Businesses tend to think vulnerability management is about running a tool and reporting on known technical vulnerabilities.
However, it goes beyond vulnerability scanning – organisations need to define and implement a formal vulnerability management process that includes identifying, prioritisation, categorising and remediating the identified vulnerability.
So says Kudakwashe Charandura, cyber security director at SNG Grant Thornton, who will be presenting on ‘Effective vulnerability management’, at the ITWeb Security Summit 2020, to be held as a virtual event from 25 to 28 August.
According to Charandura, the remediation process should include identifying the root cause of each vulnerability so that its effectively resolved and will not recur. “Sometimes businesses focus on resolving only identified weaknesses without identifying the root causes – vulnerabilities tend to be symptoms of deeper problems or breakdowns in cyber security processes.”
In addition, Charandura says that businesses have a tendency to focus on financial systems, ignoring the operational technology and SCADA networks and systems, and including these systems in the vulnerability management process is critical.
Vulnerabilities also exist in people and processes, which are often overlooked as businesses focus on technical vulnerabilities alone.
“Cyber security processes, including vulnerability management needs to be embedded in people, processes and technologies, as well as across all the layers including application, database, network and suchlike, so that organisations have a holistic view of where the weaknesses are and implement appropriate mitigatory measures."
He says a successful vulnerability management process must include identifying, prioritising, categorising and remediating the identified vulnerability. “It should have clearly defined roles and responsibilities and metrics that are monitored periodically. You cannot improve a process if you can’t measure it. Tracking, monitoring and reporting vulnerabilities is key.”
Charandura stresses that vulnerability management is a continuous process. “Businesses should scan their systems for vulnerabilities regularly and as and when new systems are being developed. All identified vulnerabilities should be prioritised, categorised, validated and remediated. They should assign responsibility and accountability for identified vulnerabilities which should involve system owners and all key stakeholders.”
In addition, he stresses that the cyber attack surface is huge. A massive number of systems to be scanned, and a structured process needs to be employed to do this. Businesses need to have clearly defined IT architectures, and the classification of systems is paramount.
The COVID-19 crisis saw many companies having to hastily put together work-from-home plans without considering the cyber security implications and emerging risks. “This increased the cyber-attack surface of organisations as more and more employees are connecting remotely. Organisations have to remain vigilant by assessing risks that their systems are now exposed to.”
During his presentation, Charandura will unpack solutions for effectively identifying and managing cyber security weaknesses businesses are faced with.
[SIDEBAR]
ITWeb Security Summit 2020
Register now for the ITWeb Security Summit 2020 virtual event, and experience four days of international keynotes, sessions and workshops all for one price. The event will feature over 50 speakers, with all content being made available on-demand online. To register, and for more information, please click here.
