Five Requirements for Effective Cyber Risk Management

February 27, 2018 Sam Osborn

When it comes to vulnerability management, it’s all about quality, not quantity. It doesn’t matter how many vulnerabilities you closed last month if you left open the one high-risk (high-quality, if you’re an attacker) vulnerability that will grant malicious actors access to sensitive data.

According to Gartner, zero-day vulnerabilities will play a role in less than 0.1% of attacks, excluding sensitive government targets, through 2020. That means the vast majority of attacks will exploit vulnerabilities that could have been patched but weren’t.

Poring over spreadsheets and creating 500-page PDFs isn’t just inefficient; it’s simply no longer enough to ensure that the right vulnerabilities are addressed at the right time. The rise of automated attacks means that security teams need to make their own practices as precise and metric-driven as possible.

To help security organizations get a jump start on this problem, we’ve created a new white paper that explains the five requirements for effective cyber risk management. Here is a quick preview to help you start thinking about what you need to identify high-risk vulnerabilities and prioritize vulnerability remediation efforts.

Requirement #1: Know Your Assets

Do you know where all your assets and applications are? What is your current assessment coverage? How do you discover new threats?

Requirement #2: Know Your Business

Are you performing threat modeling? What threats exist to your business? Are you a target?

Requirement #3: Know Your Current Risk Posture

Where are your security weaknesses and vulnerabilities, and which ones are the most likely to be exploited? How do you determine likelihood and impact?

Requirement #4: Know Your Resource Constraints

What can you get done with the resources you have? Are you accounting for budget, time, and people?

Requirement #5: Know Your Direction

Are you reducing risk over time? Given the previous four requirements, what is an achievable goal for risk reduction?

Bonus: Know What’s Coming

Are your vulnerability management efforts maturing beyond proactive to being predictive? Can you determine which vulnerabilities will become high-profile targets?  

If you aren’t able to answer all these questions, don’t worry; you’re not alone! Many organizations are still slogging their way through spreadsheets and cumbersome reports. But there is another way, so check out the white paper to learn how you can answer the questions above and establish a cyber risk management program that focuses on quality, not quantity.

Get your copy of Close What Matters: 5 Requirements for Reducing Vulnerability Risk

The post Five Requirements for Effective Cyber Risk Management appeared first on Kenna Security.
