The aftermath of a cyber breach always involves a technical discussion around the specific failures that gave rise to the incident. This discussion can be difficult for non-technical leaders to engage in, which is frustrating given those same leaders are being held accountable. The good news is technical capability can be an outgrowth of sound policies and procedures. Fostering a culture of cyber risk is the kind of strategic initiative that any strong leader can and should be expected to accomplish.
When embarking on the tedious and frustrating search for a data breach’s underlying cause, which frequently is not a single threat but a network of people, process or policy failures, we often hear investigators call out “inadequate patch management.” Again and again, we learn that basic hygiene – keeping systems up to date – would have gone a long way toward eliminating vulnerabilities. According to Steve Grossman, VP of Strategy at Bay Dynamics, who was quoted in a recent SC Magazine article [1], “79 percent of security teams stated they were overwhelmed by the volume of threat alerts…with 79 percent saying they had a significantly manual patching approval process.”
If security teams know what to patch and how to patch it, there shouldn’t be an issue mitigating most common threats resulting from outdated software, right? As we know, it’s never that easy. It comes down to prioritizing patches in a way that quickly and seamlessly maintains security hygiene, so that no gap in security functionality is ever allowed to open. So the question becomes: How can managers and their teams become more agile so they can react more quickly to reduce the risks posed by outdated software?
A cornerstone of any effective security program is the ability to know your assets. What systems are your business units using? Are you able to identify quickly which of those systems is critical to the business? Where is each system in its lifecycle? And finally, using all of this knowledge, how do you assign to each system the right priority for its maintenance?
The cold hard truth is that systems are too complex and varied for anybody to reasonably expect patches to remain up to date in real time. “Despite these statistics, security organizations are giving it their best with what they have, but are still working in a hectic mode of operation,” Grossman said. Perfection simply isn’t possible, and it shouldn’t be the goal. Neither should complexity be an excuse for failure when critical systems remain vulnerable.
What’s necessary is a risk-based approach to asset change and configuration management (ACM). Sound decisions require a detailed understanding of the assets in operation, the degree to which the business depends on each, and the frequency of their maintenance. In very simple terms, the model is to find the greatest risks and “patch” them first. Think of this as a form of triage, i.e. a decision-making process based on a realistic estimation of capabilities and consequences.
How can a model with that purpose become reality? It begins with fostering a culture of risk awareness. An organization that views risk as a force of nature that can be bent to gain advantage will perform well in all areas, including security. By implementing policies at the enterprise level to articulate the importance of a risk-and-reward culture using assessments of likelihood and impact, a natural balance occurs at any given decision point. A cyber risk and security operations team guided by this corporate ethic will give rise to a system that far outperforms the failed patch management systems we see today.
No good lecture on policy and process would be complete without a cry for measurement: measure what’s important, and what you measure becomes important. What should be the goals for security patch management programs? How can we measure our progress against those goals? While determining answers to these questions helps management understand what’s being done, perhaps even more important is the signal it sends to those in the trenches that 1) we understand your work and 2) we value that work.
In a world where security is by all measures a cost center, and by most measures an impediment to action, security teams have a hard time winning. Even when they do, the hallmark of their success is that nothing happened. Setting goals based on established principles is a sure way of galvanizing teams around the initiatives you want to accomplish. When the goal is achieved, leaders are presented with a clear demonstration of the contribution security teams make to the business. There is no better way to build enterprise-wide morale.