At time when everything comes nice and neatly packaged delivered to your door by person or drone, even vulnerabilities now come with marketing campaigns as seen with badlock (badlock.org). They have logos, specially designed names, even their own websites and they scream from the ceiling to the often ill-informed and security unaware executive audience what it might be about and how desperately they need to listen and respond. As frustrating as it is for our poor technical teams trying to manage patching cycles and expectations off the back of knee jerk reactions to these campaigns, is this all bad or is there an important message we are actually happy to have delivered through these new marketing campaigns?
One terrific, possibly un-acknowledged, outcome from all of this is exposure. The demanding executive team who chat to colleagues or review the odd technical forum, are lured into these campaigns and often simply demand a response. However, the response they usually get is exactly what is expected, which is delivery of a remediation plan that involves patching the environment. That often means immediate deployment, minimal testing and minimal approvals required.
So who is at fault? Has the executive team actually done anything wrong by expecting a brief on the vulnerability, how the organisation is affected and a remediation plan? Or, probably the reality, are our technical teams at fault for assuming that the response required is to demonstrate how quickly they can respond and make the changes through their exceptional knowledge of these things and their ability to patch systems quickly. From an executives perspective, having a chart showing lots of red blocks that indicate vulnerability, followed shortly by a chart filled with green is a terrific result.
We need to get better at this, and right now! These flashy marketing campaigns are actually giving you and your technical teams the very opportunity needed to demonstrate to the leadership team that they are the subject matter experts. They have the in depth knowledge of the environment and the security infrastructure that supports it.
I have assembled 3 quick tips to ensure you keep a cool head, and deliver exactly what the leadership team want from their Information Security Manager; A risk based executive brief.
- Understand where you are vulnerable – read the announcement of the vulnerability from a reliable technical source likehttps://nvd.nist.gov/and create liaison roles within your security team to engage the teams that manage the affected infrastructure to confirm that they are vulnerable
- Using the knowledge of the Security infrastructure that protects the affected systems and any compensating controls, perform a risk assessment to determine the likelihood and impact of the exploitation of the vulnerability
- Prepare and deliver an executive brief that outlines the vulnerability, effected systems, risk to the organisation and the recommended action. This may be in the form of immediate patching anyway, however may also be adding the patches to the regular cycle as exploitation would be near impossible based on the risk assessment.
This will gain you immediate respect from the executive team as the response is calm, professional and well considered, based on a principle that they will understand; risk to the organisation. The respect level from the technical teams will also improve as they are not being told to drop everything, yet again, to patch the vulnerability because, well, we have to.
Okay, isn’t it…?
David Stafford-Gaffney
