Bridging the Human Gap in Vulnerability Management



This is the second blog in a three-part series that analyzes the gaps in many vulnerability management programs. Focusing on the core elements or “stool legs” of technology, people and process, this second blog post examines the role of people. Catch up on the series by reading the first blog on the technology leg.



People: Bridging the Human Gap

Although technology may seem like the most important leg of the stool in the cybersecurity field, the tools are nothing without the right people to leverage them in the most optimal way for a particular organization. By focusing on the key issues of overcoming the cybersecurity skills gap and investing in continuous training programs, organizations can better ensure that employees are equipped to quickly and effectively respond to new threats.


The human element in vulnerability management is indispensable, yet the industry grapples with a significant shortage of skilled cybersecurity professionals. Addressing this skills gap requires a commitment to continuous training programs for existing staff, ensuring a proactive and adaptive cybersecurity workforce.



Skills and Talent Shortages

One way to help overcome the cybersecurity skills gap is to bring in entry-level workers and genuinely set them up for success. Start with foundational concepts like networking, operating systems and basic security principles. Online platforms, courses and certifications like CompTIA Security+ can provide a solid grounding. Encourage hands-on experience through labs, virtual environments or internships. Platforms like Cybrary and Udemy offer diverse, self-paced courses, many of which are free.


Organizations often have a CISSP certification requirement, even for lower-level cybersecurity positions. How do we go beyond the CISSP filter? I recommend emphasizing practical experience and relevant certifications over a CISSP. Candidates should showcase hands-on skills and specific achievements in previous roles. Organizations should focus on soft skills, communication abilities and a collaborative mindset. A CISSP certification is valuable, but organizations must also seek professionals who can communicate effectively and work within a team. Assess problem-solving skills, critical thinking and a passion for cybersecurity during interviews or through practical assessments.


Continuous training programs covering the latest cybersecurity trends and mitigation strategies are essential. Collaborating with educational institutions and industry creates a pipeline for future cybersecurity professionals. When it comes to continuous training programs aimed at enhancing vulnerability management skills, it is beneficial to cover a range of subjects to ensure a comprehensive understanding of the field. Here are specific training subjects and learning objectives that can be particularly helpful:


  1. Threat Intelligence Analysis
    • Understanding threat intelligence sources
    • Analyzing and interpreting threat feeds
    • Implementing threat intelligence in vulnerability management
  2. Security Automation and Orchestration
    • Implementing automation in vulnerability management
    • Orchestrating security processes
    • Integrating tools for seamless workflows
  3. Risk Assessment and Management
    • Conducting risk assessments
    • Utilizing risk frameworks (e.g., NIST, ISO)
    • Prioritizing vulnerabilities based on risk
  4. Compliance and Regulatory Training
    • Staying updated on relevant cybersecurity regulations
    • Understanding compliance requirements
    • Integrating compliance into vulnerability management


Communication Breakdowns: Unifying IT and Security Teams

Effective vulnerability management hinges on the collaborative efforts of IT and security teams. Communication breakdowns between these two groups can lead to delayed response times, misaligned priorities and increased security risks. To foster better communication, initiate cross-functional training programs where members of the IT and security teams can learn about each other's roles, responsibilities and challenges. The vulnerability management team should schedule regular meetings between IT and security teams to discuss ongoing projects, challenges and upcoming remediation SLAs. Finally, encourage temporary swaps between IT and security teams, where team members work in the other department for a designated period. Establishing well-defined communication channels that ensure rapid response times during security incidents further promotes a culture of shared responsibility.



Real-World Scenario

As in my previous blog, we encountered a client who experienced communication issues between the IT infrastructure and security teams. These teams faced challenges in remediating identified vulnerabilities. I’d like to explain further how these communication concerns posed key risks.


The vulnerability management team was proficient in day-to-day operations and in identifying new and existing vulnerabilities within the organization. However, when they communicated remediation efforts to the teams responsible for patching and remediating the vulnerabilities, a breakdown occurred. Despite the client having well-established policies and standards, the vulnerability management team met resistance from the operational teams. In these cases, the perceived risk of bringing down a system outweighed the actual risk of a security incident.


This issue is a testament to the broader challenge where leadership often perceives vulnerability management as a checkbox rather than a fundamental aspect of protecting the company’s reputation and future existence. Addressing the communication breakdown requires an approach aimed at fostering collaboration, understanding and a shared commitment to cybersecurity. Transparent, open communication between the teams is imperative. At a minimum, weekly stakeholder and IT security meetings should be held to assess the vulnerabilities and the risks to the affected systems. Communicating awareness and the need for security ensures that everyone understands the importance of timely remediation and the potential risks of leaving systems vulnerable. Finally, clearly communicating the actual risks associated with security incidents versus the perceived risks of remediation efforts can provide a more balanced perspective.


In our next blog post, we will delve into the process challenges within vulnerability management and propose strategies to fortify the three-legged stool.

Shaun Kummer
Vulnerability Management and Remediation Practice Leader | Optiv
Shaun leads Optiv’s Vulnerability Management and Remediation practice, a part of the Threat business unit. He assists organizations in designing, deploying and solving problems that exist within their vulnerability management programs. Shaun’s approach is pragmatic, ensuring practical solutions that address real-world issues and help organizations navigate the complexities of security challenges.

Shaun’s diverse career spans federal and local governments, as well as corporate environments. Before joining Optiv, his focus was primarily on corporate threat and vulnerability management. Notably, Shaun is a U.S. Army and law enforcement veteran, having served in Military Intelligence, HUMINT and law enforcement roles.
