Vulnerability Management

You’ve performed your security assessment, found the flaws in your network environment, and now know where your gaps are. What’s next? Do you simply hand the report off to another team and hope that everything gets addressed? Do you share it with management? Perhaps, you turn the findings into a to-do list for the coming year. The important thing is that you do something. Interestingly, this is where many organizations fall short in terms of their security testing efforts. They find and acknowledge the risks, but fail to follow up on them – no accountability. Or there’s minimal follow up with little prioritization. Time passes, things get back to normal, and then – boom – it happens. The dreaded incident or confirmed breach rears its ugly head. It’s something old that was documented in a security assessment report that someone overlooked along the way. It’s the worst possible scenario.

There’s the saying talk is cheap. When it comes to information security oversight, it’s a story that rings all too true. You go through the motions and pay good money to find the security flaws, only to get distracted and never actually address them. It only takes one finding. It could be critical such as a weak password on a public-accessible server, or high-priority such as a missing patch that can lead to a denial of service attack. Someone could even exploit medium or low-priority items such as a misconfiguration on a firewall, or internal user emails advertised on public web pages via phishing scams. Regardless of the threat, your exposure creates tangible business risks.

It’s important to dedicate the time and resources needed to follow up on each item that is uncovered in your security assessment. Address them directly where you can by tweaking configurations, adjusting password requirements, applying patches, and the like. Failing to do so can lead to security debt which only accrues over time until eventually exploited. When the incident occurs, you’re going to be called on it. Any gaps in addressing known flaws won’t be defensible once a breach occurs. Not unlike a heart disease or cancer diagnosis that goes ignored, the consequences will surface sooner or later.

Our experts will consult with your team to understand where the vulnerabilities are and provide guidance on how to remediate and mitigate the findings. Vulnerability management is a process, let our experts help.