About The Guests

• Patrick Garrity: Security Researcher and VP Marketing at Nucleus Security
• Nikki Robinson: Works at IBM Security and wrote the book “Mind the Security Gap”
• Chris Hughes: President of Aquia in CISA, fellow at the Cybersecurity and Infrastructure Security Agency, and co-author of the book “Software Transparency”

Summary

Vulnerability management has become a critical aspect of protecting organizations from potential threats.

To shed light on this topic, Patrick Garrity hosted a roundtable discussion with industry experts Nikki Robinson and Chris Hughes, who shared their insights and expertise on vulnerability management, incident response, and other related security issues.

Key Takeaways

The Human Element in Vulnerability Management

Both Nikki and Chris highlighted the crucial role that humans play in vulnerability management, despite increasing automation in cybersecurity.

“Automation is great,” says Nikki, “but having someone who understands the systems in depth is crucial to a successful vulnerability management program.”

Collaboration and building relationships with stakeholders were also emphasized as important factors for better vulnerability management outcomes. 

“Dealing with the humans is absolutely critical to driving down vulnerabilities and doing it in a healthy way,” says Chris.

Aligning Different Departments for Effective Vulnerability Management

Aligning different departments within an organization is a common challenge in vulnerability management.

Lack of communication and alignment can hinder the effectiveness of unified vulnerability management efforts.

Building relationships and fostering open communication between security teams and other departments were suggested as ways to address this challenge.

Prioritizing Vulnerabilities in the Enterprise

Prioritization is critical in vulnerability management, given that not all vulnerabilities can be addressed immediately.

The limitations of the Common Vulnerability Scoring System (CVSS) were discussed and Chris, Nikki and Patrick recommended leveraging tools such as Exploit Prediction Scoring Systems (EPSS) to enhance the prioritization process.

Aligning prioritization with the organization’s goals and context was also emphasized.

Building a Modern Enterprise Vulnerability Management Program

Building a modern vulnerability management program requires a systematic approach and a focus on continuous improvement.

Nikki recommends, “start small, pick something that makes sense, and work your way out into the larger program.”

Steps such as creating a problem statement, defining roles and responsibilities, and integrating security into the organization’s culture and daily practices were outlined.

By making vulnerability management a shared responsibility, organizations can achieve a mature and effective vulnerability management program.

Secure by Design and Secure by Default

The concept of secure by design and secure by default was discussed as a proactive approach to addressing vulnerabilities.

Nikki, Chris and Patrick emphasized the need for software suppliers and vendors to prioritize security during the system and software development lifecycle.

Chris says, “secure by design and secure by default aims to put the burden on those best positioned to address it: the people making the products and software.”

The importance of making security easier for those managing and consuming tools was also highlighted.

Looking ahead, organizations must stay vigilant, adapt to emerging threats, and continuously improve their vulnerability management practices.

“Vulnerability management should be easy. It should be part of your daily practice and not require a ton of extra effort,” says Nikki.

With the right approach and a commitment to continuous improvement, organizations can achieve a mature and effective vulnerability management program.

More Useful Resources