Apr 19, 2024
Why Detection Obsession is Toxic for Vulnerability Management
by Alex Babar
For security professionals, a cyber breach has long been considered the “third certainty” of life, alongside death and taxes. In 2024, the lack of a silver bullet for cybersecurity defenses feels clearer than ever, as the organizations that should conceivably be the best prepared of all, judging by the sophistication of their security teams and their total investment in security, continue to get breached.
This dichotomy prompts the question: what difference is all that security spending making? We know investment isn’t slowing down, either. For example, IBM expects 51% of organizations to increase their security investments in 2024, while Gartner notes in its 2024 global security and risk management (SRM) spending forecast that SRM leaders are adopting more technical security capabilities that provide greater visibility across the organization’s digital ecosystem.
In my opinion, too much emphasis has been placed on detection efforts, such as scanning, and not enough on proactive security. We are surrounded by untenable amounts of data and intelligence telling us about existing risks, threats, software vulnerabilities and more. With this many “known knowns” in security, organizations are still obsessed with finding instances of vulnerabilities via scans, tests and other detection methods, as opposed to understanding and reducing the business impact from those findings.
I don’t own a crystal ball, but I think there are enough signs to support a healthy belief that it’s possible for organizations to finally adopt and prioritize proactive approaches to security in 2024.
Vulnerability Management Is the Clearest Manifestation of Proactive Security We Have
At its core, proactive security methods such as vulnerability risk management focus on identifying, assessing and addressing vulnerabilities before they’re ever exploited. And if we look at the data, most attacks are taking advantage of vulnerabilities that have existed for years. Organizations are generally not being breached because hackers came up with a brand-new, never-before-seen attack method. Most organizations just do not have good-enough hygiene in place to prevent them.
And it’s no wonder. When the volume of noise from detection tools is so high, how do security teams determine what matters the most? Do those same teams even know which systems are most critical to the business? Unfortunately, in a lot of cases, the answer is no.
Looking at who makes up the security personnel within a large organization today, it makes sense how we got here. Today’s CISOs are practitioners who came up the ranks as system admins, analysts, incident responders, etc. They’re technical leaders with experience finding and detecting stuff; that’s how they were trained.
Shifting from Discovering to Addressing Risks
Now, as boards of directors and C-suites are expected to be more security savvy, they are asking important risk questions of their CISOs: Given all this spending on finding our problems, are we secure? Are we better off than we were a year ago or two years ago, or three years ago? And few security executives can answer those questions with comfort, because historically they were not focused on addressing risk, they were focused on discovering the risk.
As time goes on and the security leader’s role becomes more business-centric, the benefits of taking a more proactive approach to security will continue to grow and shine. Vulnerability management, for example, delivers improved risk reduction, regulatory compliance and cost savings.
By actively seeking and addressing vulnerabilities, organizations can significantly reduce their overall attack surface, minimizing their chances of security breaches, data leaks and more. Many industries, like health care and financial services, have strict regulations governing the protection of sensitive data.
Regularly assessing and addressing vulnerabilities ensures that organizations meet these regulatory standards, avoiding potential legal consequences. Finally, addressing vulnerabilities early on is more cost-effective than dealing with the aftermath of a security breach. Proactive measures can save organizations from the financial burdens associated with data recovery, legal issues or reputational damage after a successful attack.
Practical Recommendations for Approaching Proactive Security
Adopting a proactive approach to security is not just a question of technology, it also requires a shift in culture. It requires CISOs to hold their business owners accountable while also understanding the priorities of the business. It requires security leadership to accept risks they typically wouldn’t and to translate them from technical security speak to business-relevant risk.
At the same time, business owners must trust that security is only going to ask them to address issues that are truly important. They must also agree to hold their own people accountable to fix such issues with the priority they deserve.
In some organizations, this is manifesting as a risk operations center, a new, more mature home base for security where traditional disciplines merge into a holistic view across an entire business. If we look at the value that Salesforce brought to sales teams, or that HubSpot brought to marketing, having a centralized hub for proactive security is a no-brainer.
Not every organization will be ready for a risk operations center approach. That said, there are a few steps that most security and business leaders can take today to foster a more proactive approach to security:
- Risk Assessment and Prioritization: Not all vulnerabilities are critical, so it’s essential to prioritize them based on severity and potential impact on the organization. This will allow your security teams to focus their efforts on addressing the most critical risks first.
- Improved Understanding of Your Attack Surface: It’s true what they say — you can’t secure what you don’t know. Having a strong understanding of your environment may sound obvious, but in practice, this requires very intentional and frequent examination of what you’re trying to protect, and where it is.
- Well-Planned Security Awareness Training: We know that 74% of all breaches include the human element, but cybersecurity is also too big and too broad to expect non-security employees to become well-versed in all aspects when even practitioners with years of experience still have a lot to learn. It’s important that employees understand the importance of security best practices, but it’s more important for the organization to prioritize specific business risks to determine who needs to be involved in training, and whether training on phishing attempts or secrets in code, for example, is going to make more of an impact.
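The first recommendation, ranking findings by severity and business impact rather than by scanner score alone, can be made concrete. The following is an added example, not code from the original article or its author; the asset names, criticality scale (1–5), exposure multiplier and finding ids are constructed assumptions for illustration.

```python
# Constructed sample data (hypothetical assets and finding ids, not from any
# real environment): an asset inventory with business criticality (1-5, where
# 5 is a "crown jewel") and a list of scanner findings with CVSS-style severity.
ASSETS = {
    "billing-api": {"criticality": 5, "internet_facing": True},
    "dev-jenkins": {"criticality": 2, "internet_facing": False},
    "hr-portal": {"criticality": 4, "internet_facing": True},
}

FINDINGS = [
    {"id": "F-1", "asset": "dev-jenkins", "severity": 9.8},
    {"id": "F-2", "asset": "billing-api", "severity": 6.5},
    {"id": "F-3", "asset": "hr-portal", "severity": 7.5},
    {"id": "F-4", "asset": "dev-jenkins", "severity": 5.0},
]

# Assumed policy: an asset missing from the inventory is scored as a worst case
# so it surfaces at the top and forces the inventory gap to be closed
# ("you can't secure what you don't know").
UNKNOWN_ASSET = {"criticality": 5, "internet_facing": True}


def risk_score(finding, assets):
    """Scale scanner severity (0-10) by business criticality and exposure.

    criticality/5 keeps full severity for a crown-jewel asset and discounts
    low-value ones; internet exposure adds a 1.5x multiplier (assumed weights).
    """
    asset = assets.get(finding["asset"], UNKNOWN_ASSET)
    exposure = 1.5 if asset["internet_facing"] else 1.0
    return round(finding["severity"] * (asset["criticality"] / 5) * exposure, 2)


def by_severity(findings):
    """What a raw scanner export would hand you: ordered by CVSS alone."""
    return [f["id"] for f in sorted(findings, key=lambda f: f["severity"], reverse=True)]


def prioritize(findings, assets):
    """Order findings by business risk: a medium on the billing API outranks
    a critical on an isolated build box."""
    ranked = sorted(findings, key=lambda f: risk_score(f, assets), reverse=True)
    return [f["id"] for f in ranked]


if __name__ == "__main__":
    print("by severity:", by_severity(FINDINGS))
    print("by business risk:", prioritize(FINDINGS, ASSETS))
```

The contrast between the two orderings is the point: the 9.8 on the offline dev server drops below the 6.5 on the internet-facing billing API once criticality and exposure are applied.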
It’s a known certainty — with the barrier to entry this low, cybercriminals will continue to exploit companies. The exploits being used in the wild are practically free to obtain and easy to use, and the return is clearly very high. Organizations should operate with the assumption that hackers already know their vulnerabilities, and they should prioritize protecting their unique crown jewels. At the end of the day, why spend more money to identify more vulnerabilities and security findings when it’s clear we’re past the point of diminishing returns for detecting them? Addressing your known risks and vulnerabilities will make the target on your organization’s back much smaller.
Stop obsessing over detection. Take a new approach to vulnerability management today.