What does cybersecurity mean to your business? This might seem like an odd question, but how an enterprise responds to it can tell you a lot about the culture and practice of cybersecurity in that organization. There are a few different ways to ask the same question — Which function does cybersecurity report to within the enterprise? Who is the internal client for cybersecurity? Does cybersecurity leadership have a voice at the highest levels of corporate decision-making?
There are two main schools of thought about the role and orientation of cybersecurity within the enterprise. The traditional school places cybersecurity within the Information Technology (IT) function of the business. In this model cybersecurity reports to IT, IT is the internal client for cybersecurity, and the CISO typically reports up to the CTO or CIO.
It is easy to see why one might make this association. IT and cybersecurity professionals often have similar or adjacent skill sets and overlapping educational and professional backgrounds, and both functions deal with highly technical, specialized, and complex information and processes. However, the goals and KPIs of IT and cybersecurity are not only unaligned, they are often in direct conflict. The internal clients for IT are the other business functions, which essentially pay for the technology assets (applications, servers, cloud instances, etc.) required to keep the enterprise running. IT performance is evaluated by how seamlessly, continuously, and cheaply it delivers those services. IT does not generally have visibility into, or an understanding of, how these assets are used by the business: what kind of data they process, or which critical business functions they support.
When cybersecurity comes to IT and reports that a particular technology asset or part of the infrastructure has weaknesses that could be exploited by malicious actors, IT has to weigh the benefit (stopping a potential attack that may or may not happen) against the costs: resources allocated to fix the problem, unhappy internal clients while the asset is unavailable during the fix, and valuable time spent fixing and validating the issue. This is a hard sell, and it essentially amounts to self-regulation. A significant percentage of breaches exploit vulnerabilities and weaknesses that were already known within the organization. Seen through this lens, it is not difficult to see how such problems go unaddressed.
The modern school of thought recognizes cybersecurity as its own independent vertical within the enterprise, like sales, marketing, HR, or any other function whose purpose is to help the business function and thrive. In this model, cybersecurity has the various business functions as its internal clients, and the CISO has a seat at the C-level table. Cybersecurity informs business stakeholders of the risks they face as a result of the technology infrastructure they use. The business stakeholders provide the context necessary for informed risk triage and collaborate with cybersecurity to identify which vulnerabilities or weaknesses pose the biggest threats to the part of the business they own. These prioritized risks are then sent to IT for remediation. Since remediation or mitigation is being driven by the business stakeholders, IT is incentivized to fix the problems. Risk-based cybersecurity programs are a way to put this approach into practice.
I'm proud and excited to announce that Brinqa has raised $110 Million in growth capital from leading global venture capital and private equity firm Insight Partners. This is our first institutional investment and represents a significant milestone for the company. Brinqa was bootstrapped and remained founder-backed as we shaped the Cyber Risk Management space, achieved strong organic growth and profitability, and acquired some of the biggest brand names in the world as customers. This new injection of funds, combined with Insight Partners' ScaleUp expertise, will fuel the next stage of our growth and accelerate ongoing efforts to make Brinqa an essential, unifying component of every enterprise cybersecurity ecosystem. Our mission, values, and objectives as a company remain the same; this partnership will help us achieve them faster and better. We decided to take this step with Insight Partners because of how aligned they are with our vision for Brinqa and with our priorities for long-term and short-term goals. We firmly believe that Brinqa is an essential platform for all enterprise cybersecurity organizations. As digital transformation proliferates across industries and saturates every aspect of business, the IT infrastructure that enables it and the security ecosystem that protects it become larger and more complex. Imagine a scenario where hundreds of different teams, systems, and programs, each focused on a task so demanding and technical that it requires specialized skills and tools, work towards the same overarching goal but rarely communicate with each other. Unfortunately, this is often the reality for most cybersecurity organizations. To be effective and a true contributor to business success, the cybersecurity organization must function as ONE TEAM aligned in purpose, connected in data, and transparent in communication. This is the vision that Brinqa helps our customers achieve.
We know that this is possible because we have proven it at some of the world's largest and most complex enterprise IT environments. We are fortunate to count among our customers three out of the five largest retail companies in the world, the largest healthcare providers in the US, and the most prominent global brands in technology, financial services, insurance, healthcare, manufacturing, aviation, and critical infrastructure. This partnership will help us bring this vision to cybersecurity practitioners and organizations everywhere. The capital infusion will be used to accelerate sales and marketing initiatives, enhance customer experience and community building, and strengthen partner and channel ecosystems. I am so thankful to the Brinqa family — our employees, customers, and partners. You are the source of the immeasurable hard work, innovation, creativity, and conviction it has taken to reach this huge milestone, and all credit for this accomplishment goes to you. I am excited as we embark on this next stage of our journey and look forward to achieving greater heights together.
In a recent alert published through the National Cyber Awareness System (NCAS), AA20-133A "Top 10 Routinely Exploited Vulnerabilities", the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government came together to provide technical guidance to public and private sector organizations on prioritizing the patching of commonly known vulnerabilities exploited by foreign cyber actors. As part of this guidance, the alert identifies the 10 most exploited vulnerabilities from 2016 to 2019. It also addresses emerging risks based on vulnerability exploitation trends in 2020 so far. Here are three observations from the alert.

Old Vulnerabilities Persevere

In the analysis of the 10 most exploited vulnerabilities between 2016 and 2019, two older vulnerabilities (CVE-2012-0158 and CVE-2015-1641) made the cut. As the alert indicates, this points to systemic problems with existing vulnerability management processes. It is difficult to rationalize why old vulnerabilities with known exploits and available fixes continue to exist and be taken advantage of by malicious actors. Remediating vulnerabilities is certainly not trivial: it can require a significant investment of time and effort, with security professionals having to balance the need to mitigate vulnerabilities against the mandate to keep systems running and to ensure installed patches are compatible with other software. However, an effective vulnerability management process should make such vulnerabilities (old, fixable, and known to be exploited) a top target for remediation, and should guide practitioners toward efficient ways to carry that remediation out. The two older vulnerabilities mentioned are just the tip of the iceberg, and the alert expects the trend to continue, noting that 'state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective'.
Microsoft Remains a Big Target

It should be no surprise that Microsoft products, with their wide adoption by enterprise and personal users, are a big target for malicious actors. Even so, 7 of the top 10 exploited vulnerabilities between 2016 and 2019 affecting Microsoft products should be a wake-up call for practitioners. Three of these vulnerabilities involve Microsoft's Object Linking and Embedding (OLE) technology, which allows documents to contain embedded content from other applications such as spreadsheets. This observation points to a widespread need for organizations to better understand and track the components that make up their IT infrastructure. While remediation can be time-consuming, a robust vulnerability management program should be able to provide instant insight into the prevalence and impact of these risks: How many of our IT assets have the vulnerable products or frameworks installed? How significant are those assets to the organization (what data do they store, which business processes do they support)? Every vulnerability management program should be able to answer these questions on demand, at a moment's notice.

Malicious Actors Adapt to Changes FAST

In addition to the top 10 exploited vulnerabilities between 2016 and 2019, the alert highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020. With the COVID-19 pandemic forcing the most drastic change in workplace norms in recent memory and an abrupt shift to work-from-home for large parts of the workforce, it is no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. We have all heard news reports about troublemakers 'bombing' open Zoom meetings, and there has been scrutiny of Zoom's privacy and encryption practices. There have also been reports of malicious actors targeting organizations whose hasty deployment of Microsoft Office 365 led to oversights in security configuration that left them vulnerable to attack.

These reports point to some systemic cybersecurity challenges. Malicious actors are extremely resourceful, well-coordinated, and opportunistic. Security practitioners should always expect malicious actors to respond to any change in the status quo faster than software and security vendors can. It takes time for vendors to roll out patches, and practitioners should have a plan in place to manage the risk they carry between vulnerability discovery and remediation (compensating controls and monitoring for exploitation attempts, for example). This also underscores the dire need for better employee cybersecurity education and for effective system recovery and contingency plans. Be sure to read the full alert for mitigations and more details.
This is the first year that Brinqa has participated in the Forrester Wave™: Vulnerability Risk Management study, and we are extremely happy to be recognized as Forrester reshapes the traditional vulnerability scanning market to better reflect modern vulnerability risk management! Some thoughts from our participation in this process…

An ecosystem approach to Vulnerability Management

According to Forrester, "vendors with improved prioritization and reporting are pushing the market forward"; however, coming from a traditional network vulnerability scanning background still appears to be critical to achieving 'leader' status. Brinqa customers have invested in the best scanning solutions for their environment (often more than one), and they like the results, so we partner with these vendors, who have perfected their capabilities over 15+ years. This is particularly relevant when we consider that the scope of modern VRM programs has expanded to include applications (SAST, DAST, SCA), cloud, configurations, and containers. The best vulnerability management results across this extended scope are realized by leveraging an ecosystem of tools and vendors, each addressing a specific part of the process in the best way possible. Brinqa Vulnerability Risk Service integrates with 150+ security, asset, and threat intelligence sources, enabling customers to get more out of their entire security environment without having to start over with one more disconnected solution.

Remediation is key

If you haven't read the report, Forrester's four-stage process for Vulnerability Risk Management remains the same and is spot on:
1) Asset management
2) Vulnerability enumeration
3) Prioritization
4) Remediation
Each stage is critical to building a risk-aware vulnerability management program, and in combination they eliminate the biggest threats to your business faster.
By transforming all vulnerability, asset, and threat data into knowledge-driven insights, organizations realize better prioritization, remediation, and ultimately mitigation of risk. This year, remediation was dropped from Forrester's scoring criteria, and we would argue that it should have been included. Risk-aware remediation is the key to shifting to proactive and automated management of cyber risk, aligning information security processes with the organizational goal of building and growing a business. It increases productivity by automating the proactive management of cyber risk, and it is absolutely essential for scale!

Cyber risk is unique

Forrester's focus this year was prioritization, and they were very clear that asset criticality, vulnerability severity, and network exposure are its critical underpinnings. We agree, and find that our customers generally start with this subset of security data and leverage our out-of-the-box (OOB) risk model to prioritize vulnerabilities for remediation. However, they very quickly want to bring in more security data from the many solutions they have already invested in (certificate management, endpoint protection, patch management, SIEM, etc.) to add nuance to the risk analysis. The resulting adjusted risk model truly informs their unique risk posture. It is impossible to prioritize risk effectively without the right underlying components and a complete risk model that connects everything and establishes a common risk language. Scoring 13 vendors against a common set of criteria is tough: some vendors excel at scanning, some focus on prioritizing and remediating cyber risk while leaving the scanning to others, and some specialize in specific infrastructure monitoring areas such as digital footprinting. Hats off and a big thank you to Forrester for helping organizations navigate the process of making their vulnerability management processes risk-aware!
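To make the risk model concrete, here is an added worked example. It is not Brinqa's code, not the OOB risk model, and not from the Forrester report. It joins a constructed asset inventory with constructed scan findings and ranks each finding by vulnerability severity, asset criticality, and network exposure, with a multiplier for weaknesses known to be exploited in the wild. It also answers the on-demand questions raised in the CISA alert discussion above: how many assets carry a given weakness or product, and which business owner they belong to. The weights, the asset records, the severity values, and the configuration-weakness ids "O365-LEGACY-AUTH" and "TLS-1.0-ENABLED" are assumptions made for this example; the CVE ids are the two named above plus CVE-2017-11882 from the same alert's top 10.

```python
"""Risk-based prioritization of vulnerability findings (illustrative).

Added example, not a vendor's product or risk model. Every weight, asset,
finding and severity value below is constructed for illustration.
Risk = severity * asset criticality * network exposure, doubled when the
weakness is known to be exploited in the wild.
"""
from collections import Counter
from dataclasses import dataclass

# Known-exploited set: the two dated CVEs the CISA alert calls out plus
# CVE-2017-11882 from the same top 10. In a real program this comes from
# a threat-intelligence feed, not a literal.
KNOWN_EXPLOITED = {"CVE-2012-0158", "CVE-2015-1641", "CVE-2017-11882"}

CRITICALITY = {"low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0}  # assumed
EXPOSURE = {"internal": 1.0, "dmz": 1.5, "internet": 2.0}                 # assumed
EXPLOITED_BOOST = 2.0                                                     # assumed


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str          # business function that owns it (the internal client)
    criticality: str    # set by the business owner, not by IT
    exposure: str       # where the asset sits relative to the network edge
    products: tuple     # installed software, from the asset inventory


@dataclass(frozen=True)
class Finding:
    asset_id: str
    weakness_id: str    # a CVE id or a configuration-weakness id
    product: str
    severity: float     # scanner base severity (CVSS-like scale, illustrative)


# Constructed inventory and scan output. The two non-CVE weakness ids are
# made-up names for configuration findings, not real identifiers.
ASSETS = [
    Asset("ws-001", "finance", "high", "internal", ("Microsoft Office 2010",)),
    Asset("ws-002", "marketing", "low", "internal", ("Microsoft Office 2010",)),
    Asset("srv-010", "sales", "critical", "internet",
          ("Microsoft Office 2016", "Exchange Online")),
    Asset("srv-020", "hr", "medium", "dmz", ("Apache httpd",)),
]

FINDINGS = [
    Finding("ws-001", "CVE-2012-0158", "Microsoft Office 2010", 9.3),
    Finding("ws-002", "CVE-2012-0158", "Microsoft Office 2010", 9.3),
    Finding("ws-001", "CVE-2015-1641", "Microsoft Office 2010", 9.3),
    Finding("srv-010", "CVE-2017-11882", "Microsoft Office 2016", 7.8),
    Finding("srv-010", "O365-LEGACY-AUTH", "Exchange Online", 5.0),
    Finding("srv-020", "TLS-1.0-ENABLED", "Apache httpd", 4.0),
]


def risk_score(finding, asset):
    """Severity scaled by business context, with a boost for in-the-wild exploitation."""
    score = finding.severity * CRITICALITY[asset.criticality] * EXPOSURE[asset.exposure]
    if finding.weakness_id in KNOWN_EXPLOITED:
        score *= EXPLOITED_BOOST
    return round(score, 1)


def prioritize(findings, assets):
    """Return (score, weakness_id, asset_id, owner) tuples, highest risk first."""
    by_id = {a.asset_id: a for a in assets}
    ranked = []
    for f in findings:
        a = by_id[f.asset_id]
        ranked.append((risk_score(f, a), f.weakness_id, a.asset_id, a.owner))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


def exposure_of(weakness_id, findings, assets):
    """Answer 'how many assets carry this weakness, and whose are they?' on demand."""
    by_id = {a.asset_id: a for a in assets}
    affected = [by_id[f.asset_id] for f in findings if f.weakness_id == weakness_id]
    return {
        "asset_count": len(affected),
        "by_owner": dict(Counter(a.owner for a in affected)),
        "by_criticality": dict(Counter(a.criticality for a in affected)),
    }


def assets_with_product(product_prefix, assets):
    """Asset ids with a product installed, e.g. any version of 'Microsoft Office'."""
    return sorted(a.asset_id for a in assets
                  if any(p.startswith(product_prefix) for p in a.products))


def remediation_queue_by_owner(findings, assets):
    """Group the ranked findings by business owner, who drives the ask to IT."""
    queue = {}
    for score, wid, aid, owner in prioritize(findings, assets):
        queue.setdefault(owner, []).append((wid, aid, score))
    return queue


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print(row)
    print(exposure_of("CVE-2012-0158", FINDINGS, ASSETS))
    print(assets_with_product("Microsoft Office", ASSETS))
    print(remediation_queue_by_owner(FINDINGS, ASSETS))
```

Note how the same CVE-2012-0158 finding lands in two very different places in the queue: on the finance workstation it outranks everything except the internet-facing sales server, while on the low-criticality marketing workstation it falls below a mere configuration weakness on that critical server. That reordering is exactly the business context IT cannot supply on its own, and the per-owner queue is what lets the business stakeholder, rather than security, make the remediation ask.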
Learn more about how Brinqa addresses the capabilities outlined in the 2019 Forrester VRM Wave™. How Brinqa addresses the technical capabilities outlined in The Forrester Wave™: Vulnerability Risk Management (VRM) Q4 2019 study Access the full 2019 Forrester Wave™: Vulnerability Risk Management report here.