Less risk, more reward: Managing vulnerabilities in a business context

Network security can be both an organization’s savior and its nemesis. How often does security slow down the business? Yet security is something you can’t run away from. Today’s cyber-attacks have a direct impact on the bottom line, but many organizations lack the visibility to manage risk from the perspective of the business. The result is a balancing act that organizations must manage without truly understanding the impact to the bottom line.

Traditionally, network security revolves around scanning servers for vulnerabilities, drilling down through the reports to assess how each vulnerability could be exploited and what risk it poses to the server, and then looking at how those risks can be remediated. Looking at vulnerabilities purely in this technical context leaves a lot to be desired in terms of understanding the actual impact on the business.

No compromise when it comes to risk
These risks can be put into two groups. The first is security risk, which is about compromise: how can the network be compromised, and what would happen if the vulnerability were exploited? What damage would be done, and what information could be lost? Assessing this type of risk is usually the domain of the infosecurity team.

The second type of risk is operational: how the business is impacted by addressing the vulnerabilities. This side of security is usually managed by the IT team, who plan downtime to patch or upgrade the server. But planned downtime brings unplanned downtime with it, as a fix often won’t go according to plan and can create a whole new set of issues for the network.

But it isn’t the network that runs the business; the network is a platform that enables the business. So wouldn’t it be more valuable and practical to assess security from the perspective of the business applications that the business actually runs on?

In fact, a 2013 survey by AlgoSec revealed that infosecurity, network operations and application professionals commonly struggle to manage business-critical applications effectively, because of the heavy workload and complexity involved and the effort needed just to keep up with the evolving needs of the business. Nearly 50% of respondents would prefer to see vulnerabilities from a business perspective, and it is this piece that is missing when they assess risk.

A higher level of understanding
When you really think about what is at risk from the organisation’s perspective, it isn’t the server; it is the application that relies on that server. Therefore, to assess security at the level of business applications, you need to know which applications run on which servers. Every vulnerability discovered and reported on those servers is then really a vulnerability that affects the application.

If you look at it from this perspective, that is, gathering the vulnerabilities at the server level and attributing them to the applications that depend on those servers, another group of people becomes involved in the security risk assessment process: the business application owners, such as HR, finance and sales.

The business application owners are able to add balance to the decisions made about risks posed to the network: between the risk of compromise and that of planned and unplanned downtime. At this level, they can give input on how important and business critical the application is, and what the impact on the business will be if staff, customers or third parties can’t access it. So rather than being a pure IT and security decision, it becomes one with business operations at its heart.

For example, an application that takes payments from customers could be deemed business critical as, without it running, the business grinds to a halt and ends up with frustrated customers that turn to the competition. With the involvement of the business application owners, not only does it empower them to own their risk, but it also enables much more informed decisions about the true priorities to the business for taking remedial actions.
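The roll-up the article describes, from server scan findings to application-level issues weighted by owner-assigned business criticality, is straightforward to put into code. The example below is added here and is not AlgoSec’s code or from the original article; the server names, vulnerability IDs, severity scores and criticality values are all constructed for illustration. It shows the effect the article is after: the same finding on a dev box and on the payments platform ranks very differently, and a medium-severity issue on a critical application can outrank a high-severity one on a less important application.

```python
from collections import defaultdict

# --- Constructed sample input (hypothetical; not data from the article) ------------
# Scanner output, per server: (vulnerability id, technical severity on a 0-10 scale).
SERVER_FINDINGS = {
    "srv-pay-01": [("VULN-A", 9.8), ("VULN-B", 5.3)],
    "srv-pay-02": [("VULN-B", 5.3)],
    "srv-hr-01": [("VULN-C", 7.5)],
    "srv-dev-01": [("VULN-A", 9.8), ("VULN-D", 4.0)],
}

# Which servers each business application depends on (the mapping the article says
# you need before vulnerabilities can be viewed from the application's perspective).
APP_SERVERS = {
    "payments": ["srv-pay-01", "srv-pay-02"],
    "hr-portal": ["srv-hr-01"],
    "dev-sandbox": ["srv-dev-01"],
}

# Business criticality supplied by the application owners: 1 = low, 5 = business critical.
APP_CRITICALITY = {"payments": 5, "hr-portal": 3, "dev-sandbox": 1}


def roll_up(server_findings, app_servers):
    """Attribute every server finding to the applications running on that server.

    Returns {app: {vuln_id: {"severity": float, "servers": [...]}}}. A vulnerability
    found on several of an application's servers is one application-level issue
    with several affected hosts, not several separate issues.
    """
    rolled = {}
    for app, servers in app_servers.items():
        issues = {}
        for server in servers:
            for vuln_id, severity in server_findings.get(server, []):
                issue = issues.setdefault(vuln_id, {"severity": severity, "servers": []})
                issue["servers"].append(server)
        rolled[app] = issues
    return rolled


def business_risk(app_issues, criticality):
    """Business-weighted risk: severity of the application's worst issue scaled by
    how critical its owners say the application is. No findings means zero risk."""
    if not app_issues:
        return 0.0
    worst = max(issue["severity"] for issue in app_issues.values())
    return round(worst * criticality, 2)


def prioritize(server_findings, app_servers, app_criticality):
    """Applications ordered by business-weighted risk, highest first."""
    rolled = roll_up(server_findings, app_servers)
    ranked = [(app, business_risk(issues, app_criticality.get(app, 1)))
              for app, issues in rolled.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))
    return ranked


def remediation_plan(server_findings, app_servers, app_criticality):
    """Per-vulnerability view for the IT team: which applications and hosts each fix
    touches, ordered so the work that removes the most business risk comes first."""
    rolled = roll_up(server_findings, app_servers)
    plan = defaultdict(lambda: {"severity": 0.0, "apps": {}, "weighted": 0.0})
    for app, issues in rolled.items():
        crit = app_criticality.get(app, 1)
        for vuln_id, issue in issues.items():
            entry = plan[vuln_id]
            entry["severity"] = issue["severity"]
            entry["apps"][app] = sorted(issue["servers"])
            # A fix is as urgent as the most critical application it protects.
            entry["weighted"] = max(entry["weighted"], issue["severity"] * crit)
    return sorted(plan.items(), key=lambda kv: (-kv[1]["weighted"], kv[0]))


if __name__ == "__main__":
    for app, score in prioritize(SERVER_FINDINGS, APP_SERVERS, APP_CRITICALITY):
        print(f"{app:12s} business risk {score:5.1f}")
    for vuln_id, entry in remediation_plan(SERVER_FINDINGS, APP_SERVERS, APP_CRITICALITY):
        print(f"{vuln_id}: severity {entry['severity']}, affects {entry['apps']}")
```

With the constructed data, `prioritize` puts payments first (49.0), then hr-portal (22.5), then dev-sandbox (9.8), even though dev-sandbox carries the same 9.8-severity finding as payments. In the remediation plan, VULN-B (severity 5.3) on the payments servers ranks above VULN-C (severity 7.5) on the HR portal, which is exactly the business-driven reordering a pure scanner report cannot produce. The weighting function is deliberately simple; in practice it is the place where the owners' input about downtime tolerance and exposure would be folded in.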

By giving business application owners their say, and by viewing threats to the business from the application level, security will not only protect the business, it will also help to optimise it. That’s a perfect balance of reduced risk and greater reward.