One of my colleagues recently shared a story that unfortunately, is not an uncommon happening among line of business application owners. He was monitoring a high value application using standard monitoring tools. He knew who was logging in, when, from where, and other information most application owners have purview to as part of their daily jobs. Then, the day took a turn for the worse. Marked urgent, an email came in from his boss – the company’s CISO. It included only one sentence, “Did you know there is a highly critical vulnerability in your application?” The phone rang. The CISO was furious.
My colleague spent the next two days researching the vulnerability, looking to see if it was exploited or if malware was in the wild that could exploit it. A third-party vendor built the application so one would expect that vendor to provide patches and updates automatically. That didn’t happen. He looked on the National Vulnerability Database (NVD), reviewed the security architecture of his applications to ensure he had the right controls in place in the event the vulnerability was exploitable. He contacted the vendor for a patch and logged the event as an incident.
He told me the whole thing was embarrassing. He was responsible for a high value application and failed to protect that application. However, I don’t believe the incident was entirely his fault. He did not have the information he needed to protect his application. When it came to cyber security tools, he told me his Fortune 100 company had one of everything, eight tools in total. Yet, they were the wrong tools. They did not give him the vulnerability information he needed to patch a critical vulnerability.
We often hear the phrase, “making security everybody’s business.” It’s a mantra that sits on many cyber security experts’ tongues. Most people assume it means training your employees, especially those who are not on the security team yet govern valued assets like line-of-business application owners, to not click on suspicious links and avoid weak passwords. While those security best practices are important, they are not what “making security everybody’s business” really means.
Application owners need to play a more active part in managing cyber risk. They need to know when a highly critical vulnerability is in their application and ensure it gets patched immediately. However, successfully achieving that goal requires two things to happen. First, application owners must do their part in understanding their application’s user base and the information on the application itself. Second, they need to have the right information given to them to patch critical vulnerabilities in their application.
Starting with the first point, application owners must understand which users are accessing their application including those who have been approved and denied, and what they are doing once they have access. They also must understand what type of information their application leverages such as private health or payment information, corporate financial data, intellectual property and if the information falls under a regulatory requirement. They must know the impact if the application were compromised and potential threats and vulnerabilities that could lead to a compromise. They should make sure IT administrators apply updates and patches, and be able to monitor the progress of those efforts.
The bottom line is that application owners are responsible for making sure critical vulnerabilities in their applications are patched efficiently. However, moving to my second point, they cannot achieve those goals if they don’t receive the information in the first place. Security leaders must ensure they have a method to deliver application owners the vulnerability information they need to act. Going back to my colleague, he had many security tools at his fingertips yet none of them told him a critical vulnerability was in his application that needed an immediate fix. Thus, how was he supposed to know? He relied on the vendor that built the application to inform him if a vulnerability existed.
Most application owners depend on internal teams to do code scans, and if there isn’t a conduit between those scans and owners so that they can see the results, application owners are again flying blind.
Making security everybody’s business means that application owners understand their applications including their user base and the information in those applications, monitor their applications and take action to patch critical vulnerabilities before it’s too late. It also means that security leaders make sure those application owners receive the right vulnerability information so they can do their part in reducing risk. That way both parties can avoid the urgent emails, tense phone calls, and wasted days putting the pieces the together. But more importantly, they can avoid having a critical vulnerability linger on their valued applications for days on end, sitting there for a criminal to exploit.