For better or for worse, mainstream media is increasingly covering particularly dangerous, widespread or otherwise notable security vulnerabilities.
The growing coverage has made more people aware of the risks and of the need to keep their various devices (software) up-to-date and, with the increased digitization of our everyday lives, I would say that’s a definitive plus.
But among those people are also partners and regulators, as well as executives and boards of directors, who may demand that their security teams do something about a vulnerability immediately, even though those teams might currently be working on things more important than quickly patching a flaw that may or may not be critical to the company’s security.
These urgent requests can sometimes be met and sometimes not.
According to some of the CISOs and security analysts Tenable research analyst Claire Tills recently interviewed, when the security hole can be plugged easily, security teams might welcome the temporary disruption as an opportunity to score a quick “win” and show their value to the organization (even if the vulnerability is not critical).
But if the real risk of the vulnerability is lower than it appears, if there are no fixes or mitigations available, or if the patching process is expected to be difficult and time-consuming, enterprise security officers and their teams are in for a fight and a potentially major disruption of their activities and plans.
Most of the individuals canvassed by Tills used Meltdown and Spectre as examples of vulnerabilities that resulted in many headaches and derailed vulnerability management programs.
The news coverage was massive, but not enough concrete information about the associated level of risk was available initially. Security teams first had to determine the risk involved, all the while being pressured to patch promptly. The patches were released slowly and some were problematic. (All in all, the patching process ended up being so long and frustrating that it made many security teams decide to roll out patches more slowly in the future.)
Juggling all this while pushing back on the deadlines expected by higher-up executives and making them understand the real risk these vulnerabilities present to the company took a lot of effort.
The silver lining
Still, there are positive aspects to all this: with every vulnerability that gains a high profile and gets noticed and forcefully prioritized by the higher-ups due to extensive media coverage, defenders get better at evaluating the real risk of a vulnerability and communicating it to key stakeholders.
They also improve cooperation with other business units and reinforce processes set in place to deal with these occurrences, thus improving their ability to deal with business-threatening vulnerabilities that will arise in the future.
“While security teams are aware that media coverage is not an ideal measure of technical risk, they need to discuss their risk evaluation process with others. They also need to accept that the overall risk presented by a lower-severity vulnerability might require action,” Tills noted.
Finally and most importantly, they must manage perceived risk and enable a measured response to vulnerabilities based on contextualization, rather than hype, she pointed out.