Hi and welcome to our last lesson for the Executive Vulnerability Management module one. We're at lesson 1.5 and we're gonna be talking about the executive leadership role as it relates to vulnerability management.
So, our learning objectives for today. We're really gonna be focused on who on the executive team can help vulnerability management and why that's important,
how the organization size may dictate vulnerability management decisions. You know, we're really gonna be talking about small, medium businesses and large businesses, and how vulnerability management's really gonna be different across all of those.
How a risk committee may help to resolve prioritization issues. I'm a big fan of this idea, so we're gonna talk a little bit more about that. And then how to really create an effective security policy around vulnerability management.
For our executive management considerations, you know, again, as I've mentioned in earlier lessons, leadership can really help to drive and prioritize vulnerability management. You know, the ability to say, "Hey, you know what, I trust you. Go ahead, do what you need to do,"
or when the security team comes and says, "Listen, we've got this major exploit, you know, that we're seeing in the wild. We really need to get this vulnerability, you know, mitigated right now,"
you know, so the ability to say "yes, go do what you need to do" is really helpful for the security team to do what they need to do, and helps to get the IT team integrated into that.
And if it's not done from the top down, you know, teams might focus on other projects, other priorities. You know, the IT team,
they're gonna have lots to do. You know, the infrastructure team, the help desk, they're all gonna be really busy working on their own normal day-to-day functions. So sometimes it's hard to get security integrated into that.
So if you have executive leadership, you know, your CIO or even your CEO, saying, "You know what, risk management and vulnerability management are important.
I want to make sure that, you know,
I'm gonna avoid a breach at all costs. What do we need to do to get there?" That will help to shift priorities and maybe push off some other projects, you know, to prioritize vulnerability management.
And the idea that not all vulnerabilities need to be remediated. I think that's kind of a big misconception too.
I know critical and highs, you know, some people have reporting requirements on those, and those are very important to get remediated.
But you have to, especially if you have a smaller team,
you need to determine where your highest risk is. So what's my most critical asset? What is most important to my business? You know, am I holding PII? What information do I really need to protect? So that way you can focus on those things first. Because if you try to remediate all the vulnerabilities all the time, you know, it could just be this endless fight,
which can also lead to turnover if you have people just installing patches every day, every day, every day.
You know, it could lead to turnover, which would then maybe put your vulnerability management program at risk.
And having a technical advisory team to assist in determining risk.
You know, I think it's really important that IT and security work together, and that they work together with leadership.
Having everybody come together at a table really helps for people to understand what their own priorities are, and then to help put them together with what the business priorities are, especially when it comes to risk management.
So, organization size. This is a really big deal, especially when we're talking about maturity of a vulnerability management program. It really depends on the size of your leadership team, but also, you know, how big is your IT shop? Do you only have one guy working on your IT team?
You know, that could make it really difficult to prioritize patch management as well as just keeping the systems up all the time. You know, there's many other issues that, you know, if you have one person running your IT shop,
they're gonna be dealing with lots of other things as well as patch management. So
it can be difficult. So it's important for leadership to know that there are those possible complexities and to try to help the teams with that.
So, smaller teams: your CIO, your CEO may need to be involved and help drive vulnerability management. You know, if you have a team under 50 people, under 30 people, you know, depending on what kind of systems you're using, your risk may be lower. But it also depends on, you know, if you're building an application, if you're a startup,
are you working on software development?
You know, your CEO may be able to help and say, "You know what?
We need to make sure we're secure before we move forward. Who do we need to hire? What do we need to do to make sure code is secure before we go forward?"
You might have a CISO, you might have security management who can really take control, take the lead and say, "You know what? These are the important things when it comes to vulnerability management." So you really have to make sure that when you've got that CISO, you've got that security management, they know what's going on, and they're able to take control. So that's kind of your mid-sized organization; it might have one of those.
For your larger teams, you're probably gonna have many different layers of direction in the security team. You might have a director of incident response, might have a director of threat intelligence. You might have any of those other sections involved with security management,
so they may be able to help you decide. You know, your director of threat intel may say, "Hey,
this is number one. We got to fix this first." So you might have that more mature capability model looking at vulnerability management.
All right, so, risk committee. I am a big fan of the idea of a risk committee.
That could be an advisory board. This is typically how I've seen it, you know, in research and in some journal articles; they're talking about it as being an advisory board, like you would have an advisory board for just a regular organization. But I think a risk committee could be really important even internal to the organization. You could be talking about having
a group that meets, you know, every other week,
once a month. "Hey, what's our top priority? What are the top 10 exploitable vulnerabilities that we should be looking at that are related to our systems?"
So if you're considering a group of SMEs to meet with executive leadership, weekly, monthly (doesn't have to be weekly, especially if you're a big organization), but you could meet monthly and just talk about risks. What's going on in the environment? Is there new software coming down the line? Are there new projects that we're working on that might increase risk? What can we do to lower that risk?
So, having all those things at the onset,
when you're implementing and integrating these new projects, this new software, your risk is gonna be lower from the beginning if you can add security to that table from the beginning.
It doesn't need to be hours of reports. Suggestions: I mentioned this in one of the previous lessons, where if, as a security team, we're sending reports with 300 vulnerabilities in it, it's very difficult to wade through that and figure out what's important to me. What can I actually take action on and fix? Because I can't fix 300 things on one workstation. So what do I need to do?
So that's why I bring up that focus on top 10 threats. There's a lot of great reporting tools out there, especially from security scanning tools. A lot of them have reporting capabilities so you can talk about your top 10 threats. Take your 10 most vulnerable hosts. You know, let's say you have a large server environment. You have lots of web application servers.
Maybe you want to focus on those and say, "Hey,
these are the biggest vulnerabilities related to these servers,"
and your 10 exploitable vulnerabilities with the largest footprint. So talking about,
"Hey, we've got a SQL injection that we found and it's across 10 servers. We need to get that done right now," and that will knock out 10 individual vulnerabilities, critical vulnerabilities. So
I think it's really important to have
good reports that really help people understand what's going on in the environment.
So, your security policy. This is when we're talking about taking that top-down approach again. You've gotta have a great security policy that you can look to, to say, "Yes, this is right. This is what we're gonna follow." Focusing on responsibilities and SLAs. So how long do we remediate? How long can we take to remediate a critical vulnerability?
Is it 15 days? Is it 30 days? Is it five days?
You know, what kind of timeline do we have that we need to remediate critical vulnerabilities? And then who's responsible for that? Who's gonna be on my teams that's going to say, "Yes, I'm gonna fix this"?
And then how do you handle SaaS, cloud platform versus on-premise vulnerabilities? This is really where we're talking about taking vulnerability management holistically. We're not just talking about patches; we're talking about, you know, "Hey, do we use ***? How do we use it? Do we have security paperwork from them saying how they secure their systems that we're using?"
What do we have in the cloud? How many servers do we have? What OS levels do we have? How are we using it? How long is it on during the day? All those things are really important in understanding what vulnerabilities you might have.
And then including your SMEs in policy development. A lot of them, you know, they're the boots on the ground. They know what's going on. They might be able to help and say, "Actually, you know what? This maybe isn't so big of an issue, but we need to look over here. This might be a bigger issue." You know, "Hey, we've got, you know, group policy is a really big issue. We need to really focus on that, and
you know, take a look at that to help secure the environment."
So including them in the policy development, I think, could be really beneficial.
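The two ideas above that a practitioner would actually want to see working together are the "top 10" reporting the lesson recommends for the risk committee (most vulnerable hosts, and exploitable vulnerabilities ranked by footprint, so one fix across 10 servers closes 10 findings) and the remediation SLA the security policy is supposed to set. The following Python script is an added example, not code from the lesson or from any scanning product it mentions. The findings, host names, vulnerability ids and the SLA day counts are all constructed for the example; a real program would load findings from the scanner's export and take the SLA values from its own policy.

```python
"""Prioritisation and SLA reporting over vulnerability findings.

Added illustration, not code from the lesson. Findings, host names,
vulnerability ids and the SLA day counts below are all constructed.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta
from typing import NamedTuple


class Finding(NamedTuple):
    host: str
    vuln_id: str
    severity: str       # critical / high / medium / low
    exploitable: bool   # public exploit available or seen in the wild
    first_seen: date    # when the scanner first reported it


# Constructed sample findings: one SQL injection across three web servers,
# an outdated OpenSSL across three hosts, plus a few lower-severity items.
FINDINGS = [
    Finding("web-01", "SQLI-LOGIN", "critical", True, date(2024, 3, 1)),
    Finding("web-02", "SQLI-LOGIN", "critical", True, date(2024, 3, 1)),
    Finding("web-03", "SQLI-LOGIN", "critical", True, date(2024, 3, 1)),
    Finding("web-01", "OPENSSL-OLD", "high", True, date(2024, 2, 10)),
    Finding("web-02", "OPENSSL-OLD", "high", True, date(2024, 2, 10)),
    Finding("db-01", "OPENSSL-OLD", "high", True, date(2024, 2, 10)),
    Finding("db-01", "WEAK-CIPHERS", "medium", False, date(2024, 1, 15)),
    Finding("app-01", "DEBUG-ENABLED", "medium", True, date(2024, 3, 20)),
    Finding("web-01", "BANNER-LEAK", "low", False, date(2023, 11, 1)),
]

# Hypothetical policy values: days allowed to remediate, by severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def top_vulnerable_hosts(findings, n=10):
    """Hosts ranked by number of open findings (ties keep scan order)."""
    return Counter(f.host for f in findings).most_common(n)


def top_exploitable_by_footprint(findings, n=10):
    """Exploitable vulnerabilities ranked by how many distinct hosts carry them.

    One fix for a vulnerability present on ten hosts closes ten findings, so
    footprint decides first; worst severity, then id, break ties.
    """
    hosts = defaultdict(set)
    worst = {}
    for f in findings:
        if f.exploitable:
            hosts[f.vuln_id].add(f.host)
            worst[f.vuln_id] = min(worst.get(f.vuln_id, 3), SEVERITY_RANK[f.severity])
    ranked = sorted(hosts, key=lambda v: (-len(hosts[v]), worst[v], v))
    return [(v, len(hosts[v])) for v in ranked[:n]]


def overdue(findings, today, sla=SLA_DAYS):
    """Findings past their SLA deadline, most overdue first, as
    (host, vuln_id, severity, days_overdue) tuples."""
    late = []
    for f in findings:
        deadline = f.first_seen + timedelta(days=sla[f.severity])
        if today > deadline:
            late.append((f.host, f.vuln_id, f.severity, (today - deadline).days))
    return sorted(late, key=lambda r: (-r[3], r[0]))


def render_report(findings, today, n=10):
    """Short text summary an executive can read in a minute."""
    lines = [f"Vulnerability summary as of {today}", "", "Most vulnerable hosts:"]
    lines += [f"  {h}: {c} findings" for h, c in top_vulnerable_hosts(findings, n)]
    lines += ["", "Exploitable vulnerabilities by footprint:"]
    lines += [f"  {v}: {c} hosts" for v, c in top_exploitable_by_footprint(findings, n)]
    lines += ["", "Past SLA:"]
    lines += [f"  {h} {v} ({s}): {d} days overdue" for h, v, s, d in overdue(findings, today)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(FINDINGS, date(2024, 4, 1)))
```

Running it as of 2024-04-01 puts the SQL injection at the top of the footprint list (three hosts, critical), lists the OpenSSL findings as the most overdue (21 days past the 30-day high SLA) and leaves the medium and low items inside their windows; that is the one-page view the lesson argues for instead of a 300-item scanner dump.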
So in today's video, we talked about what considerations the executive management team should take when integrating or evolving their vulnerability management programs,
how organization size may affect those decisions. You know, small, medium businesses may not have the same resources, so how can we kind of help that? Is a risk committee able to improve vulnerability prioritization? It's possible. And then how you can create an effective security policy to drive vulnerability management.
And here are my references. I'll see you in the next module.