Building and maintaining proper vulnerability management starts with getting rid of the blind spots. Before you start your journey, you need a complete picture of the software, certificates, servers and cloud solutions the company uses or owns. Armed with a solid database of your assets, you start scanning for vulnerabilities. Scanning requires additional software, and additional software requires personnel who know how to use it. This is where implementing vulnerability management gets tricky.
A clash of perspectives
At this point, the collaboration between the security engineers and the system administrators becomes crucial to the success of the vulnerability management implementation. So far, the system administrators have been willing to help the security team by providing the most accurate inventory of the assets used and owned in the company. The existing systems and procedures are used to build a good overview of the company's attack surface.
But after the inventory phase comes the scanning phase. Imagine being a dedicated system administrator who has built and maintained a company's IT infrastructure for years. Now, enter the security experts tasked with implementing vulnerability management. Their initial collaboration with you as administrator seems promising, with you and your team providing information about the environment. Then, however, the security engineers start to onboard new tools and software. Before you know it, the security engineers have scanned your environment and start sending you detailed reports outlining the scariest vulnerabilities. The reports highlight how you and your team may have overlooked some security patches over the years. How would you feel?
Bridging the gap
For a streamlined and efficient implementation of vulnerability management in your organization, communication and collaboration between the security team and the rest of the organization is key. However, this topic is quite often overlooked, while the focus lies instead on quickly onboarding vulnerability scanners and getting rid of the blind spots. But not all is lost. Here are a few ideas to keep in the back of your head on how to bridge the gap between security experts and system administrators, so that collaboration and communication stay effective and comfortable:
- Give people time: Acknowledge that system administrators, among others, need time to absorb the vulnerability report and develop a remediation plan. Rushing the process can exacerbate resistance.
- Security Awareness Training: Educated employees are more likely to embrace security practices in the future. The first vulnerability management reports are less scary when the system administrators have the knowledge and experience on how to read and work with them.
- Shared Responsibility: Keeping your company secure is ultimately a shared responsibility; in the end, we all want the same thing. Only by working together can security experts and system administrators achieve a more secure organization.
It is clear that working together is what made humans a successful species in the animal kingdom. Even though we live in a rapidly changing, sometimes scary, digitalized world, this has not changed. The best way to raise the security level of your company is to work together with everyone on board. A collaborative approach, built on mutual respect and understanding, is the foundation of a successful vulnerability management program.