Bolster your Security Culture by creating processes to support common values around security practices like Vulnerability Management.
Translate the needs of Ops, IT, and the Boardroom into a shared value system.
Wouldn't it be great if you could pull IT, Ops, and the CEO into a room and get them all to see eye to eye on the value of effective vulnerability management? How can they all agree on what to do, who is doing what, and why it's important? IT knows the value of Vulnerability Management activities, but that value isn't always communicated effectively to Operations or the C-suite. Until now.
Successful vulnerability management in Ops means striking a delicate balance between two very different, equally important aspects of the business. The value to the business, which IT and Operations can both get behind, is that effective vulnerability management continually identifies vulnerabilities that can be remediated through patching and configuration changes BEFORE a cyber incident grinds production to a halt.
Use this translation guide to decipher IT's responsibility, Ops' responsibility, and the shared value to the business.
Vulnerability Management must be considered in each of these areas:
ONBOARDING. Onboarding and offboarding staff, processes, and devices. Each must be addressed to close the gap of "you don't know what you don't know". IT and Ops must both consider the business impact of onboarding and offboarding.
DISCOVERY. You can't protect what you can't see. IT and Ops must work together to create a network topology that shows the flow of communication, data, and network traffic.
PRIORITIZE. Which assets are the highest priority for Ops? What about IT? Does the boardroom agree? If so, is this documented in your Response & Recovery planning?
ASSESS. All eyes must remain on the operations network, looking for issues and anomalies that can threaten the integrity of the entire network.
REMEDIATE. The health of your network can fluctuate at any moment. Vulnerabilities are exposed, patches are published, and scheduling patch management can be a nightmare in an environment where production runs 24/7/365.
VERIFY. Is IT's work performing as intended on the Ops floor? Does Ops know how to identify issues? Does anyone on the floor know how to escalate issues to IT?
REPORTING. What gets reported? What is the report trying to achieve? What does Ops need to know? What about IT or the boardroom?