YOU HAVE BEARS!
Vulnerability management is still a tough thing to rally support for and everyone loves a good story, so today I figured I’ll just combine both!
Once upon a time, a company took all of their employees camping. These employees saw all of the signs posted about the campground warning that there might be bears. They understood the warnings, but they hadn’t brought any bear safe food containers with them. Deciding to shrug off the warnings and go to bed, figuring bear attacks happen to other campers, they all turned in for the night, with food packed neatly inside their tents. That night, a hungry bear came through and ate all of their food as well as all of the employees, save one, who lived to tell about it to the media.
This is how most companies approach vulnerability management. They purchase a network vulnerability scanner, which identifies the vulnerabilities, and they send out reports. These reports are circulated so everyone is well aware the company has vulnerabilities in the environment. Whether the finding is a bear warning or an outdated version of MS SQL, this activity is one and the same – it’s simple vulnerability identification. We are screaming to our company, “YOU HAVE BEARS!”
Ok, great. Bears. We have them. Now what? In order to avoid being eaten by bears, we can’t stop there. Flyers at the campground are great, but these campers don’t know how to combat the threat of bears. They’ve never been camping and they don’t understand proper food storage techniques. We must itemise the actions for creating a bear safe campground and delegate these tasks to those who need to carry them out. We must also summarise the tasks and give our leadership a better idea of what the overall labour and material costs will be, so they can appropriately allocate resources.
In this case, our reporting must take two paths. First, we tell our leaders that we’re going to need three people, a dozen bear safe food canisters, and some rope. This is the same as realising that patching Java breaks a user’s ability to use a critical application, so remediation will actually require coordination between application developers, server administration teams, and desktop administration teams. We present not only the problem (bears) and the risk (being eaten by bears), but a full remediation plan for mitigating this threat (bear safe containers hung from trees). Our leaders are the people legally responsible for reporting the breach (eaten campers) to the media and regulatory agencies, as well as for paying any fines related to the breach (death benefits for the poor people eaten by bears), so they must understand their responsibility to the organisation and the risk they are incurring if they ignore our guidance.
With leadership support, we now have money to buy our bear safe containers and rope, along with the personnel we’ll need to carry out our plan. Now we can assign one individual to stuff all the food into the containers and have the other two work together hanging the containers from the trees. Delegation is the key to vulnerability management, but we can’t delegate without leadership support, so we must work both paths in tandem.
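The two reporting paths above can be produced from the same scanner output. The script below is an added example, not something from the original post or from any scanner product: it takes a constructed list of findings, applies a hypothetical remediation playbook and host-ownership map, and emits both an itemised work list per team (the delegation path) and a people-and-hours summary for leadership (the support path). The Java entry in the playbook models the post's case where developers must certify the critical application before server and desktop teams can patch. Team names, hosts, hours and playbook steps are all assumptions made for the example.

```python
"""Added example: turn raw scanner findings into the two reports the post calls for.

Path one: itemised tasks per owning team (the delegation list).
Path two: a resource summary for leadership (people, hours, severity).
Sample findings, host ownership and the playbook are all constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed sample findings; not output from any real scanner.
FINDINGS = [
    {"host": "db01", "component": "mssql", "severity": "high", "title": "Outdated MS SQL version"},
    {"host": "db02", "component": "mssql", "severity": "high", "title": "Outdated MS SQL version"},
    {"host": "app01", "component": "java", "severity": "critical", "title": "Outdated Java runtime"},
    {"host": "ws-101", "component": "java", "severity": "critical", "title": "Outdated Java runtime"},
    {"host": "ws-102", "component": "java", "severity": "critical", "title": "Outdated Java runtime"},
    {"host": "web01", "component": "openssl", "severity": "medium", "title": "Outdated OpenSSL library"},
]

# Hypothetical host ownership: which team administers each host.
HOST_OWNER = {
    "db01": "server-admins", "db02": "server-admins", "app01": "server-admins",
    "web01": "server-admins", "ws-101": "desktop-admins", "ws-102": "desktop-admins",
}

# Hypothetical playbook per affected component. "prereq" is a one-off task that
# must finish before any host is touched: the post's Java case, where developers
# must first certify the critical application on the patched runtime.
# Hours are illustrative estimates.
PLAYBOOK = {
    "mssql": {"prereq": None,
              "per_host": ("Upgrade MS SQL to a supported version", 4.0)},
    "java": {"prereq": ("app-developers",
                        "Certify the critical application on the patched Java runtime", 8.0),
             "per_host": ("Deploy the patched Java runtime", 2.0)},
    "openssl": {"prereq": None,
                "per_host": ("Update the OpenSSL package and restart dependent services", 1.0)},
}


def build_plan(findings, host_owner=HOST_OWNER, playbook=PLAYBOOK):
    """Return {"tasks": {team: [task, ...]}, "summary": {...}} for the findings."""
    tasks = defaultdict(list)
    prereq_added = set()
    for f in findings:
        entry = playbook.get(f["component"])
        if entry is None:
            # A finding with no playbook is a gap in our guidance, not something to
            # drop silently: hand it back to the security team to write one.
            tasks["security-team"].append({
                "host": f["host"], "action": f"Write a remediation playbook for: {f['title']}",
                "hours": 0.0, "blocked_by": None})
            continue
        prereq = entry["prereq"]
        if prereq and f["component"] not in prereq_added:
            team, action, hours = prereq  # one certification task, however many hosts
            tasks[team].append({"host": "(all)", "action": action,
                                "hours": hours, "blocked_by": None})
            prereq_added.add(f["component"])
        action, hours = entry["per_host"]
        tasks[host_owner[f["host"]]].append({
            "host": f["host"], "action": action, "hours": hours,
            "blocked_by": prereq[1] if prereq else None})

    hours_by_team = {team: sum(t["hours"] for t in items) for team, items in tasks.items()}
    summary = {
        "findings": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "teams_needed": sorted(tasks),
        "hours_by_team": hours_by_team,
        "total_hours": sum(hours_by_team.values()),
    }
    return {"tasks": dict(tasks), "summary": summary}


def leadership_report(plan):
    """Path two: the short summary leadership needs to allocate people and money."""
    s = plan["summary"]
    severities = ", ".join(f"{k}: {v}" for k, v in sorted(s["by_severity"].items()))
    return "\n".join([
        f"{s['findings']} findings ({severities})",
        f"Teams required: {', '.join(s['teams_needed'])}",
        f"Estimated effort: {s['total_hours']:.1f} hours",
    ])


def team_worklists(plan):
    """Path one: per-team itemised tasks, with unblocked work listed first."""
    out = {}
    for team, items in plan["tasks"].items():
        ordered = sorted(items, key=lambda t: t["blocked_by"] is not None)
        out[team] = [f"{t['host']}: {t['action']}"
                     + (f" (after: {t['blocked_by']})" if t["blocked_by"] else "")
                     for t in ordered]
    return out


if __name__ == "__main__":
    plan = build_plan(FINDINGS)
    print(leadership_report(plan))
    for team, work in team_worklists(plan).items():
        print(f"\n{team}:")
        for line in work:
            print("  -", line)
```

The point of the structure is that nothing in the per-team lists is a bare scanner finding: each line is an action a named team can take, with its prerequisite shown, and the leadership summary is derived from the same data so the two paths never disagree on scope or cost. A finding with no playbook entry is routed back to the security team rather than dropped, because a vulnerability we cannot yet tell anyone how to fix is still a bear.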
By working these two paths of reporting instead of posting generic warning signs around our campgrounds, we ensure that everyone is not only aware that there are bears about, but they are appropriately equipped to mitigate the risk. By understanding the risk as well as the tasks required to mitigate it, we can orchestrate a successful bear proofing campaign across our organisation and no one will get eaten by bears.