On Episode 9 of The Cyber Security Matters Podcast we spoke to Jennifer Cox, the Head of Communications at Cyber Women Ireland, about her work with vulnerability management in the sector. Jennifer is a multi-award winning advocate for women in tech, using her knowledge to mentor women as they join the workforce. She also speaks at global events, bringing her expertise to a wider audience.
Read on for Jennifer’s insights on vulnerability management in the Cyber Security industry.
What do you think are the three big takeaways on vulnerability management?
At the core of vulnerability management, you need to be able to identify where you’ve got problems. It’s not just laptops, it’s every device that’s possibly connected to the internet. You need to focus on what’s important to remediate first. Vulnerabilities are growing almost exponentially, but the teams that handle those issues aren’t growing the same way. The challenges are not always exclusive to the products that we sell – many times you’ve only got two people on the team, but 40,000 vulnerabilities that you need to fix.
How do you think vulnerability management is changing in today’s world?
What’s changed most dramatically since COVID is this overnight remote workforce. Companies no longer have control over every single device on the network, and more and more people are bringing their own device into the office. Companies still need to make sure that those devices are secure. When people are at home they often have wide open home networks. We’re improving education around vulnerabilities and teaching individuals how to put better practices in place at home. People forget that web applications are also vulnerability risks, so they haven’t included them when they’re doing the assessment of their mobile devices, which is a huge factor. Having a team to do vulnerability management within the team is probably the biggest change.
What do you think is the biggest obstacle to vulnerability management as a whole?
Hands down it’s budgets and bodies. When you don’t get reports about anything going wrong and being fixed by the cybersecurity team, you often don’t appreciate that the team is doing a really great job. If you’re hearing from your cybersecurity team, then there’s a problem – they’re either understaffed or under-educated so they’re struggling to cope. That silence is a problem, because when companies are trying to strip back budgets, they’ll look at reducing that team because it’s quiet. That’s actually the worst thing that they can do, because that’s the team that’s protecting them the most.
The challenge has been resources all the way along. We don’t have enough people to remediate all these issues. What you’ll do in that case is educate your team on prioritisation using a scoring system called ‘CVSS score’. We also have an algorithm that we use called vulnerability prioritisation rating. It takes the CVSS score and a multitude of other different things into account. Based on all of these things, it tells us what is most likely to become a problem over X number of days. The struggle is that of 40,000 vulnerabilities, 30,000 of those are critical. I can’t remediate 30,000 vulnerabilities in a weekend, but that’s the only time I’m allowed to do it. Add to that things like needing a 99.9% uptime, restarting the server after patches, and that becomes a challenge in itself.
To hear more about vulnerability management and the work that Jennifer is doing to improve diversity in the industry, listen to The Cyber Security Matters Podcast now.
We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.
