Threat and vulnerability management: Sometimes you see the bullet coming

Cybersecurity risk management is complicated. Threats, both known and unknown, are omnipresent. We are compelled to evaluate the likelihood of a threat exploiting a vulnerability in our organization and the possible impact the threat may have on our operations. When vulnerabilities are disclosed, leaders must act to lower their risk and ensure any residual risk is accepted at the appropriate level. In many cases, we may see the proverbial bullet coming and should not wait until it strikes us. Leaders may help address this risk by leveraging threat intelligence, enforcing patch management, and managing third-party risk.

Rising Risk

Known vulnerabilities may create unacceptable or even existential risk to organizations if they are not addressed. In the past 12 months alone, significant vulnerabilities were publicly reported that allow attackers to create devastating effects. For example, security researchers revealed earlier this month that hardware vulnerabilities known as Spectre and Meltdown could allow an attacker to read sensitive data on microprocessor chips. In September, Equifax disclosed that attackers exploited a known vulnerability that exposed sensitive personal data on 143 million U.S. consumers. Last May, the WannaCry ransomware targeted unpatched computers running the Microsoft Windows operating system around the world. As the potential impact of such attacks against known threats grows in scale and frequency, institutions should develop an effective program to identify threats and address any vulnerabilities efficiently and effectively.
