Back to basics - the best approach to vulnerability management

Businesses must adopt a simple approach to vulnerability management if they are to deal effectively with cyber security threats.

This is according to MTN Cameroon's Senior Manager for Information Security, Lydie Nogol, who presented on the final day of ITWeb Security Summit 2018 in Johannesburg yesterday.

"In today's world where we have more and more complex IT and network architectures, where we have limited budgets, less time, fewer people and where the number of sophisticated attacks is growing, IT security professionals need to get back to the basics in order to manage vulnerabilities. It is important to ensure that primary controls are effective. If we start overloading the vulnerability management team to close some basic issues that can be handled upfront, they are not going to focus on what really matters for the company," said Nogol.

"They are going to focus on closing port 445 because of WannaCry when it should never have been exposed. Let's ensure that all those primary controls are well implemented by embedding the security into the design of any solution and configuring it into all our nodes," she added.

Nogol said an uncomplicated approach to vulnerability management requires focus on people and processes, not just technology.

"It is a complete lie if we think vulnerability is about technology. It is very far from the technology and is based on three main pillars which are the technology, the process and the people. The technology is only there to automate the process."

She also emphasised the need for better communication regarding threats within a business environment.

"We need to ensure that we are communicating the right information to the right person in a language that he or she can understand. Let's start speaking security in the language of our interlocutor. If you speak to a Chief Financial Officer you need to do so in his language. Explain the risk in a way that can be understood. We need to identify the risk posture of our organisation and communicate this clearly to all stakeholders until the organisation reaches an acceptable level of risk," Nogol added.

Tailoring communication about an organisation's vulnerabilities is critical if the information security professional is to elicit an appropriate response from colleagues.

"The chief information security officer of course would like to know the number of vulnerabilities, the type of systems et cetera, but that type of information will never help the Human Resource manager, as they would like to know the level of awareness of the company's employees. Let's talk business to business people, not security."

Poor communication makes you the insider threat

Professor David Taylor, security strategist and IT attorney, who spoke during a panel discussion at the end of the 2018 edition of the Security Summit, called for better communication by security teams with the rest of the business so that they avoid becoming the security threat themselves.

"People on boards like to blame the techies, and the techies are often saying that they can't talk to management. The truth is that you are responsible for your own communication. You can't point at board members for not being educated (about security and the costs involved) because we don't educate them. What we do is we wait for the vendors to come and they push their product, after which we copy and paste what they say and we give that to the board members. That's our fault, because we want to get the job done as quickly as possible, and then we turn around and blame the vendor. That insider threat is other people, but first it is you, because you are pushing the work off to vendors and you are not looking at everything properly and making good decisions."