Communicating Vulnerabilities with Your Business Leaders
“So what?” That’s what the CRO, COO, or whichever CxO you report to is most likely thinking as their eyes glaze over at your security metrics, rife with percentages, maps, and unfamiliar words. We’ve all been here in one way or another: expecting others to understand cybersecurity the way we understand it. Unfortunately, that’s not realistic. Security practitioners must follow through on every vulnerability metric with a “so what?” crafted specifically for their audience. Gone are the days when operational and technical vulnerability metrics could be propped up by “mad scientist” statistics and charts and still receive a blind pass from business leaders. The stakes are higher now: compromise is on the rise, and your business-driven stakeholders want to know where company dollars are going. They now care. They want assurance that they’re safe, that threats are controlled, and that they can continue to grow resiliently.
The “so what?” answers why your listeners should care. Communication and purpose are key when presenting vulnerability metrics. Without them, security teams risk misinterpretation of their hard work and of their calls to action, or worse yet, absolute disinterest. So how can you properly communicate your vulnerability management metrics to your business leaders?
To begin, every security leader must embed this basic business-hygiene practice in their team: connect every Security metric back to how it supports your business’s Mission, Vision, and Purpose (MVP). The bridge between the right vulnerability metrics for business leaders and the business MVP is the set of day-to-day business risks that Security teams address and how they perform against them. Once that journey is documented, your team will be able to report on the necessary numbers and progress. Let’s apply this practice below to one overused vulnerability management metric: the often elusive or generic risk score.
Many tools automatically generate risk scores, and usually they illustrate the cumulative risk of your vulnerabilities by way of quantity (i.e., CVE database entries correlated to your known assets) and severity (i.e., CVSS scoring). Security teams often display a percentage of critical assets scanned and of vulnerabilities patched or unpatched to explain this risk score, and usually stop there. The problem is that this is not business-specific and fails to tell the whole story. Exploitability, threat actor association, asset criticality, and business context all need to be applied to each vulnerability to gain a realistic view of which issues have been avoided and which still need to be dealt with urgently; however, this context is usually missing. Why did the Security team remediate some vulnerabilities, and why do others still exist? If a patch was not implemented, why not, and what workarounds were put in place? Based on the risk score, is the business safe, and how can it be safer?
To correct this kind of miscommunication, progress-based metrics should support risk scores. These metrics should reference the breadth of critical assets scanned per line of business, correlated to known proximal threats, and the speed and efficiency with which any relevant vulnerabilities were patched (i.e., improvement in SLA times) or workarounds were implemented. A before-and-after risk reduction narrative should be on full display for your audience, both to celebrate Security wins and to justify Security priorities and investments.
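As an added example (not part of the original post, and not ULTRARED’s code), the contrast between a tool-style cumulative score and a business-context-weighted one on the same constructed findings, together with the per-line-of-business progress view described above. The SLA tiers, the weighting multipliers, the line-of-business labels and the CVE-XXXX identifiers are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional
SLA_DAYS = {3: 7, 2: 30, 1: 90}  # assumed remediation SLA in days per asset criticality tier

@dataclass
class Vuln:
    cve: str                        # constructed placeholder id, not a real CVE number
    lob: str                        # line of business the affected asset serves
    cvss: float                     # scanner-reported base severity
    exploited: bool                 # known exploitation / threat actor association
    criticality: int                # asset criticality: 1 (low) .. 3 (business-critical)
    patched_in_days: Optional[int]  # None = still open
    workaround: bool = False        # compensating control in place while unpatched

def context_weight(v):
    """Assumed business-context multiplier: criticality x exploitability, halved by a workaround."""
    w = v.criticality * (2.0 if v.exploited else 1.0)
    return w * 0.5 if v.workaround else w

def generic_score(vulns):
    """Tool-style cumulative score: open findings x CVSS, no business context."""
    return sum(v.cvss for v in vulns if v.patched_in_days is None)

def contextual_score(vulns):
    """Same open findings, weighted by exploitability, asset criticality and workarounds."""
    return sum(v.cvss * context_weight(v) for v in vulns if v.patched_in_days is None)

def prioritize(vulns):
    """Open findings ordered by contextual contribution, highest first."""
    open_v = [v for v in vulns if v.patched_in_days is None]
    return [v.cve for v in sorted(open_v, key=lambda v: v.cvss * context_weight(v), reverse=True)]

def progress_by_lob(vulns):
    """Per line of business: how many findings are open, closed, and closed within SLA."""
    report = {}
    for v in vulns:
        r = report.setdefault(v.lob, {"open": 0, "closed": 0, "closed_in_sla": 0})
        closed = v.patched_in_days is not None
        r["closed" if closed else "open"] += 1
        r["closed_in_sla"] += int(closed and v.patched_in_days <= SLA_DAYS[v.criticality])
    return report

SAMPLE = [  # constructed sample findings, not real scan output
    Vuln("CVE-XXXX-0001", "Payments", 9.8, True, 3, None),
    Vuln("CVE-XXXX-0002", "HR", 9.8, False, 1, None),
    Vuln("CVE-XXXX-0003", "Payments", 7.5, True, 3, 5),
    Vuln("CVE-XXXX-0004", "Marketing", 5.3, False, 1, 120),
    Vuln("CVE-XXXX-0005", "Payments", 6.5, True, 3, None, workaround=True),
]
```

Two findings with the same 9.8 CVSS (0001 and 0002) tie in the generic view, but the context-weighted ranking puts the exploited, business-critical Payments finding first and even places the mitigated Payments finding ahead of the unexploited HR one; the per-line-of-business report is what supports the before-and-after narrative.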
Additionally, when a Security team is transparent about the vulnerabilities requiring remediation and about the potential impact of moving slowly, avoiding, or accepting risks, this speaks to their due diligence and integrity, and to the importance of their call to action. The potential impacts of missing critical patches can range from delayed processes to financial loss and brand depreciation. Communicating business-critical impacts in context is key here. As a result of good communication, the right business stakeholder should expect to take part in risk ownership and to have a “risk, cost, and value trade-offs” discussion with the Security team. When your business leaders feel like they can play a part in controlling cybersecurity risks, that is when you know you are communicating the right metrics.
The moral of the story is this: The right vulnerability metrics for business leaders bridge the gap between the business MVP and the Security story: the day-to-day business risks that Security teams address, how they perform against them, and what they will need from business leaders to continuously make progress.
Learn more about how ULTRARED enables business-ready vulnerability metrics tailored to your asset criticality and threat exposure here.