Vulnerability management may not be the sexiest topic. But, while buzzier topics are certainly important, vulnerability management may just be the key to an effective data security strategy. According to a Ponemon Institute report, 42% of nearly 2,000 surveyed IT and security workers indicated that they had suffered a data breach in the last two years that could be blamed squarely on unpatched vulnerabilities. In this article, we’ll pull back the curtain on why vulnerability management matters and what we can do to support it.

More Openings for a Data Breach on a Growing Attack Surface

You are certainly aware of — or in the midst of building out — the hybrid cloud. As businesses continue to adopt public and private clouds and on-site databases, they become more flexible and agile. At the same time, they’re increasing the size of their attack surface when it comes to a data breach.

Let’s say we define the attack surface as X- and Y-axes. The X-axis marks every possible technical asset and the Y-axis marks all ways an attacker could exploit those assets. The attack surface expands endlessly. This is even more true if cloud adoption trends and patching gaps continue at the same pace.

But, that’s not why we’re doing this exercise.

Consider this same chart with vulnerability management and effective data security tools in place. Those can monitor for gaps and misconfigurations that can lead to a data breach. Suddenly, the Y-axis almost disappears. Its growth slows, turning the attack surface from a football field to a single swim lane. This narrow rectangle represents continued digital expansion with fewer surprises or unknown obstacles.

Learn more

Defense Is the Offense Against a Data Breach

Stopping the bad guys should be at the top of your list. Often the primary goal of any defensive team is to ensure threat actors — or careless employees — are spotted and stopped. But with unpatched vulnerabilities and misconfigurations being the number-one causes of data breaches, maybe that mantle should be shared.

It can be tempting to consider the offensive teams and tools that hunt for threats and stop attacks the heroes of the day. However, they often swing into action only once a data breach has already started. While no tool can stop every data breach, the defensive teams and tools should be given a similar investment and level of prestige. Without them, the attackers could enter without any trouble. And that would mean a lopsided scoreboard in favor of the ‘other team.’

Drafting the Right Team

If vulnerability management should be a cornerstone of IT and security programs, why are so few businesses devoting resources to support it?

Well, for one thing, it’s mundane. It is difficult to define the return on investment of a solution meant to stop threats when threats don’t succeed and can’t be quantified in the first place due to the problem being patched. Changing a mission-critical database’s password from ‘123456’ to something more secure isn’t exactly breaking news. But, it could do more to improve database security before an attack happens than any of the algorithms on the market today. That isn’t to say enterprise should stop investing in machine learning, threat hunting and predictive analytics when it comes to fighting a data breach or other attacks. Algorithms should also be used to detect openings and cut down on the time it takes to fix them.

That brings us to the second reason why businesses may shy away from vulnerability management: it can be complex. It requires teamwork between database admins and security teams, systems admins and others. These folks are tasked with tracking changes and trends over time. Their work may become more complex if you move this lengthy maintenance to the top of their to-do lists.

That is where a modern vulnerability assessment solution can help. It can run thousands of assessment tests across different hybrid or multicloud environments to detect gaps and misconfiguration. From there, it can prescribe steps to correct issues and deploy fixes. Siloes are on the way out as future-proof defense comes in.

It’s well past time to let vulnerability management take the field before a data breach happens.

Find out more about how IBM Security helps streamline data security vulnerability assessment with IBM Security Guardium.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today