Establishing Business-Aligned Patch Prioritization Approach (Part 2)
Applying the 7 Rules Cyber Framework to Become Exceptional at Patch Management
In Part 1 of this blog, we presented the business case for patch prioritization. In Part 2, we guide you through the application of the 7 Rules to build team commitment to address this often-overlooked challenge. Our analysis is illustrated by a current real-life conundrum that could lead to personal regulatory liability.
Here is an overview of how the 7 Rules Cyber Framework can be applied to achieve excellence in patch management.
Rule 1: Develop a Business-Aligned Mindset
Value Consumption: Cybersecurity exists to enable business. Therefore, understanding your business is the key to developing appropriate context and prioritization for your patching efforts. Effectively understanding key business processes, products and objectives is vital to building and validating a view of securing what matters the most to the organisation. Contextualizing vulnerability and patch management controls with this understanding will enable building effective bridges with business stakeholders and senior leadership.
The nature of the business can also help inform the relative importance of each element of the confidentiality, integrity and availability (CIA) triad. For example, confidentiality might be a higher priority for IT and digital systems, while availability might be a greater priority for operational technology (OT) systems.
Rule 2: Recognize That Cybersecurity Is a Risk Management Exercise
Value Consumption: Cybersecurity is fundamentally about managing risks. Furthermore, cybersecurity is not just a technical risk; it is a business risk, and the approach to patching needs to reflect the business risk aspect clearly. The language of risk and finances is what resonates with senior business stakeholders. Developing an understanding of key assets through Rule 1 serves as input for effective risk analysis through appropriate threat and impact consideration. The goal is to build a defensible cyber risk program, and decisions around patching play a significant role. A weak patching posture could also be deemed a potential material weakness. The SolarWinds Orion data breach further demonstrates the increasing importance of a defensible cyber risk posture. Sensible adoption of cyber risk quantification techniques can also play a key role in informed decision-making.
Rule 3: Measure It
Value Consumption: Effective metrics and measurements are key to demonstrating progress and challenges to ensure adequate management. However, metrics must be tailored to the right audience. Highly operational vulnerability metrics do not resonate with boards and senior leadership. They need to be aligned to critical business applications with clarity of impact and maturity. For example, a good strategic metric could be the percentage of critical internet-facing applications that have critical patches applied in a timely manner. If this critical application is a key payments platform, there is a material implication on cash flow, which, when quantified, can offer useful insights to leadership.
Rule 4: Address the Human Factor
Value Consumption: With the majority of incidents and breaches exploiting the human factor, it is clear that cybersecurity is a human issue at its core. Furthermore, technology exists for - and by - humans. Relying on fear to influence human behavior and embed secure practices is not an effective strategy. We need to align our cyber message and controls to aspirational aspects such as business goals and personal safety. Leveraging effective gamification, humor and positive competition (leaderboards) can be really useful to influence secure patching practices. It is useful to recognize that human instinct tends to resist change because change introduces the unknown. Addressing the human factor also enables effective change management by embedding behavioral outcomes.
Rule 5: Understand the Design and Execution of Cybersecurity
Value Consumption: Cybersecurity controls need to be applied with consideration of business and technology strategies along with relevant threats and compliance obligations. Security controls such as patching do not exist in isolation. They need to be accounted for in the overall enterprise security architecture and control framework that informs their design and applicability. Defined security architecture principles can also guide the selection and implementation of the right tools and technologies to manage vulnerability risk. Factors such as clarity of sourcing and operating models (including roles and responsibilities), along with sequencing and prioritization of initiatives, enable ongoing efficacy of patching controls.
Rule 6: Master the Art of Differentiating Skills
Value Consumption: Differentiating skills such as emotional intelligence, presenting actionable options succinctly, effective communication and storytelling play a vital role in building trust within an organization and enabling professional excellence. Emotional intelligence plays an effective role where you can read the room and empathize with stakeholders regarding their concerns, including patching risks. For example, there might be genuine concern among business leaders of risks from failed changes, which might not be reversible. Not all failed changes can be rolled back successfully or cleanly. It is important to remember that hearing is not the same as listening. Be a good listener and a business partner and not just a supplier of service.
Rule 7: Build an Authentic Brand
Value Consumption: Your security function should build a brand that is grounded in being a trusted advisor to the business. Ongoing effective engagement through various organizational channels and a pragmatic mindset will solidify your team’s brand. This will also help achieve executive buy-in and support for your initiatives to improve the security posture, including, but certainly not limited to, patching. Purposeful networking and actions to inform, educate and enable your organization on various aspects of security considerations will put you in good stead. Ensure you celebrate and promote wins - no matter how small. Every win inspires confidence and is a step on the ongoing journey of cybersecurity improvement.
Putting It All Together - The SolarWinds Wells Notice
The $26M shareholder class action lawsuit, settled at the end of last year with no admission of fault, did not spell the end of troubles for the company or its executives. The settlement ends a nearly two-year legal battle between SolarWinds and its stockholders over whether the company had inaccurately conveyed its security shortcomings and therefore improperly boosted its stock price. It also forgoes the need for a trial and lengthy discovery process that could have led to further embarrassing revelations.
But in an unprecedented move, the SEC issued a Wells Notice to its CFO and CISO on the same day as the announcement of the settlement. A Wells Notice is a letter from the SEC alerting the recipient that the financial watchdog may bring enforcement action against the company or an individual. Several commentators observed the unusual naming of the CFO and CISO in the Wells Notice, potentially alleging individual wrongdoing. The SEC further introduced a new set of cyber disclosure rules in July 2023, and some observed that the SolarWinds Wells Notice could be used as a test case.
In conclusion, companies and their executives would be well advised to align their patch management policy and cyber risk posture with their business strategy, and to be in a position to demonstrate their resolve in elevating these technical agreements to executive commitments, so as to discharge their duty of care and avoid being accused of taking shortcuts.