The incoming patch rate is dizzying. We have OS patches, application
patches, firmware patches. All need to be tested and deployed. It's a never-ending race with seemingly no
finish line, pitting three of our teams against one potential event.
The vulnerability risk score can become what's important and
what's reported. It's a metric that is easily generated but often needs
explanation to execs. It is also really hard to compare your score against others in your
industry or company size bracket.
Less often considered is that patches have consequences that
can impact the business – configuration changes, functionality limitations, broken
test cases. This represents security friction. That friction also needs to be governed…and reported…and
managed.
Our team has to own the friction problem.
Doing both? Meet my vulnerability management fantasy.
Follow me on Twitter for the latest blog updates: @Opinionatedsec1
SEE ALSO
A Cyber Security Metaphor
The Five Pillars of a Successful Application Security Program
Why Operations Engineers Don't Always Transition Into Effective Cyber Security Practitioners