How Resource Gaps Impact Vulnerability Management Programs

In a world of sophisticated cybersecurity technologies that address a range of advanced modern threats, it’s interesting how many successful cyberattacks still take advantage of basic known vulnerabilities. While this observation doesn’t account for the complex app-driven landscape in which businesses today operate, there are clearly some major obstacles hampering effective and timely vulnerability management. In this article, we look at the considerable impact of resource shortages on your vulnerability management program.

What Exactly is a Vulnerability Management Program?

Before diving further into the problems caused by a shortage of resources, it’s worth briefly exploring vulnerability management programs and their importance.

To support their IT activities, organizations deploy a range of hardware and software. Some of these technology components are commercially obtained from third parties, while others are custom-developed.

In what is an increasingly software-driven world, custom-developed apps represent a bigger proportion of the tech stack than ever. One study found that enterprises run an average of 464 custom apps while even smaller businesses deploy 22 custom apps. That study is now five years old, so it’s not a stretch to assume these numbers are even higher today.

How does this all relate to vulnerabilities? Well, any hardware or software component can have vulnerabilities in its design, setup or code. Enter a vulnerability management program—a structured and risk-based process for finding and dealing with vulnerabilities that threat actors could exploit. The process of vulnerability management is typically broken down into four crucial steps:

  1. Identify: take steps to identify all the vulnerabilities in your IT environment, often with the aid of vulnerability scanning tools.
  2. Evaluate: attempt to gauge the risk that particular vulnerabilities present so that you can prioritize and choose which ones to deal with first.
  3. Decide: for most vulnerabilities, you’ll apply a security patch or other remediation action to prevent them from being exploited. However, there are other possible decisions to make, such as accepting the risk because the cost of remediation is too high or implementing some control measure that temporarily mitigates the risk, perhaps because there is no patch available.
  4. Report: writing a report can help to improve the vulnerability management process and simplify the investigation into future incidents. Some regulations also mandate these reports as part of proving compliance.

A vulnerability management program puts the structure in place for conducting these activities with the efficiency and speed necessary to stay ahead of threat actors. However, when there are more components than ever spread out across a hybrid IT infrastructure, it’s more challenging to keep track of and remediate vulnerabilities.

And don’t forget that today’s apps are more configurable than ever. With containers and cloud infrastructure being used to run apps and multiple settings for developers to tweak, there are more opportunities for misconfigurations that can provide an entry point into IT environments.

These difficulties become even more noticeable when the staff available for vulnerability management is itself constrained.

Problems Caused by a Lack of Resources

It’s no secret that the cybersecurity sector as a whole is plagued by an ongoing talent shortage. This shortage is often felt heavily in vulnerability management programs. With IT security personnel forced to wear many different hats, there might not be enough time in the day or qualified staff to run an effective program.

When it comes to budget, the tide is turning as businesses recognize the increased importance of cybersecurity in terms of bottom-line impact. This is good news for vulnerability management, but it’s not enough to just have the right tools in place.

Slowdowns in Dealing with Vulnerabilities

Vulnerability management is essentially a race against time. Threat actors can use freely available tools to quickly and effortlessly scan for low-hanging fruit vulnerabilities in web apps. Similar categories of vulnerabilities are exploited consistently over time and often with severe consequences (that’s why the OWASP Top 10 exists).

With fewer available staff and more IT components than ever to inventory and scan, slowdowns in actually dealing with what is found are inevitable. Tracking spreadsheets quickly become intimidating, listing hundreds or even thousands of unresolved vulnerabilities that are still awaiting a decision and an action.

Bear in mind that central to the vulnerability management process is risk-based evaluation. Risk scores from vulnerability scans don’t always accurately portray the real business risk of a given vulnerability. It takes a trained eye, expertise and time to properly evaluate risks and prioritize vulnerabilities.
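The four-step process above (identify, evaluate, decide, report) and the point that a scanner's own score is not the business risk can be shown together in a small triage routine. This is an added example, not code from the original article or any particular scanner or MSSP; the risk multipliers, the acceptance threshold, the `SCAN-000x` identifiers and the asset names are all constructed assumptions.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass
class Finding:
    finding_id: str          # constructed scanner identifier, not a real CVE
    asset: str
    cvss: float              # scanner-reported base score, 0.0 to 10.0
    internet_facing: bool
    asset_criticality: int   # 1 (low) to 3 (crown jewel), assigned by the business
    exploit_public: bool     # working exploit code is freely available
    patch_available: bool
    false_positive: bool = False  # set once an analyst has verified the finding

def business_risk(f: Finding) -> float:
    """Step 2, Evaluate: rescale the raw CVSS score with context (assumed multipliers)."""
    risk = f.cvss
    risk *= 1.0 + 0.5 * (f.asset_criticality - 1)   # 1.0x, 1.5x or 2.0x
    if f.internet_facing:
        risk *= 1.5
    if f.exploit_public:
        risk *= 1.25
    return risk

def decide(f: Finding, risk: float, accept_below: float = 5.0) -> str:
    """Step 3, Decide: patch, mitigate, accept the risk, or close a false positive."""
    if f.false_positive:
        return "close-false-positive"
    if risk < accept_below:
        return "accept-risk"           # remediation cost not justified (assumed threshold)
    if f.patch_available:
        return "patch"
    return "mitigate"                  # compensating control until a patch exists

def triage(findings: list[Finding]) -> list[dict]:
    rows = [{"id": f.finding_id, "asset": f.asset, "cvss": f.cvss,
             "risk": business_risk(f), "decision": decide(f, business_risk(f))}
            for f in findings]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)  # highest business risk first

def report(rows: list[dict]) -> dict[str, int]:
    return dict(Counter(r["decision"] for r in rows))  # Step 4, Report: per-decision counts

# Step 1, Identify: constructed scan output standing in for a real scanner export.
SCAN = [
    Finding("SCAN-0001", "dev-build-server", 9.8, False, 1, False, True),
    Finding("SCAN-0002", "customer-portal", 6.5, True, 3, True, False),
    Finding("SCAN-0003", "internal-wiki", 4.3, False, 1, False, True),
    Finding("SCAN-0004", "hr-database", 7.5, False, 2, False, True, false_positive=True),
]
```

Run `triage(SCAN)` and note that the scanner's top score (9.8 on an internal build server) drops to third place behind an internet-facing, exploitable finding on a critical asset and a verified false positive that still needs closing.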

Stretched security teams often find that they don’t have time at the end of the day to fix vulnerabilities. Delays in patching or other actions can easily lead to breaches. In one recent survey, half of security professionals cited the time required to patch vulnerabilities as a top three concern in vulnerability management.

Vulnerability Management Fatigue

Another issue that becomes more pronounced with a dearth of available resources is fatigue. In-house security teams are constantly trying to put out fires, but the problem is that the frequent scans they run then reveal new fires to put out. Layered on top of this difficulty is the complex IT ecosystem that sees more vulnerabilities emerging in a disparate variety of systems and environments.

There is also the ever-present annoyance of false positives to contend with. Scanning tools regularly flag findings that, on investigation, turn out not to be real vulnerabilities. This creates noise in the form of alert fatigue and results in wasted time and effort. When there aren’t enough personnel to manage vulnerabilities, the fatigue from dealing with false positives alone can sap motivation and cause teams to lose faith in the entire vulnerability management program.

The Value of Managed Security

The value of managed security services becomes self-evident for businesses that struggle with cybersecurity talent shortages. By augmenting in-house security skills with additional resources that aren’t available in-house, businesses can turn the tide back in their favor and stay one step ahead of malicious actors.

And when it comes to specifically addressing vulnerabilities, many MSSPs offer comprehensive vulnerability management. This managed service takes much of the work out of vulnerability management by identifying and prioritizing vulnerabilities in addition to providing expert analysis and remediation advice based on assessed risks.