An innovative Information Technology, Assurance and Security Leader possessing over 20 years of experience, Sabastian combines a diverse technology background, business acumen and solution prowess. He has delivered high value and enabled business goals in large enterprises, mid-sized and small companies and their partners.
When it comes to vulnerability and risk reporting, there’s a significant disconnect between what business stakeholders want and what the vast majority of security assessment and tool vendors provide. All too often, tools generate dense reports full of technical minutiae while third-party vendors provide pages awash with red, green and amber colors. Unfortunately, business stakeholders have little insight into the relevance of these findings in the context of their day-to-day operations and what correctives exactly to prioritize. This needs to change.
As technologists and security professionals, here are six actions we can and should take to close the relevance gap:
Understand Who You Are Working For
Any Information Protection, IT security and Risk organization – internal or external – needs to understand the business it is trying to support. If you have only a vague understanding of the business and its industry, then you are not properly partnered. Without this fundamental, foundational knowledge, risk reporting is always going to be generic and of limited value to an organization’s senior business stakeholders.
Educate Vendors and/or Security Leaders About What it is You Need
Too often product vendors fashion software tools based on what they think we need rather than asking us in the security community what we really want for the businesses we serve. However, instead of pointing fingers, we also have to look ourselves in the mirror, as many security professionals lack the skills to communicate our specific requirements. So have a frank conversation with your vendors. Likewise, internal business and security stakeholders need to collaborate closely so that needs are communicated.
Start With The End Game
Most of us are guilty of zeroing in on a platform’s feature set, inspection capabilities and how well it can identify vulnerabilities. Executive-level reporting capabilities are typically an afterthought. How about we switch that around and begin with the end requirements? Even better, how about we involve business stakeholders at the outset – when we are vetting capabilities and services? By getting the business side of the house engaged upfront and perhaps even participating in pilot programs, risk reports are likely to be much better at reflecting their needs.
Provide Business Context
Rather than providing pages of technicalities, reports should present risk in a broader context relative to the specific business and the assets’ deployment model. What makes executives nervous at night? In short, disruptions to business operations. Not being able to process transactions? Not being able to schedule production on a factory floor? As security practitioners, we should want to know, so we can customize the tools we use to assess threats and vulnerabilities in these terms. Rather than focusing solely on Common Vulnerabilities and Exposures (CVE®), how about reports show, by business criticality, where budget should be deployed to get the most protection? Because we seldom have the budget to fix everything, reports need to be contextualized for better, more informed decision making.
Only Select Highly Customizable Tools
Only select tools that you can fashion to your environment and needs. Too often tools have their own vernacular and that is forced on stakeholders. Improvements could be made by reporting risk in a way business executives can understand and minimizing the “security speak” that so many of today’s tools produce.
Don’t Report The Irrelevant
Security and risk assessment reports are typically not only sizable, but also extremely detailed. When dealing with business stakeholders, only the most relevant themes should be reported on. Please, no more pages of technicalities and meaningless raw scores that lack any context. How about these reports highlight a few areas of concern where there is a high risk of exploitation and explain why this matters to the business?
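To make the “Provide Business Context” and “Don’t Report The Irrelevant” points concrete, here is an added example that is not part of the original post and not NetSPI’s code. It takes constructed scanner findings and a constructed map of assets to the business processes they support, computes a business-risk score from technical severity, asset criticality and known exploitation, and emits a short executive summary of only the top themes, withholding the rest for a technical appendix. The asset names, CVE placeholders, weighting factor and reporting threshold are all assumptions chosen for illustration.

```python
"""Business-context prioritisation of scanner findings (added example, not NetSPI's code)."""
from dataclasses import dataclass

# Constructed sample scanner output. The CVE identifiers are placeholders, not real advisories.
FINDINGS = [
    {"asset": "pay-gw-01", "cve": "CVE-XXXX-0001", "cvss": 9.8, "exploited": True},
    {"asset": "pay-gw-01", "cve": "CVE-XXXX-0002", "cvss": 5.3, "exploited": False},
    {"asset": "mes-sched-02", "cve": "CVE-XXXX-0003", "cvss": 7.5, "exploited": True},
    {"asset": "intranet-wiki", "cve": "CVE-XXXX-0004", "cvss": 9.1, "exploited": False},
    {"asset": "intranet-wiki", "cve": "CVE-XXXX-0005", "cvss": 4.3, "exploited": False},
    {"asset": "dev-sandbox", "cve": "CVE-XXXX-0006", "cvss": 10.0, "exploited": False},
]

# Constructed business context: which process each asset supports, how critical that
# process is (1 = negligible, 5 = revenue-stopping) and what an outage means in plain words.
ASSETS = {
    "pay-gw-01": {"process": "Payment processing", "criticality": 5,
                  "impact": "customers cannot pay; revenue stops"},
    "mes-sched-02": {"process": "Factory scheduling", "criticality": 4,
                     "impact": "production line cannot be scheduled"},
    "intranet-wiki": {"process": "Internal documentation", "criticality": 2,
                      "impact": "staff lose reference material"},
    "dev-sandbox": {"process": "Developer sandbox", "criticality": 1,
                    "impact": "isolated test box; no production data"},
}

EXPLOITED_WEIGHT = 1.5  # assumption: known exploitation outweighs raw severity


def business_risk(finding, asset):
    """Technical severity (CVSS 0-10) scaled by business criticality and exploitation."""
    score = finding["cvss"] / 10.0 * asset["criticality"]
    if finding["exploited"]:
        score *= EXPLOITED_WEIGHT
    return round(score, 2)


@dataclass
class Theme:
    process: str
    impact: str
    risk: float        # worst business-risk score seen for this process
    findings: int
    exploited: int
    worst_cvss: float


def prioritize(findings, assets, top_n=3, min_risk=3.0):
    """Roll findings up to business processes and keep only the themes worth an executive's time."""
    by_process = {}
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            continue  # unmapped asset: reported separately, never silently scored
        theme = by_process.get(asset["process"])
        if theme is None:
            theme = Theme(asset["process"], asset["impact"], 0.0, 0, 0, 0.0)
            by_process[asset["process"]] = theme
        theme.risk = max(theme.risk, business_risk(f, asset))
        theme.findings += 1
        theme.exploited += int(f["exploited"])
        theme.worst_cvss = max(theme.worst_cvss, f["cvss"])
    ranked = sorted(by_process.values(), key=lambda t: t.risk, reverse=True)
    return [t for t in ranked if t.risk >= min_risk][:top_n]


def executive_summary(findings, assets, top_n=3, min_risk=3.0):
    """Plain-language summary: what could break, how likely, and what is deliberately left out."""
    themes = prioritize(findings, assets, top_n, min_risk)
    unmapped = sorted({f["asset"] for f in findings if f["asset"] not in assets})
    lines = []
    for i, t in enumerate(themes, 1):
        lines.append(f"{i}. {t.process}: {t.impact}. "
                     f"{t.findings} finding(s), {t.exploited} with known exploitation; "
                     f"business risk {t.risk} (worst CVSS {t.worst_cvss}).")
    omitted = len(findings) - sum(t.findings for t in themes)
    lines.append(f"{omitted} lower-risk finding(s) withheld from this summary; "
                 f"see the technical appendix.")
    if unmapped:
        lines.append(f"Assets with no business owner on record: {', '.join(unmapped)}.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(executive_summary(FINDINGS, ASSETS))
```

Note what the ranking does to the raw scores: the developer sandbox carries the highest CVSS on the list (10.0) yet drops out of the summary entirely, because nothing the business cares about depends on it, while the payment gateway leads even though one of its two findings is only medium severity. That inversion is exactly the context a CVSS-sorted table cannot convey to an executive.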
All of these steps are relatively easy to implement, and once they have been worked through, your risk-based reporting will not only be more relevant, but far more impactful. It may even result in additional funding, because business stakeholders can finally understand the very real ramifications of security vulnerabilities in the context of the day-to-day running of the business.
Six Ways to Increase the Business Relevance of Risk-Based Reporting. Published December 11, 2019 on NetSPI (https://www.netspi.com/?p=14454); last modified February 10, 2023.