The ability to understand cybersecurity risks—and what areas of business they effect—is crucial in making sound decisions for the company you govern. A general security status report is informative, but it won’t deliver the actionable intelligence you need to steer the company past threats. However, your astute questioning will uncover more pertinent and granular detail upon which you can confidently act.

The first critical question your board should ask its security team when it receives news of a breach is: “where are we exposed?” The next question is: “what should we prioritize?” Without knowing which assets are essential to business continuity and recovery, the security team could end up locking down the cafeteria menu instead of securing customer data or other business critical resources. The results of such missteps can be devastating. Liability abounds for corporate executives and directors alike.

The smart way to organize response team priorities is to perform predictive prioritization based on actual business risk and threat intelligence. Such prioritization enables the security team to respond with the urgency and care that risks to business-critical assets warrant, rather than waste resources on lesser evils.

The Answers You Don’t Need 

Below are two common replies board members may hear from their security leaders to the hot-seat question, “where should we prioritize?” I also explain why these responses fall far short of the concise and actionable answer that directors of companies need to hear.

1. We take care of all critical vulnerabilities and respond to and most that are ranked “high.” This answer carries a high degree of mathematical improbability, since there are far too many vulnerabilities for security teams armed with traditional cybersecurity technologies to find and address. According to the Vulnerability Intelligence Report from Tenable Research, some 19,000 new vulnerabilities will have been found by the end of 2018. The vast majority of these are defined as “critical” or “high” in nature.If everything is critical, then nothing is. It is nearly impossible to know whether all of your company’s critical or high vulnerabilities are covered at any point in time. Further, an answer such as this can lead to a false sense of security and a dangerous state of complacency. The haystack of vulnerabilities keeps getting bigger, making finding the needles more and more difficult. But it only takes a few needles to cause huge damages for your company.
2. We have moved this latest vulnerability to top priority status. Pulling resources away from other vulnerabilities to refocus them on the latest one may feel like your company is on top of things. In fact, the opposite may be true. If the vulnerability is unlikely to be weaponized to harm your company’s critical assets, moving resources might unnecessarily increase exposure elsewhere. However, if a critical asset is vulnerable, and predictive prioritization forecasts that an exploit is likely, then re-allocating resources makes perfect sense.

The Answer You Need 

According to the Vulnerability Intelligence Report, a staggering 93 percent of the vulnerabilities discovered last year did not have any publicly available examples of how they were exploited. In other words, while the vulnerabilities were identified, no one had yet taken advantage of them. It’s imperative that your security team be able to concentrate on the remaining seven percent. The math alone illustrates the vast potential for missing the most serious threats and spreading resources too thin. The Vulnerability Intelligence Report shows that enterprises identify 870 unique vulnerabilities on their systems every day, on average. Of those, more than 100 vulnerabilities are rated as critical on the common vulnerability scoring system. Yet, in 2017, public exploits were available for just seven percent of all vulnerabilities. The remaining question is which of your critical assets were at risk from this seven percent?

New, next-generation tools have been designed to sniff out new vulnerabilities as they appear in real time across your entire attack surface. These tools visualize threats on a single pane of glass, and then perform predictive prioritization that will better arm your team to address the threats that matter most. If the security team is taking a holistic, rather than a piecemeal, approach in their defensive strategy, using a predictive tool will allow them to be able to see the company’s total cyber exposure, and concisely report the most pertinent details to you in the boardroom. Further, if a predictive tool is used early to identify critical business assets and vulnerability management took advantage of predictive prioritization, the security team can also report the response status for those that may be affected by the most salient threat.

It is critical to rank threats according to actual risk, and business assets according to their impact on business outcomes, to see how they may align. Response priorities can then be set according to the data from this hard analysis. Only when your security team is able to prioritize based on risk can they give corporate directors the answer they need: “We have evaluated this vulnerability, we have identified the risk it poses to our most critical business functions, and we are prioritizing our response accordingly.”

Want to learn more about understanding vulnerabilities in the context of business risk? Read the Vulnerability Intelligence Report from Tenable Research.