How do you prioritize security updates when faced with conflicting operational demands?

How can an organization evaluate the severity of potential threats and the likelihood of occurrence? First, identify all of the threats then assess the impact from a financial, operational, reputational, and safety lens. The likelihood should be based on historical data, expert judgment, statistics of that threat, and any environmental factors (qualitative and quantitative assessments). Place this data in a matrix: Likelihood/impact Low Medium High Critical Very Likely Likely Possible Unlikely Develop strategies to mitigate those risks by preventative controls, contingency plans, transfer of risk, or accept the risk based on the organization's tolerance.

Staying up to date about emerging threats and attack trends through threat intelligence feeds and security bulletins can provide valuable insights into which vulnerabilities are currently being exploited in the wild. Moreover, risk assessment should be an ongoing and continuous process. Regularly reviewing and updating your risk assessments ensures that your security posture adapts to new threats and changes within your IT environment. Incorporating automated tools for vulnerability scanning and patch management can streamline this process, allowing for more efficient identification and remediation of security gaps.

Some of greatest security breaches have occurred because folks were too slow & cautious in applying Patch Tuesday updates. A major security breach will result in (1) Loss of good will to customers & general public (2) Huge $$$ losses (3) Complex lawsuits (4) Potential new customers will avoid due to bad publicity Thankfully, MS updates rarely cause some of issues of past -- but every Patch Tuesday update should be pilot tested. Once certified for existing APPs -- every user should be updated expeditiously using waves of fanout targeted usesr.

Risk Assessment: Evaluate the Vulnerability Severity: Use the Common Vulnerability Scoring System (CVSS) or similar frameworks to assess the severity of each vulnerability. Critical and high-severity vulnerabilities should be prioritized. Assess the Impact: Determine the potential impact of the vulnerability on the organization’s assets, data, and operations. Consider the likelihood of exploitation and the potential damage.

The best approach is to implement the CTEM (Continuous Threat Exposure Management) framework. This program can help you continually see your attack surface and improve security posture by identifying and remediating potentially problematic areas, such as: - Prioritize threats according to their potential business impact based on whether they're in an attack path to your critical assets. - You will be surprised how often a high severity vulnerability leads to a dead-end, while a medium/low severity vulnerability is in an active attack path to your critical assets. So a thorough analysis is critical. - These risks should be evaluated in your context and your environment, not a generic score.

Developing an effective update strategy requires multitasking. Normal patching should happen on a regular basis, for example, the Tuesday following patch Tuesday should normal updates be rolled out after testing to non-production systems. Second, an out-of-cycle patching process needs to be put into place for critical updates that are released in-between patch Tuesday, or even for Patch Tuesday's most critical updates. This process should patch systems in a more timely fashion.

An effective update strategy must balance security with operational continuation approach. Categorize updates by importance and impact on systems, prioritizing immediate updates for critical systems handling sensitive data. Schedule non-critical updates during off-peak hours to minimize disruptions. Always test updates in a controlled/test environment before full deployment to identify and resolve potential issues, ensuring smooth integration and maintaining business operations.

SECURITY is a #1 business strategy as well as a key technology safeguard. There is an optimal balance between Fort Knox level security & ease of use. Still, err of the side of SECURITY -- as it's better for users to jump thru 1-2 more hoops (lol) -- than to let the bad guys in & do $$$ millions in damages & loss of goodwill. SECURITY in our highly technological world is the cost of doing business today :)

Security and IT teams don't always speak the same language. Bring stakeholders from IT and other non-security teams into the conversation. Share the goals you're trying to achieve to build a clear understanding of what is being done and get their input to see what they'll need from you or other teams to make their lives easier. Additionally, sharing news of cyber attacks with them will help them become more aware of the business impact their actions have, and how it actually ties back to their part of the business.

Clear communication with stakeholders is vital for managing security updates effectively. Minimizing Resistance: Informing stakeholders reduces resistance to necessary downtime, making the update process smoother. Transparency: Being open about the risks of delaying updates ensures stakeholders understand the importance of timely implementation. Collaborative Approach: Emphasizing the critical role of cybersecurity fosters a collaborative effort to maintain secure and reliable operations. Enhanced Security: Effective communication supports overall organizational security and resilience, ensuring everyone is aligned on priorities and procedures.

Prioritizing security vs operations becomes a challenge when there is lack of clarity. Security leaders must set clear guidelines on what are the security risks associated with patches based on the context of the business, so there is no ambiguity about level of risks - ex: internet facing critical application patch that fixes an exploited vulnerability is a high risk patch. Executive leaders must set expectation on acceptable level of risks for the business and actions. ex: High risk update much be applied in 24 hrs. It’s when security leaders fail to define risks and executive leaders set no expectations on acceptable risks or set unrealistic expectations, operations teams suffer and expose the company to cyber risks.

O que n?o podemos fazer é simplesmente entregar um resultado de um scan de vulnerabilidade aos times responsáveis e pedir prioridade. O time se cyber precisa chegar com o time já feito toda a análise (o ativo é parte do BIA, temos controles que podem mitigar, temos ferramentas que suportam, está exposto para internet, tem segmenta??o, tem exploit público e faz parte do negócio primário da empresa?). Com certeza o que chegará para o time de Infra ou Sistemas será um número que n?o tem negocia??o e isso deverá entrar na rotina operacional.