I’m certain this has been written about before. I believe it's worth laying out again. This month I will have covered information security for 17 years. The vulnerability hype cycle has not changed. While I do not have all the answers, I do have confidence in our community that we will continue to work toward change. For now, here’s my tongue-in-cheek description of how so many vulnerabilities are handled today:
- Someone, or a team of people, spends copious amounts of time finding a software bug, or a series of bugs. A small subset of those bugs ends up being vulnerabilities. An even smaller subset of those bugs ends up being exploitable.
- An exploit is written, and a disclosure process takes place for a random time.
- The vulnerability gets, potentially, a name, a logo, a song, a dance, and a website.
- Everyone starts talking about the vulnerability, especially how bad it is. We throw around terms like “supply chain,” “vulnerability management,” “patching” and “risk” often without enough context or definition.
- Malicious actors begin exploiting the vulnerability to achieve their [goals] (This could happen before any of these steps, including #1).
- Some organizations patch the vulnerability, some do not. Sometimes the patch works, sometimes it does not, or additional vulnerabilities are discovered and patched (or not).
- Eventually, everyone forgets about the vulnerability, and X number of systems remain vulnerable, forever.
Global Chief Marketing & Growth Officer, Exec BOD Member, Investor, Futurist | AI, GenAI, Identity Security, Web3 | Top 100 CMO Forbes, Top 50 Digital /CXO, Top 10 CMO | Consulting Producer Netflix | Speaker
1 个月Paul, thanks for sharing! How are you doing?
Always looking for interesting problems to solve.
2 年Preach Paul!
Purple Squirrel with an analytical mindset and methodical approach to solving cybersecurity risk and compliance concerns. I help companies reduce cyber exposure to avoid being a headline on the 6 o'clock news.
2 年Security is a revolving door. Anyone that has been around long enough will soon realize that vulnerabilities keep coming back, because they actually don't go away. The biggest culprit is generally poor cyber hygiene practices. I have lost count how many times in my 25+ year career in cyber security, that I have heard the sky is falling over some newly discovered vulnerability; that some other researcher found 5 years ago. People can barely wash their hands, much less implement solid security practices. That being said, I await with eager anticipation and bated breath for the 'next big thing from 5 years ago'. Let me grab some popcorn...
Managing Partner, CFennelly Consulting, LLC
2 年I wrote about this over 20 years ago: https://www.computerworld.com/article/2794483/feeding-the-frenzy.html