When discussing vulnerabilities in cybersecurity, the conversation often gravitates toward patching software, updating systems, and staying ahead of emerging threats. While these technical solutions are essential, there is an equally critical component: communication. More specifically, the way we communicate about vulnerabilities determines whether they are addressed.
A breakdown in communication can turn a manageable vulnerability into a crisis. Without clear and effective dialogue between security teams, IT staff, management, and other departments, vulnerabilities can slip through the cracks, leaving organizations open to attacks. And this breakdown often affects how organizations prioritize vulnerabilities as critical, high, medium, or low, creating gaps in defense.
Understanding the Role of Communication in Vulnerability Management
The lifecycle of a vulnerability involves several steps—discovery, assessment, communication, and remediation. While many organizations excel in detecting and analyzing vulnerabilities, they frequently struggle when it comes to the crucial step of communicating the risks and urgency of each threat across different teams.
One such example I shall use is receiving a vulnerability scan report. You are the overworked and underpaid patron of the IT realm. Your job is to translate all this arcane and exotic language to Hank the manager. Hank only cares about two things: productivity and money.
He is also in charge of the vulnerability management program and discusses remediations from the scan report with the director. These are two individuals who may or may not understand the technical details of the scan report, or the urgency of some of the listed items that need immediate attention.
To illustrate my point, we all remember the Equifax breach of 2017 and how horrible it was for everyone involved. What made things worse was a quote from the former CEO before the Senate Banking Committee. It outlined the reasons why the breach happened and who he felt was responsible.
While Smith said he was personally “ultimately responsible for what happened,” he also blamed a single unnamed person in the IT department for not updating, or “patching,” one of Equifax’s “portals” after the credit reporting giant was alerted to the security gap in March.
“An individual did not ensure communication got to the right person to manually patch the application,” Smith testified before the Senate Banking Committee on Wednesday. He also said the company’s scanning software, which looks for unpatched systems, didn’t find the hole — all of this despite “investments approaching a quarter of a billion dollars in security,” Smith acknowledged.
https://www.nbcnews.com/business/consumer/former-equifax-ceo-blames-one-it-guy-massive-hack-n807956
There is a lot to learn from the statement above. Let us look at the key points from the CEO’s statement.
- He blamed a single unnamed person in the IT department for not updating, or “patching” one of Equifax’s “portals” after the credit reporting giant was alerted to the security gap in March.
- An individual did not ensure communication got to the right person to manually patch the application.
- He also said the company’s scanning software, which looks for unpatched systems, didn’t find the hole — all of this despite “investments approaching a quarter of a billion dollars in security.”
The CEO pointed to several points of failure in his statement, but the end result is that the company is responsible for its patch management program. Success and failure will always be on the company’s shoulders, and it is up to management to make sure it succeeds. You can’t patch an asset without management’s approval. So, we ask ourselves, where did the failure happen? Lack of effective communication.
The Effective Difference Between Critical, High, Medium and Low Vulnerabilities
The security team may identify a vulnerability in the system that could be exploited by a threat actor. But if the urgency and potential impact are not effectively communicated to leadership, the issue may not receive the attention or resources it requires. If miscommunication leads the leadership team to believe it’s not a pressing concern, remediation may be delayed, leaving the organization exposed. All vulnerability scan outputs look the same: they list critical, high, medium, and low vulnerabilities.
The security team will dive into the results and send the feedback to management for the next steps. Remember, you cannot patch any asset without management approval and a process to follow.
I feel the issue with patch management is a lack of effective communication. An example would be a manager who knows that a critical vulnerability is serious but not how serious it actually is. The same goes for the high and medium findings in the report.
Keep in mind that at any point, a threat actor can turn a medium vulnerability into a high or critical depending on the situation. A significant challenge in vulnerability management is determining how to prioritize responses to various threats. Most security frameworks categorize vulnerabilities into different tiers: critical, high, medium, and low. Each tier reflects both the likelihood of exploitation and the potential damage a successful exploit could cause.
However, the effectiveness of addressing these vulnerabilities hinges on how well these categories are understood and communicated within the organization. The only way to change things is to update how we communicate critical, high, medium, and low vulnerabilities to management.
1. Critical Vulnerabilities – financial loss, reputational damage, or regulatory penalties
A critical vulnerability is one that can be easily exploited, often remotely, and has the potential for severe damage. This might involve full system compromise, sensitive data theft, or a ransomware attack that could cripple operations. While technical teams usually understand the importance of fixing critical vulnerabilities immediately, the message may not always resonate with non-technical teams.
Communicating a critical vulnerability must go beyond technical jargon. Instead, the risks need to be framed in terms that management understands, such as financial loss, reputational damage, or regulatory penalties.
2. High Vulnerabilities – Emerging Risk – Business continuity failure, financial loss, reputational damage.
High vulnerabilities are less urgent than critical ones but can still have a significant impact if exploited. These vulnerabilities may require specific conditions to be exploited, such as internal network access or particular user permissions. The gap in communication often arises when teams incorrectly assume that because a high vulnerability isn’t as immediately dangerous as a critical one, it can be put off for longer periods.
The risks need to be framed in terms that management understands, such as “Emerging risk: a developing threat that has the potential to grow into a larger issue if left unmitigated.”
3. Medium Vulnerabilities – Potential disruption, Developing threat, manageable weakness.
Medium vulnerabilities are issues that could lead to minor operational inefficiencies or setbacks if exploited. While not a top priority, resolving them will help maintain smooth business operations. The risks need to be framed in terms that management understands, such as “Potential disruption: a developing threat that has the potential to grow into a larger issue if left unmitigated.”
4. Low vulnerabilities – Minimal exposure
Low vulnerabilities typically have limited impact or require highly specific conditions to exploit. They might involve minor misconfigurations or small-scale issues that, while problematic, are unlikely to lead to a major breach.
Low vulnerabilities, if not communicated properly, can either be over-prioritized—leading to wasted resources—or completely ignored. Although they don’t require immediate attention, understanding how they could evolve in combination with other vulnerabilities is crucial.
5. Pizza Party
To bring everything together and guarantee success, management and IT staff need to have a “pizza party.” I am not talking about the thing management does for its employees instead of giving out raises. I am talking about a method of communication: meetings only for the personnel who are actually needed, with two pizzas to feed everyone. If you only have two pizzas to feed everyone, you will want to include only the important people.
When it comes to patch management, communications such as emails, phone calls and IMs tend to go to everyone rather than people who are responsible. From the article above, you can see where there was confusion about who was supposed to patch the affected asset.
“An individual did not ensure communication got to the right person to manually patch the application.” If there had been a pizza party, the asset would have been patched and Equifax would have been in the clear.
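As an added example (not part of the original post), here is a small Python script that turns a constructed scan report into the two things argued for above: per-tier framing in management terms, and routing of each finding to a single responsible owner, with any finding that has no owner escalated instead of silently dropped. The asset names, owners and findings are all made up.

```python
from collections import defaultdict

# Plain-language framing for each scan tier, using the terms from the post above.
FRAMING = {
    "critical": "financial loss, reputational damage, or regulatory penalties",
    "high": "emerging risk: business continuity failure, financial loss, reputational damage",
    "medium": "potential disruption: a developing threat that can grow if left unmitigated",
    "low": "minimal exposure",
}
ORDER = ["critical", "high", "medium", "low"]

# Constructed sample scan findings (not real scanner output).
FINDINGS = [
    {"asset": "web-portal-01", "severity": "critical", "title": "Outdated web framework"},
    {"asset": "web-portal-01", "severity": "medium", "title": "Verbose server banner"},
    {"asset": "hr-db-02", "severity": "high", "title": "Weak admin password policy"},
    {"asset": "legacy-app-09", "severity": "critical", "title": "Unpatched application server"},
    {"asset": "printer-05", "severity": "low", "title": "Default SNMP community string"},
]
# Constructed asset-to-owner map; legacy-app-09 is deliberately absent, so its
# critical finding reaches nobody, which is the failure the post describes.
OWNERS = {"web-portal-01": "web-team", "hr-db-02": "dba-team", "printer-05": "desktop-support"}


def route_findings(findings, owners):
    """Group findings by their single responsible owner (the 'two pizza' list)
    and return separately the findings that reached no one at all."""
    by_owner, unrouted = defaultdict(list), []
    for f in sorted(findings, key=lambda f: ORDER.index(f["severity"])):
        owner = owners.get(f["asset"])
        (by_owner[owner] if owner else unrouted).append(f)
    return dict(by_owner), unrouted


def management_summary(findings, owners):
    """Per-tier counts in management terms, one line per owner, and an explicit
    escalation for every finding that has no responsible person assigned."""
    by_owner, unrouted = route_findings(findings, owners)
    counts = {tier: sum(f["severity"] == tier for f in findings) for tier in ORDER}
    lines = [f"{tier.upper()}: {counts[tier]} finding(s); business risk: {FRAMING[tier]}"
             for tier in ORDER if counts[tier]]
    for owner, items in by_owner.items():
        lines.append(f"Owner {owner}: " + ", ".join(f"{i['asset']} ({i['severity']})" for i in items))
    for f in unrouted:
        lines.append(f"ESCALATE: {f['asset']} ({f['severity']}) has no assigned owner; it will not get patched")
    return "\n".join(lines)


print(management_summary(FINDINGS, OWNERS))
```

The escalation line is the point: an ownerless critical finding is surfaced to management as its own item rather than buried in a broadcast email.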
While the technical side of addressing vulnerabilities remains crucial, the unseen vulnerability that often undermines these efforts is communication. Without changing the way the industry communicates vulnerabilities, they can go unaddressed, leading to breaches and attacks that could have been prevented. Prioritizing communication alongside technical remediation is the key to building a resilient security posture.