Achieving Cyber Resilience through Vulnerability Management and Supply Chain Security
Introduction: Understanding Cyber Resilience in 2024
In this episode of Breaking Badness, we explore some of the most pressing cybersecurity topics today, including vulnerability management, cyber resilience, and the challenges of securing the supply chain. With expert guests from LevelBlue, SecurityPal, NetSPI, and Gutsy, the conversation highlights both technical and organizational obstacles and dives into proactive approaches to protect critical assets.
Vulnerability Management: More Than Just Patching
The conversation kicks off with a breakdown of vulnerability management, where our guests clarify that addressing vulnerabilities like Log4j goes beyond just applying patches. Jacob Graves emphasizes that vulnerability management is often seen as a simple technical task, but in reality, it’s an organizational challenge involving the right people, processes, and prioritization. Building patches is just the beginning—rolling them out effectively involves coordination across departments, balancing security with business demands.
“It’s not a technology problem. It’s an organizational problem—getting everyone aligned on the importance of security.”
The Critical Role of MTTD and MTTR in Cybersecurity
Metrics like Mean Time to Detect (MTTD) and Mean Time to Repair (MTTR) are crucial for understanding and improving vulnerability management. In the episode, our experts discuss how these metrics help security teams gauge their efficiency in identifying and mitigating vulnerabilities. Faster detection and repair times can drastically reduce exposure to risks, but the ideal world of instant remediation is far from the reality most organizations face.
“In an ideal world, both those numbers would be zero, but in reality, they are way longer.”
Supply Chain Security: A Growing Concern
Pukar Hamal, CEO at SecurityPal, sheds light on supply chain security and the concept of nth-party risk. With the rise of cloud services and sub-processors, vulnerabilities in a vendor’s supply chain can ripple down to affect an entire organization. This discussion highlights the interconnectedness of today’s business environments and the importance of monitoring not just direct vendors but their suppliers as well.
“We talk about nth-party risk all the time. It’s almost guaranteed that a vendor of your vendor is somewhere in your supply chain.”
Cyber Resilience: Beyond Cybersecurity
Cyber resilience was another key theme of the episode, as Theresa Lanowitz discussed how resilience is a comprehensive strategy for bouncing back from incidents—whether cyber-related or due to natural disasters. Resilience involves more than just securing the IT estate; it’s about preparing for all types of disruptions, from cyberattacks to physical disasters, and ensuring the business can recover swiftly.
“Resilience is about the entire IT estate. It’s not just about responding to cyber events—it’s about preparing for anything that could disrupt your organization.”
See Theresa Lanowitz’s LinkedIn Profile
C-Suite Collaboration: The CIO, CTO, and CISO Must Work Together
One of the most critical takeaways from the discussion was the need for cross-functional collaboration among the CIO, CTO, and CISO. Despite their overlapping responsibilities, research shows a surprising lack of communication between these key roles. The episode emphasizes that cyber resilience is a whole-organization issue, and effective collaboration at the C-suite level is essential for success.
“We found that 72% of governance organizations don’t know what cyber resilience is and often conflate it with cybersecurity.”
Conclusion: Building a Resilient, Secure Future
The episode wraps up by stressing the importance of proactive security and ongoing vigilance. Vinay Anand, Chief Product Officer at NetSPI, discusses the need to continuously monitor and prioritize vulnerabilities as they emerge. The episode leaves listeners with actionable insights into how businesses can better prepare for vulnerabilities and secure their supply chains to build a resilient future.
“Resilience is not a destination—it’s a continuous process of discovery, prioritization, and
remediation.”
