Every CISO faces this agonizing dilemma almost daily:
– A new critical CVE is published in the MITRE CVE list for devices running on your network.
– A patch exists, but installing it means 3-4 hours of production downtime.
🤷♂️ Panic sets in: Patch or perish?
I shared this dilemma on LinkedIn (See Here) and received invaluable insights in over 100 comments.
However, some recurring misconceptions underlined why CISOs need to be full-fledged members of the executive team.
Missing the Mark:
- Risk Defined: Many comments focused on technical risk and neglected the actual business risk, measured in 💲. That is the language your executive team speaks.
- Assets Redefined: Discussions often revolved around technical assets like servers, overlooking the true stakes: business assets such as PII and customer data.
- The Business Lens: Most treated the dilemma as purely technical, when it is inherently a business decision. We must bridge the gap between technical cyber threats and their direct financial impact 💲.
Solving the Puzzle: Compare the 💲 cost of production downtime with the 💲 expected cost of a breach (likelihood of exploitation × impact on the affected business assets).
Here’s our recommended approach to navigate such quandaries:
1️⃣ Exploitable? Confirm whether the vulnerability can actually be exploited in your environment (public exploit code, reports of exploitation in the wild, a reachable attack path to the device). This heavily influences breach probability.
2️⃣ Temporary Defense? Explore compensating controls (segmentation, blocking the vulnerable service at the perimeter, disabling the affected feature) that lower the likelihood of exploitation and extend the patch window to a planned maintenance slot.
3️⃣ Context Matters: Company size, preparedness, redundancy, and change management practices all affect your decision.
4️⃣ Quantify the Risk: Identify impacted business assets and processes, estimate the likelihood of exploitation, and translate this into a concrete dollar-value (💲) breach cost. Remember, critical CVEs don’t always equal critical business risks (and vice versa).
5️⃣ BIA Essentials: The asset inventory and dollar valuation behind step 4 is a Business Impact Analysis (BIA). Ideally a Strategic CISO completes one within the first month in the role, so the numbers are already on hand when the next critical CVE lands.
6️⃣ Prepare for the Worst: Develop pre-configured playbooks for different threat scenarios, guided by your executives’ risk appetite (in 💲, of course).
7️⃣ Dollars and Cents: If patching (downtime included) costs less than the expected breach loss, patch: it's a no-brainer. 🏆 If it costs more, defer behind the compensating controls from step 2 and patch at the next planned window.
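To make steps 1, 2, 4 and 7 concrete, here is an added worked example of the decision as a dollar comparison. It is my illustration, not code from the original post or its white paper. The likelihood tiers, the compensating-control reduction factor and every dollar figure are constructed placeholders; replace them with the outputs of your own BIA and threat intelligence.

```python
"""Patch-or-defer as a business decision: cost of downtime vs expected breach loss.

Added example, not from the original post. All figures below are constructed
placeholders (assumptions), not industry benchmarks.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed probability that the CVE is exploited against us during the deferral
# window (e.g. 30 days), keyed by the exploitability evidence from step 1.
EXPLOIT_LIKELIHOOD = {
    "exploited_in_wild": 0.60,  # exploitation already reported against others
    "public_poc": 0.25,         # working exploit code is public, no reports yet
    "theoretical": 0.05,        # advisory only, no known exploit
}


@dataclass
class BusinessAsset:
    """A business asset from the BIA (step 4), not a server: PII store, billing, etc."""
    name: str
    breach_cost: float  # estimated loss in dollars if this asset is compromised


@dataclass
class Scenario:
    cve: str
    exploitability: str                 # a key of EXPLOIT_LIKELIHOOD
    assets: List[BusinessAsset] = field(default_factory=list)
    downtime_hours: float = 0.0         # production downtime required to patch
    revenue_per_hour: float = 0.0       # dollars of revenue lost per hour of downtime
    patch_labour: float = 0.0           # change-management and engineering cost
    control_reduction: float = 0.0      # step 2: fraction of likelihood removed, 0..1


def patch_cost(s: Scenario) -> float:
    """Dollar cost of patching now: lost revenue during downtime plus labour."""
    return s.downtime_hours * s.revenue_per_hour + s.patch_labour


def breach_likelihood(s: Scenario) -> float:
    """Likelihood over the deferral window, after compensating controls."""
    if s.exploitability not in EXPLOIT_LIKELIHOOD:
        raise ValueError(f"unknown exploitability tier: {s.exploitability!r}")
    if not 0.0 <= s.control_reduction <= 1.0:
        raise ValueError("control_reduction must be between 0 and 1")
    return EXPLOIT_LIKELIHOOD[s.exploitability] * (1.0 - s.control_reduction)


def expected_breach_cost(s: Scenario) -> float:
    """Likelihood × total impact on the affected business assets."""
    return breach_likelihood(s) * sum(a.breach_cost for a in s.assets)


def decide(s: Scenario) -> Tuple[str, float, float]:
    """Step 7: patch now if it is cheaper than the expected breach loss."""
    cost, loss = patch_cost(s), expected_breach_cost(s)
    verdict = "patch now" if cost < loss else "defer with compensating controls"
    return verdict, cost, loss


# Constructed scenarios: same 4-hour outage at $50k/hour, different business context.
PII_DB = BusinessAsset("customer PII database", breach_cost=2_000_000)
TEST_SERVER = BusinessAsset("internal test environment", breach_cost=50_000)
BILLING = BusinessAsset("billing service", breach_cost=300_000)

SCENARIOS = [
    Scenario("CVE-A (hypothetical)", "exploited_in_wild", [PII_DB], 4, 50_000, 5_000),
    Scenario("CVE-B (hypothetical)", "theoretical", [TEST_SERVER], 4, 50_000, 5_000),
    # Same evidence as CVE-A, but the vulnerable service is now blocked at the
    # perimeter (assumed to halve the likelihood) and the asset is less valuable.
    Scenario("CVE-C (hypothetical)", "exploited_in_wild", [BILLING], 4, 50_000, 5_000,
             control_reduction=0.5),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        verdict, cost, loss = decide(sc)
        print(f"{sc.cve}: patch ${cost:,.0f} vs expected breach ${loss:,.0f} -> {verdict}")
```

The point of the three scenarios is the one the post makes: CVE-A and CVE-C carry identical technical severity and exploitation evidence, yet only one justifies an emergency outage, because the dollar exposure of the business asset and the compensating control change the expected loss, not the CVSS score.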
Bonus Resource: Download our white paper on Quantifying and Monitoring Your Cyber Business Risk 24/7 for in-depth guidance.