Working with a multi-national drinks company over the last 18 months I have seen first-hand how large organisations are continuously flooded with IT Risks. New vulnerabilities are reported daily, and the volume just seems to increase! As part of the Risk Management programme the organisation was striving to fix vulnerabilities rapidly, but a key impediment was that the process was inconsistent and lacked a collaboration platform between IT Security and IT Operations personnel that would act as a single source of ‘truth’ to track vulnerabilities. The result was an unknown risk posture and increasing focus from management.
Starting the IT Risk and Vulnerability Management Programme
The IT Risk Programme was set up with the goal of eliminating vulnerabilities that pose a serious risk to the organization. The newly formed team, based in Bengaluru, India, invested in agent, network and application vulnerability scanners. These different scanners churned out thousands of vulnerabilities, but each lived in its own application or infrastructure ‘walled garden’. This wasn’t a critical issue for the Security Personnel, who were comfortable working with the reporting and tracking capabilities provided by each scanning tool, but it didn’t support efficient collaboration with the IT Operations teams whose input was needed for remediation. An additional challenge experienced by the team was that the disparate scanning environments did not support the integrated reporting processes, which required a holistic view of security posture that went beyond individual vulnerability scanning silos. Needless to say, C-level grew increasingly concerned with the lack of a proper IT Risk Overview. No metrics, no trends – no overall reporting was possible with disconnected islands of information.
The tracking spreadsheet stage
For six months, the IT Risk team tried consolidating the scanning data in a single master tracking spreadsheet. The spreadsheet was then carved up according to different regional and functional teams and shared via the organisation’s cloud file sharing service. This reduced a technology barrier (everyone knows Excel!) but at the same time it created a huge overhead for the team when it came to bi-weekly reporting of changes and progress.
Federating ownership of risk and vulnerabilities to IT Operations
Our first contact with the IT Risk team was 6 months after the launch of the programme. We were introduced to the team by a key contact in Global IT Operations who had seen the benefit of a shared repository we had helped establish for business applications. The contact could see how it had simplified the tracking of various compliance processes and saw parallels with the aims of the IT Risk programme.
Introducing the IT Risk Portal
With a commercial framework in place and an accompanying mandate to establish an IT Risk Management portal, there were two security assurance challenges that had to be overcome before the project could start.
The first requirement was that any risks and vulnerabilities found from Penetration Testing (PT) would need to be fixed. An external specialist organisation was engaged, and the findings from their white and black box testing were used to further bolster the security of the platform. Indeed, security features on the platform today, such as the continuous scanning of third-party libraries, are a direct result of this engagement. The second hurdle was far easier to overcome: access to the application had to be controlled by the chosen Single Sign On (SSO) solution. This was achieved in 2 weeks.
With the green light from the Security Assurance Team we were able to get started on the first phase of the project – improving the operation of the application vulnerability management process.
Vulnerability scans were carried out before onboarding new applications and repeated on at least an annual basis for applications processing data owned by the organisation. It was therefore key to take a feed from the application inventory so that there was an accurate base of data to support planning processes. This was painless owing to an off-the-shelf ‘connector’ that was used to synchronise the application inventory with the Decision Focus platform.
The challenging (and interesting!) part of the project involved refining, standardising and subsequently documenting the process the team followed when they interacted with the disparate IT Operations teams.
A small focus group comprising IT Operations and IT Security personnel provided feedback over a set of four weekly sprints, and a month after we had started the project we were onboarding users.
Federate ownership of vulnerabilities
Dashboards, menus and views for IT Operations, IT Security, and IT Management were tailored so that the amount of ‘noise’ was greatly reduced. The IT Operations teams had a role profile which provided them with a focused view of vulnerabilities found in applications owned by their business area. There was no more need to split out and then reconsolidate the master vulnerability tracking spreadsheet, a fact greatly appreciated by the IT Risk team member charged with this responsibility!
Focus on the critical threats
Vulnerabilities were prioritised, enabling the IT Operations team to focus on fixing the critical vulnerabilities and quickly enhancing the overall IT Risk posture. The IT Operations team had dashboards set up that provided a view of vulnerabilities which were approaching or had exceeded their Service Level Agreements (SLAs).
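To make the two mechanisms above concrete (the business-area role profile and the SLA "approaching/exceeded" dashboard), here is an added illustration that is not the Decision Focus platform's own code; the SLA day counts, the severity labels, the seven-day warning window and the sample findings are all constructed assumptions, not the programme's figures.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation SLAs in days per severity (illustrative, not the programme's values).
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
APPROACHING_WINDOW = 7  # flag a finding when it is within this many days of its SLA deadline
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    finding_id: str
    source: str         # which scanner silo produced it: agent, network or application
    application: str
    business_area: str  # owning IT Operations area, used for the role-profile view
    severity: str
    first_seen: date
    fixed: bool = False


def sla_status(f: Finding, today: date) -> str:
    """Classify one finding against its severity SLA: fixed, breached, approaching or within."""
    if f.fixed:
        return "fixed"
    due = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
    if today > due:
        return "breached"
    if (due - today).days <= APPROACHING_WINDOW:
        return "approaching"
    return "within"


def ops_view(findings, business_area: str):
    """Role-profile view: only the area's open findings, most severe and oldest first."""
    rows = [f for f in findings if f.business_area == business_area and not f.fixed]
    return sorted(rows, key=lambda f: (SEVERITY_ORDER[f.severity], f.first_seen))


def sla_summary(findings, today: date) -> dict:
    """Management overview across all scanner silos: how many findings sit in each SLA state."""
    counts = {"fixed": 0, "breached": 0, "approaching": 0, "within": 0}
    for f in findings:
        counts[sla_status(f, today)] += 1
    return counts


# Constructed sample feed merging three scanner silos into one tracker (not real findings).
TODAY = date(2024, 3, 1)
FINDINGS = [
    Finding("APP-1", "application", "crm", "sales", "critical", date(2024, 2, 1)),
    Finding("NET-7", "network", "crm", "sales", "high", date(2024, 2, 5)),
    Finding("AGT-3", "agent", "payroll", "finance", "medium", date(2023, 11, 20)),
    Finding("APP-4", "application", "ecom", "sales", "low", date(2024, 1, 10), fixed=True),
    Finding("NET-9", "network", "ecom", "sales", "low", date(2024, 2, 20)),
]
```

Running `sla_summary(FINDINGS, TODAY)` gives the management roll-up, while `ops_view(FINDINGS, "sales")` is what a sales-area operations user would see, with the fixed item already filtered out.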
Most of our projects involve a degree of remote working, but this engagement with the Indian team was delivered entirely remotely. Only after the project went live did I get the chance to visit Bengaluru, meet the team in person and celebrate the successful “go-live”. The Decision Focus platform has helped standardise vulnerability tracking across all IT Operations Teams. It's great to see that the solution we introduced has not stood still. The flexibility of the tool has enabled the VM team to adjust the workflow following end user and management feedback - and to extend it with support for tracking Infrastructure Vulnerabilities, which follow different remediation processes.
Some observations and key take-aways for us as a team.
This is solvable. It is complex, yes – and goes across disciplines, but there are great technology platforms available that will actually break down the walls.
Pace over performance. Management is looking for better overview of their combined IT Risk landscape, to understand what direction and decisions are needed. Perfection is not the aim – this will continue to be a moving target, so we need speed over detail.
We really should integrate the IT Risk overview now generated with the full corporate Risk Landscape. IT Risk should flow naturally into the Chief Risk Officer's report – not live in isolation for the CIO to deal with. Culture, maturity and education are key factors that will help drive this forward.
The productivity and determination of the team has been key to producing the overviews, trends and risk charts now in use by management. I am curious to know how peers in the industry are tackling their IT Risk and Vulnerability programs – and hopefully we will start to see more benchmarking on these topics to help us all keep driving down IT Risk. A topic for a later post!