Most of us have a favorite Olympic sport, and mine is wrestling. Not only because I spent many years of my life either coaching, competing or organizing in that world, but because I have such reverence for its demands and the athletes that embrace its sacrifices. Moreover, as with most combat sports, wrestlers face two battles every competition: 1) making weight, and 2) wrestling in the actual match. The match is the one that matters. Making weight, albeit more grueling than the match often, is compulsory…but irrelevant. There are no medals for making weight, and no one ever earned a coveted All-American designation for spending the most time in a pre-weigh-in sauna.
Yet, many wrestlers, especially in the early years of their careers, lose sight of the goal (winning the match) by focusing on the weight cut, and enjoying a false sense of accomplishment for making weight. It’s a mental trap that experienced wrestlers are rarely caught in, but victimizes many nonetheless.
It’s been years since I’ve thought about wrestling from anything other than a fan’s perspective, but our experience at FutureCon events this year and last, speaking with hundreds of cyber security community attendees, prompted me to rekindle those memories. Specifically, a strong parallel between a young wrestler’s myopic weight-cutting focus and security professionals’ view of vulnerability management emerged.
Much like the wrestler subconsciously celebrating a meaningless accomplishment (making weight), security professionals that complete vulnerability scans and submit reports replete with sophisticated prioritization recommendations are congratulating themselves for a hollow “accomplishment.”
Just as there’s no reason to make weight if you’re not going to wrestle, there’s no reason to scan for and identify vulnerabilities if you’re not going to patch them. And yet, we are engaged in what seem like countless conversations with security and audit professionals who beam with pride in their vulnerability management programs, but have little regard for, or interest in, the actual patching process. Indeed, it’s not unusual for them to smile dismissively when we ask about the patching side of the equation when they answer “that’s another team.”
This is largely the result of the bifurcation in vulnerability management and remediation responsibilities. The security teams run scans and hand off their reports to IT practitioners who are responsible for patching the vulnerabilities. And unlike making weight in wrestling, scanning and generating reports is the easy part, but both are equally immaterial. The rubber meets the road with the IT pros that risk network availability and disruption in their own personal lives (caused by long nights when things sometimes break) to close the security gaps that materially reduce their organization’s exposure. They’re the ones doing the actual wrestling, and yet their effort often seems trivialized, taken for granted, and even somewhat less important to that of the security team, when the exact opposite is the case.
To meaningfully reduce the risk to an organization of unpatched vulnerabilities, a cultural shift is urgently needed in the vulnerability management world, and perhaps a good start would be replacing our community descriptor “vulnerability management” or “scanning” with “vulnerability remediation”… just like we award medals for the sport of “wrestling,” not “cutting weight.”