Doctor's sometime recommend Lab tests. Reports produced are several pages long including graphs, numbers along with pictures with some Bold markings and annotations. This unknown of not being able to decipher the report creates anxiety in our minds. Searching the web for answers sometimes results in us getting more worked up or depressed. Eventually while you sit across the doctor as he reads through the report, he simply flips pages, ignoring our anxiety, our ever drowning look, he then shifts his gaze and ponders into ours and says 'Don’t worry everything is alright'. We breathe a sigh of relief. It makes me wonder, is it his experience and knowledge above all the Lab. tools and results that help him reach an accurate prognosis? This is his USP and it makes him a well regarded doctor and entrusted by many.

It reminded me of the above analogy, while at a small booth at a conference we sponsored. I was there attending visitors when a CISO from an organization stepped in. The conversation turned to DoyenGC-ApON’s offerings; vulnerability assessment & penetration testing in particular. We discussed about scoring the vulnerabilities through the Tools Vs RISK based scoring. Many tools provide risk levels (Low, Medium High) but these are based on technical assessments as we see in Pathological Lab results. It is important to translate these technical risks into business risks through experience, aptness and envisioning. This translation helps when talking to executives on the business side, It helps CIO’s and CISO’s talk to the peers on the other side, help them understand the business impact of security.

The discussion then turned to resolution and mitigation of the vulnerabilities identified by tools. More importantly to an important and somewhat contentious question: what, if all the vulnerabilities identified are HIGH, in what order would we resolve them.

There were two school of thoughts –

1. Fix the OS, DB or Applications with most vulnerability, first.

2. Fix the vulnerability with the most impact.

One & two don’t necessarily align all the time. #1 addresses the most number of vulnerabilities in one go, whereas #2 addresses the biggest concern first. How do we then objectively decide what to address first.

There is no one right answer to this question; we have to weigh the risks involved with any one of these vulnerabilities were to be exploited. Sometimes small risks have cascading effects. Like every human being, Every Organization is different, situation is different, every environment unique; even with the same human anatomy one medicine doesn't suit all. Years of experience teach us to categorize, prioritize and resolve these risks based on all the above factors.

At DoyenGC-ApON we have a team of CIO’s and CISO’s with years of experience helping clients address their security needs. Results from automated tools or manual tests alone aren't enough to draw the right conclusions and derive solutions. These have to be translated into accurate business risks which comes with experience, as we see in the case of a Doctor and his advise.

Experience Is a Big Risk With Cybersecurity Professionals. With virtually no unemployment in the field, recruiters need to look beyond certifications when vetting cybersecurity experts. February 23, 2017 by Sarah Fister Gale Wordpress.com