Blog Home Page Next article:

A Head in the Sand Approach Leaves Many Networks Vulnerable

Many responsible for networks security take a “Head in the Sand” approach to ‘Cybersecurity Risk Assessments’!

Following a previous information security breach, I was speaking with an industry colleague who shared with me that he had been in discussions with the victim organization regarding a technology that would allow them to identify and address vulnerabilities within their network. The client declined to proceed with the solution, citing that they were concerned it might identify issues they could not address for one reason or another.

Given that this is a service that is similar to (though not 100% the same as) the services my organization offers, I am all too familiar with this scenario. In my experience, organizations frequently make the above described decision due to one (or more) of the following concerns:

  • Lack of organizational support …
  • Lack of bandwidth …
  • FEAR – Good old-fashioned fear!!!

Organizational Support – We Won’t Get Budget to Fix it…Why Bother?

Often, we find clients may believe that even if they identify vulnerabilities, either of a technical or administrative nature, they won’t receive buy-in (or budget approval!) from their upper management. This has been a common issue in the world of information security within organizations, and there are numerous articles on making InfoSec an organization wide responsibility – not just IT. To highlight the need to executives, we’ve found that performing a true penetration test at the beginning of an engagement will attract attention; this takes the engagement from a hypothetical scenario to a proven scenario. This solution obviously costs more than a standard vulnerability assessment — and therefore isn’t something you would want to perform at the same cadence as vulnerability testing — but is well worth the price at appropriate intervals.

Bandwidth – Like we Don’t have Enough to Do!

We also frequently see IT departments that are overburdened and understaffed. In this scenario, the idea of potentially identifying issues that will need to be corrected is daunting. These departments often feel they have barely enough time to ensure the network is functional, much less optimized and secured. I really feel for these groups: hard-working teams that seem to operate at critical mass indefinitely … it must be grueling! To mitigate this concern, we (like most services) offer prioritized remediation instructions to ensure that the time you can allocate to this initiative is as impactful as possible.

Fear – It Will Reflect Badly Me!

Finally, we occasionally speak to organizations where (though this isn’t usually stated directly) it appears that the biggest worry about the results of a vulnerability identification process is it might be seen as a reflection of their network management ownership. While this is certainly an understandable worry, the more worrisome potential alternative to an organization like ours identifying those vulnerabilities is those same vulnerabilities coming to light from a malicious entity on your network.

Knowledge is your friend – Not your enemy!

Do any of these descriptions sound familiar? If your organization fits this description, don’t wait: take some time to investigate solutions that will address these concerns. You can do this through creating an internal program, outsourcing to a third party, or some mix of the two. Any which way you address it, vulnerability identification is a key component to any risk management strategy. For a deeper exploration of this topic and of patch management, please review our blog series titled Anatomy of a Cybersecurity Program at