Toward the Strategic Security Imperative: Integrating Automated Patch and Vulnerability Management Into an Enterprise-wide Environment
by Lane F. Cooper - Originally published in issue 2 of (IN)SECURE Magazine - Tuesday, 30 August 2005.
This article explores the trends that are creating requirements for a strategic - rather than a tactical - approach to information security, patch and vulnerability management among public and private sector organizations. It demonstrates how an integrated, automated and enterprise-wide strategy that uses best-of-breed security solutions can be most effectively integrated into the operations of organizations large and small.

Despite the headlines, the conferences and the stated objectives of many large public and private organizations, many executives still wrestle with how to effectively deploy security measures that protect critical information assets underpinning their mission critical operations. It is the position of this White Paper that the challenges many organizations face in markedly reducing the risk posture of their organizations stem from a tactical understanding of risk and vulnerability assessment, perimeter security, threat remediation including anti-spyware, patch management and other critical security activities. Today, many organizations still treat each of these activities in a distinct and discrete manner, making it difficult to get a big picture understanding of their risk posture, inhibiting their ability to respond appropriately and cost-effectively to threats.

A Growing IT Target

According to analysts at IDC, worldwide spending on information technology will grow at 6 percent a year through 2008 to reach 1.2 trillion dollars, up from 965 Billion in 2004. That increase in spending is an explicit recognition of the role IT plays in helping organizations to achieve their strategic business objectives.

However, it also represents a growing target of opportunity for those who wish to exploit our growing dependence on technology. This helps explain why in the United States alone the market for information security will grow at 19 percent a year through 2008, according to recent data from the Freedonia Group. That is more than three times the rate of the global IT spend. According to the Freedonia analysts, much of this growth will be driven by efforts to integrate security on an enterprise-wide basis.

Security Still Afterthought

It would seem that people are voting with their wallets, and acknowledging that security is indeed a strategic issue. But is there truly a broad strategic recognition of security’s strategic imperative? Consider the following:
  • In the summer of 2004, a survey by the Conference Board revealed that almost 40 percent of respondents consider security an overhead activity that must be minimized.
  • The situation appears no better in the public sector. Agencies in the federal government continue to struggle with meeting the requirements of Federal Information Security Management Act (FISMA). In early 2005, the Government Accounting Office (GAO), the investigative arm of Congress, concluded that poor information sharing and management was responsible for exposing homeland security to unacceptable levels of unnecessary risk.
The problem illustrated by the above points is not one of effort or discipline. Millions of dollars are invested on security technology and hundreds of thousands of man hours are brought to bear on protecting critical information assets by IT and security personnel. The problem, rather, is one of perspective. In both cases, security measures appear to be treated as stand-alone activities that are divorced from the technologies, business processes and information assets they are meant to protect. Security, in short, is treated by many organizations as an afterthought.

According to PatchLink CEO Sean Moshir, “One of the greatest threats to enterprises today is that many — too many — organizations still consider security the lock they put on the door after the house gets built.”


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th