
I was involved in a conversation concerning the in-house vulnerability management program. One of the statements made was that management is generally not willing to accept risk and that it should aim to mitigate it, preferably in the form of patching.

On the other hand, there are cases of applications that are vulnerable (most of them have critical and high severity levels) and they are going to be decommissioned by the end of 2020.

The problem is that no one wants to put money on the table for fixing the vulnerabilities because the product or products will be decommissioned in a few months' time.

I’m now wondering, aren’t they somehow already accepting the risk of not providing funds for fixing the vulnerabilities or is it more an example of neglect?

Furthermore, shouldn’t, in this case, a formal process of risk management exist to weigh the cost against the potential loss caused by a possible exploitation leveraging the vulnerability?


1 Answer


There is no such thing as "no risk". There is always residual risk. Therefore, management must accept some level of risk (known as "acceptable risk").

"Inaction" is not the same as "accepting risk". What you are seeing is management not wanting to make a decision that costs money. That's all. There is no "risk thinking" here, so you can't look at it through a risk lens.

Yes, there should be a simple risk process to identify, assess, and treat the risks in this scenario. Most managers are not well trained in risk basics and are not aware of how simple, effective, and straightforward it can be. Many managers in small companies are afraid of formal risk processes because they can seem like a lot of overhead and bother.

You can kick-start this yourself by asking judgement-free questions of management.

  • what is your nightmare scenario in this situation?
  • how comfortable will you be if the worst-case happens?
  • are you ok with these vulnerabilities being un-mitigated in the meantime?
  • do you want to put in some extra monitoring or other protections to help reduce the risks?
  • do you want me to look at low-cost alternatives to patching to see if they can reduce the risk to a level you would be more comfortable with?
  • Okay, so there's no risk in relation to management not willing to provide funds for fixing the vulnerabilities. But that does not change the fact that there are vulnerabilities and some risk associated with them. What would then be the best way of dealing with those? – user211245 Jan 14 '20 at 14:36
  • I'm not sure that you read my answer correctly. There is risk in relation to management not willing to provide funds for fixing the vulnerabilities. But management's decision is not risk-based, so you can't say that they have accepted the risk. And I laid out 5 questions that would lead to what to do with the risk... – schroeder Jan 14 '20 at 14:43
  • Could one then say that their decision created a risk? If yes, shouldn’t it then be documented and accepted, mitigated, transferred etc.? – user211245 Jan 14 '20 at 14:52
  • Their decision did not *create* the risk. The risk exists. – schroeder Jan 14 '20 at 14:53
  • What's your goal in asking the question? To have an expert agree with you that management is bad? I'm not going to do that. ***You*** have responsibilities here since you understand the risk process. I'm helping you guide them, not to judge them. – schroeder Jan 14 '20 at 14:56
  • Just trying to understand it. I do not have any intentions to argue with anyone. Could you maybe refer me to some type of resources about risk management / vulnerability management? I think I need to read through it first to get a better understanding. – user211245 Jan 14 '20 at 15:01
  • Your question is not about vuln mgmt, but about risk. And I've given you a primer: identify, assess, treat. Get management's risk tolerance and risk acceptance criteria, seek treatment options, and decide which treatment options get you to an acceptable level of residual risk. – schroeder Jan 14 '20 at 15:07