Curious if anyone is using CISA services, i.e. vuln scanning. Any success? Lessons learned? Issues?

Security & GRC
1.8k viewscircle icon2 Upvotescircle icon4 Comments
Sort by:
CISO @ Florida Gulf Coast University in Educationa year ago

Hi there,

We currently use CISA as an augmentation for our external vulnerability management and the reports they send out are customized versions of Tenable.io reports.  It is nice because they do not charge you for it, and the reports can be used for some help with some of Gartner's outcome driven metrics for security (e.g time to patch vulnerabilities etc).

I heard from several of the other CISOs I collaborate with in FL that they have used their risk assessment and tabletop exercise services with good success.  I think nailing CISA down on dates can be hard because they are busy, and they may overdo it a bit if you do not scope them in the beginning, but overall I have heard nothing but good things about their services.

HTH,

Sven

Lightbulb on3 circle icon1 Reply
no titlea year ago

thanks, this is helpful

Head of Information Security in Manufacturinga year ago

While I haven't personally utilized the CISA vulnerability scanning services, my experience with similar services can shed some light on this topic. Vulnerability scanning as a service, such as what CISA offers, can be a valuable tool in identifying visible weaknesses from an external perspective. These services typically scan for known vulnerabilities in publicly accessible systems, offering insights into potential security gaps that external threats could exploit.

However, it's crucial to understand that these services have limitations. They primarily focus on external-facing systems, often overlooking internal vulnerabilities that could be just as, if not more, critical. While they can provide a snapshot of your external security posture, they don't offer a complete picture of your overall security health.

Effective use of such services also requires a comprehensive understanding of your organization's external IP addresses. Without this, the service might not cover all external assets, leaving some potentially vulnerable systems unscanned.

While external vulnerability scanning services, whether from CISA or another provider, can be useful to your security architecture, they should not be relied upon as the sole measure of your security posture. They are best viewed as one piece of a holistic security strategy, complementing other security measures such as internal vulnerability assessments, penetration testing, and continuous monitoring to ensure a robust defense against internal and external threats.

Lightbulb on3 circle icon1 Reply
no titlea year ago

Thanks! Much appreciated 

Content you might like

What steps do you typically take when you notice a security team member becoming less and less engaged? How do you approach them to diagnose/address the issue?

Read More Comments

Have you evaluated any “AI native” data security platforms so far (like Concentric AI, Normalyze, etc)? Interested to know your thoughts on these, whether or not you move forward with implementing.

Do you think your board/executive leadership understands cybercrime as an industry in itself?

Yes39%

Some but not all54%

No6%

I don’t know

View Results

How vulnerable is the real estate industry to cyberattacks?

As vulnerable as tech sector37%

Less vulnerable than tech sector52%

Not vulnerable5%

Don't know3%

View Results

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?