How do you currently involve departments and teams outside IT/security in your vulnerability management efforts, if at all?

Mission Diplomatic Technology Officer in Government, 3 years ago

As a risk statement with a customer archetype check-in every six months. Will only highlight maybe one risk that is appropriate to them out of our 20, but follow with the list of all risks we are tracking in our portfolio.

Have not measured for effectiveness, but it does create awareness and a level of alliance-ship. Removes the "us versus them" and shapes it more as a "we" problem. Also helps gain perspective on their risks that I might not know or understand.

Anecdotally, we feel there are more customer actions and partnership when we raise a vulnerability we are working to mitigate.

CISO in Education, 3 years ago

Coordinate Vulnerability Management Team (VMT) meetings to try and collaborate and/or facilitate remediation of vulnerabilities. Often, we've found that folks want to try and do the right thing, but don't necessarily have the connections or the right level of influence to drive a vendor to fix an issue and/or prioritize an effort internally.
