Intelligent CIO North America Issue 47 | Page 45

CIO OPINION
Additionally, the scope and impact of software supply chain risk is only just starting to become properly understood by those outside the software development industry.

Unfortunately, those who are responsible for patching and fixing software vulnerabilities are rarely involved in the technology selection process, so the lessons learned from remediation rarely feed back into technology selection choices. Layer onto this the escalating compliance landscape and it is easy to see how overwhelming the task is.

It is simply impossible to patch and mitigate every software vulnerability present in an enterprise network.

Historically, organizations would prioritize mitigation based on limited and inward-facing data, such as server versus workstation, an employee's role, asset criticality, vulnerability score and patch availability.

Despite this level of prioritization, patching remains a time-consuming task with limited effectiveness, because it does not consider whether that vulnerability is actively being exploited in the wild, or the risk that the adversaries leveraging it pose to a company's specific environment.

Most companies focus more on the consequences and severity of a vulnerability than on the likelihood that they themselves will be impacted. If you focus too much on severity and consequence, you may not see the complete picture.

CVSS scores, for example, focus mainly on severity; the likelihood-related values they carry are global and assumed valid for all organizations, and that assumption is mistaken.

Yes, a vulnerability may be critical and of the highest severity, but it is relevant to your own organization because of the threats that target your organization, not because of its score alone.

This is where custom likelihood comes in. Understanding your own likelihood is critical for prioritization and triage.

The modern enterprise has a new wealth of internal and external data with which to make more data-informed choices about the actions to take and the threats to respond to.
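The following is an added example, not code from the article or its author, illustrating the prioritization argument above: combining a global CVSS severity score with an organization-specific ("custom") likelihood built from signals such as active exploitation in the wild, internet exposure, whether the adversaries using the bug target your sector, and the criticality of the affected asset. The weights, the additive likelihood model and the three sample findings (VULN-A, VULN-B, VULN-C) are assumptions constructed for illustration, not real vulnerabilities or a standard scoring method.

```python
# Added example (not the article's code): prioritizing findings by CVSS severity
# combined with an organization-specific ("custom") likelihood estimate, so that
# two findings with identical CVSS scores can land in different places in the queue.
# The weights, thresholds and sample findings are assumptions for illustration.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # hypothetical label, not a real CVE
    cvss_base: float          # CVSS base score 0.0-10.0: global severity
    exploited_in_wild: bool   # threat intel says active exploitation observed
    internet_exposed: bool    # the affected asset is reachable from the internet
    targets_our_sector: bool  # adversaries using this bug go after our industry
    asset_criticality: int    # 1 (disposable) .. 5 (crown jewel), set by the org


def custom_likelihood(f: Finding) -> float:
    """Organization-specific probability-like weight in [0, 1].

    Assumed additive model: start from a small baseline (anything reachable may
    eventually be hit) and add weight for each signal that raises the chance
    that *this* organization is attacked through *this* vulnerability.
    """
    likelihood = 0.05
    if f.exploited_in_wild:
        likelihood += 0.45
    if f.internet_exposed:
        likelihood += 0.30
    if f.targets_our_sector:
        likelihood += 0.15
    return min(likelihood, 1.0)


def risk(f: Finding) -> float:
    """Risk on a 0-100 scale: severity x custom likelihood x asset weight."""
    severity = f.cvss_base / 10.0
    asset_weight = f.asset_criticality / 5.0
    return severity * custom_likelihood(f) * asset_weight * 100.0


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The 'severity only' queue most organizations work from (stable sort)."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss_base, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Queue ordered by severity combined with the organization's own likelihood."""
    return [f.vuln_id for f in sorted(findings, key=risk, reverse=True)]


# Constructed sample findings (illustrative, not real vulnerabilities).
SAMPLE: List[Finding] = [
    # Critical CVSS, but internal, unexploited, on a low-value host.
    Finding("VULN-A", 9.8, exploited_in_wild=False, internet_exposed=False,
            targets_our_sector=False, asset_criticality=2),
    # "Only" high CVSS, but actively exploited on an internet-facing crown jewel
    # by groups that target this organization's sector.
    Finding("VULN-B", 7.5, exploited_in_wild=True, internet_exposed=True,
            targets_our_sector=True, asset_criticality=5),
    # Critical CVSS and exploited in the wild, but on an internal mid-value host.
    Finding("VULN-C", 9.8, exploited_in_wild=True, internet_exposed=False,
            targets_our_sector=False, asset_criticality=3),
]


if __name__ == "__main__":
    print("CVSS-only order:", rank_by_cvss(SAMPLE))
    print("Risk order:     ", rank_by_risk(SAMPLE))
    for f in SAMPLE:
        print(f"{f.vuln_id}: cvss={f.cvss_base} "
              f"likelihood={custom_likelihood(f):.2f} risk={risk(f):.1f}")
```

Run as-is, the CVSS-only queue puts the two 9.8 findings first and the 7.5 finding last, while the risk-ordered queue moves VULN-B to the top because the exposure, exploitation and asset signals belong to this organization rather than to the global score. The point to take from the model is the shape, not the numbers: the likelihood inputs must come from your own telemetry and threat intelligence, and the weights should be calibrated against incidents you have actually seen.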