Juan Morales advises prioritizing vulnerability remediation by first identifying the critical assets that are most important to keeping the business running operationally and financially. It is important to understand where these key assets are located and have conversations with business stakeholders to obtain insight on the criticality of the assets. Quantifying risk to stakeholders in terms of potential system downtime and financial impact, such as revenue loss, can help communicate risk more effectively than simply stating the cost to fix a vulnerability. Visuals like charts and dashboards with trend lines are also effective for stakeholders to understand risk.
FOREWORD

Without a doubt, you struggle with prioritizing the plethora of threats and vulnerabilities that hit your organization every day. There are never enough hours in the day, nor enough staff, to remediate all of the attacks on both your internal and external IT infrastructure.

Shift your thinking. Narrow down the threats and vulnerabilities to the ones that apply to your IT infrastructure, then further reduce the list to the ones that have active exploits, and finally identify your critical devices that should be remediated first. This is impossible if you don’t have a platform that takes in all of your vulnerability scanner data across your dynamic attack surface: network, endpoints, databases, applications and IoT devices. Leverage human intel, combined with AI and machine learning, to guide your remediation efforts, and let your security staff focus on the strategic issues that support your digital transformation with an integrated security platform.

This e-book illustrates the value of identifying critical IT assets, and the importance of a prioritization platform that provides you clear guidance on remediation efforts. With the RiskSense Security Score (RS3), you can define your journey to track security metrics that link to your business goals. Security teams and business leaders alike will find value in the perspectives shared here.

Regards,
Srinivas Mukkamala
CEO and Co-Founder, RiskSense

The RiskSense Platform embodies the expertise and intimate knowledge gained from real-world experience in defending critical networks from the world’s most dangerous cyber adversaries. We help organizations prioritize IT vulnerabilities and threats to reduce cyber risk, giving you confidence in your digital transformation efforts. Our mission is to accurately identify and prioritize threats and vulnerabilities, add context to quickly remediate, and continuously monitor the results, providing organizations with cyber resilience across a growing and dynamic attack surface.

RiskSense offers the only intelligence-driven prioritization of threats and vulnerabilities, helping organizations overcome the complexity of managing today’s continuously changing IT infrastructure and ever-expanding, complex attack surface. RiskSense is the leader in analyzing threat and vulnerability data across the broadest spectrum of technologies (network, applications, endpoints, databases, and IoT devices) to uncover the most likely attack scenarios. Our platform allows organizations to view assessment findings in real time, create asset risk profiles, and manage the continuous feed of threat and vulnerability data, which is enriched from over sixty independent sources, factoring in human intel to elevate and prioritize remediation actions.

Sponsored by
TABLE OF CONTENTS

Juan Morales, Senior Director, Global Cybersecurity & Incident Response, Realogy Holdings Corp.: Focus First on Assets That Keep the Business Running (P5)
Pieter VanIperen, Founding Member, Code Defenders: Risk Assessment and Prioritization is a Triage Process (P8)
Surinder Lall, Senior Director, Information Security, Viacom: The Key to Risk Prioritization is Risk Assessment (P11)
Nick Green, Vice President, Information Security EMEA/APAC, Live Nation Entertainment & Ticketmaster: In a Large Organization, Know the Risk Owners and Adapt to Their Needs (P13)
Bobby Adams, Senior Security Architect, TD Ameritrade: A Holistic, Enterprise-Wide Strategy is Essential (P16)
John Trujillo, AVP, Technology, Pacific Life Insurance Company: You Must Understand the Business Function of Digital Assets (P19)
Jayesh Kalro, Director, Global Practice, CA Services, CA Technologies: To Manage Vulnerabilities Effectively, Define Business Priorities and Identify Critical Assets (P22)
FOCUS FIRST ON ASSETS THAT KEEP THE BUSINESS RUNNING

JUAN MORALES
Senior Director, Global Cybersecurity & Incident Response
Realogy Holdings Corp.

Juan Morales is the senior director of global cybersecurity and incident response for Realogy. He directs the security operations center, incident response, forensics, eDiscovery, and vulnerability management functions for Realogy. Juan has more than 18 years of experience in IT, InfoSec and technology management, focusing on reducing risk exposure and enabling business success by promoting sound and adaptive security practices with a focus on the fundamentals of cybersecurity. He holds a master’s degree in Cybersecurity from Fordham University and CISSP, ISSMP, and CEH certifications.

The main reason for vulnerability management is that it’s not possible to remediate all the vulnerabilities for all the assets in an enterprise completely. It’s necessary to prioritize, yet for many companies, just knowing what assets they actually have can be a daunting task. Juan Morales, senior director of cybersecurity at residential real estate services company Realogy, recommends starting out by asking how you identify your critical assets. “Regardless of vulnerabilities, start figuring out what is really important to the business,” says Morales. “What is most impactful should it be exploited? What really are the key assets that keep the company going, operationally and financially?”

As you identify those assets, you also need to know where they are located. “That helps to start painting the picture of the criticality, and the context in which they’re being used,” Morales explains. “You might start doing a bit more in-depth vulnerability scanning of those particular assets, and then you’re able to start having conversations with key stakeholders.” This gives you a basis for doing more research into the vulnerabilities the system is identifying. “Now you have the insight from the organization as far as the criticality of those key assets, tied with the information that the vulnerability-management system is giving you,” he adds. He points out the importance of this dialog with business stakeholders, because vulnerability-management systems don’t really understand the context of how these systems are being used.

When communicating risk to stakeholders, Morales prefers to quantify it in terms of system availability and financial impact. For instance, you can say that if your company is hit with an exploit that costs $10,000, or $1 million, to fix, that’s a point-in-time assessment of a cost to fix, but not a true assessment of the actual impact to the organization. “If the system’s not going to be available for X number of days or X number of hours, I think then it becomes a lot easier to translate it into an actual risk and potential revenue loss,” he says. He also advises keeping it simple. “You’re not going to be sharing actual technical vulnerability details. Pictures paint a thousand words. A couple of charts or dashboards with lines showing up or down trends is sufficient for stakeholders to understand the risk.” A risk scoring model that translates vulnerability data into business metrics would be invaluable.
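As an added example (not RiskSense’s or Morales’s code), the following Python script carries out the Foreword’s three-step narrowing (applies to our inventory, has an active exploit, critical assets first) and ranks the survivors the way Morales suggests, by expected availability loss (revenue per hour times recovery time) rather than by cost to fix. Every asset, advisory and exploit record is constructed sample data, and the field names are assumptions.

```python
"""Vulnerability triage: applicability -> active exploit -> critical assets first.

Added example, not RiskSense code. All records below are constructed sample data;
the vuln_id values are placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass
class Asset:
    name: str
    products: List[str]       # software the inventory/scanner reports as installed
    critical: bool            # stakeholders' answer: does this keep the company running?
    revenue_per_hour: float   # revenue (USD) the asset supports per hour of availability
    recovery_hours: float     # realistic time to restore service after a compromise


@dataclass
class Advisory:
    vuln_id: str              # placeholder identifier (constructed)
    product: str              # affected product, matched against Asset.products
    cvss: float
    fix_cost: float           # point-in-time cost to patch: NOT what the ranking leads with


@dataclass
class RemediationItem:
    asset: str
    vuln_id: str
    business_impact: float    # estimated revenue loss = revenue_per_hour * recovery_hours
    critical: bool
    cvss: float


def applicable(advisories: Iterable[Advisory], assets: Iterable[Asset]) -> List[Advisory]:
    """Step 1: keep only advisories for products actually present in our inventory."""
    installed = {p for a in assets for p in a.products}
    return [adv for adv in advisories if adv.product in installed]


def actively_exploited(advisories: Iterable[Advisory], exploited_ids: Set[str]) -> List[Advisory]:
    """Step 2: keep only advisories that threat intel reports as actively exploited."""
    return [adv for adv in advisories if adv.vuln_id in exploited_ids]


def prioritize(advisories: Iterable[Advisory], assets: Iterable[Asset]) -> List[RemediationItem]:
    """Step 3: expand to (asset, vuln) pairs; critical assets first, then by estimated
    revenue loss from downtime, then by CVSS as a tie-breaker."""
    items = []
    for asset in assets:
        for adv in advisories:
            if adv.product in asset.products:
                items.append(RemediationItem(asset.name, adv.vuln_id,
                                             asset.revenue_per_hour * asset.recovery_hours,
                                             asset.critical, adv.cvss))
    return sorted(items, key=lambda i: (not i.critical, -i.business_impact, -i.cvss))


def triage(advisories: List[Advisory], assets: List[Asset], exploited_ids: Set[str]) -> List[RemediationItem]:
    """Run the three steps in order and return the remediation list, most urgent first."""
    return prioritize(actively_exploited(applicable(advisories, assets), exploited_ids), assets)


# Constructed sample inventory, advisories and exploit intel.
ASSETS = [
    Asset("booking-db", ["acme-dbms 11"], True, 25_000.0, 8.0),
    Asset("intranet-wiki", ["wikiserve 3"], False, 0.0, 24.0),
    Asset("payments-api", ["webfw 2", "acme-dbms 11"], True, 40_000.0, 4.0),
    Asset("hr-portal", ["webfw 2"], False, 500.0, 12.0),
]
ADVISORIES = [
    Advisory("VULN-0001", "acme-dbms 11", 9.8, 50_000.0),  # expensive fix, but critical assets
    Advisory("VULN-0002", "webfw 2", 7.5, 2_000.0),
    Advisory("VULN-0003", "wikiserve 3", 9.1, 1_000.0),    # high CVSS on a non-critical asset
    Advisory("VULN-0004", "mailgw 5", 10.0, 500.0),        # product we do not run: dropped in step 1
    Advisory("VULN-0005", "webfw 2", 5.3, 1_000.0),        # no active exploit: dropped in step 2
]
EXPLOITED = {"VULN-0001", "VULN-0002", "VULN-0003", "VULN-0004"}

if __name__ == "__main__":
    for item in triage(ADVISORIES, ASSETS, EXPLOITED):
        tier = "CRITICAL" if item.critical else "standard"
        print(f"{item.asset:14} {item.vuln_id}  {tier:8}  est. loss ${item.business_impact:>10,.0f}  CVSS {item.cvss}")
```

Note that VULN-0003 has the second-highest CVSS but lands last because the wiki supports no revenue, while VULN-0001 leads despite the highest fix cost: the ordering follows impact to the business, not scanner severity or cost to fix.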
There are a couple of important reasons to keep business stakeholders involved in vulnerability discussions. For one thing, they are accountable for the risk in their business. Also, they can be important advocates for driving remediation and getting the additional resources needed to address a vulnerability. “We actually distribute our vulnerability-management reports to executives,” says Morales. “This is the picture of your assets and systems that you’re accountable for, and here are the number of vulnerabilities in your systems. We give them a 30-day look-back of the number of vulnerabilities being fixed, and obviously we want to continue to see a down-trend as we continue to gather those statistics.”

Traditionally, security people work with the operations teams and support teams to fix vulnerabilities, but in a perfect world, Morales believes executives should take an active interest in the vulnerability-management discussion. It doesn’t always work that way, but the trends are moving in that direction. Morales describes it this way: “You want executives to get a dashboard that has a clear business scoring model that allows them to engage and appreciate how security impacts their business. You want them to be able to take action and ask the questions. Why is this dashboard looking the way it’s looking? Who’s not doing what is necessary? Do we need more resources? That’s the kind of conversation we want to drive by showing these metrics to the executives.”

KEY POINTS
1. A dialog with business stakeholders is important because vulnerability management systems don’t understand the context of how assets are being used. Solutions that have a prioritization model and support the business criticality of assets are needed.
2. By getting business stakeholders involved in vulnerability discussions in business terms they understand, they can help drive remediation and advocate for the additional resources needed to address a vulnerability.
RISK ASSESSMENT AND PRIORITIZATION IS A TRIAGE PROCESS

PIETER VANIPEREN
Pieter VanIperen is a veteran programmer, security expert, and ethical hacker holding multiple certifications. He is a founding member of Code Defenders—a collective that protects the long tail of the internet—and an adjunct professor of Code Security at NYU. He is currently the resident software architect and secure coding expert for several Fortune 1000 companies, as well as consulting for law enforcement authorities and advising multiple startups. He is the author of the HAZL programming language and has served as the CTO of several digital companies.
Founding Member, Code Defenders

One of the challenges that comes with rolling out vulnerability detection and management technologies is interpreting and acting on the insights they provide. “Having a set of results is great,” says Pieter VanIperen, security architect and a specialist in code security. “But you’re going to have a lot of false positives, especially on a first scan. If you’re doing an internal scan, you’re going to have systems that aren’t even accessible to the outside world that are getting flagged.”

VanIperen says that in order to use vulnerability scans effectively in a risk-management strategy, you need to be able to triage and analyze risk, and there aren’t tools that can do that effectively on their own today. Doing that requires systems and people. On the human side of the equation, you will need to include people from different parts of the cyber ecosystem. “You will need a cross-functional set of people in order to understand the context of the potential risks you’re looking at, to figure out if they are risks, to understand how exploitable and exposed they really are, and how to fix them,” he explains. Beyond that, VanIperen says you need to have a system for monitoring events as they are occurring. “You need central logging, and you need training,” he adds.

With these capabilities in place, risk assessment and prioritization becomes central to an effective risk-management program. “There needs to be a risk analysis and ranking system,” says VanIperen. “Whether that is something like DREAD (damage, reproducibility, exploitability, affected users, discoverability), something like a category score (low, medium, high), or just a scale of 1 to 10, there needs to be something so you can start assessing risk and triaging and prioritizing vulnerabilities.” Being able to translate security metrics into business terms is critical when communicating to management and executives. The objective is to address the highest risks and plug the biggest holes first. As the program evolves, risk assessment becomes something that is built into the IT process within the organization. “As the system matures, coders need to learn to do threat analysis, and so do network or system engineers as they’re building and deploying systems. You need to start having secure code reviews, and there need to be standards checklists,” says VanIperen.
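VanIperen names DREAD, a low/medium/high category score, or a plain 1-to-10 scale as acceptable ranking systems. The block below is an added example, not VanIperen's code or that of any product on this page: it scores constructed findings with DREAD, folds the number into the category scale stakeholders see, and orders the triage queue. The 0-to-10 factor scale, the bucket thresholds, the tie-break rule and the sample findings are all assumptions.

```python
"""DREAD scoring, category bucketing and a triage order for scanner findings.

Added example, not VanIperen's or any product's code. The 0-10 factor scale,
the bucket thresholds and the sample findings are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Finding:
    id: str
    damage: int           # how bad a successful exploit is
    reproducibility: int  # how reliably it triggers
    exploitability: int   # how little skill, access and effort it takes
    affected_users: int   # how many users or systems are hit
    discoverability: int  # how easy it is for an attacker to find


def dread_score(f: Finding, assume_discoverable: bool = True) -> float:
    """Mean of the five factors, giving a 1-to-10 style score.

    assume_discoverable pins Discoverability at 10, a common convention:
    betting that attackers will not find the flaw is rarely a good bet.
    """
    values = []
    for name in FACTORS:
        v = getattr(f, name)
        if not 0 <= v <= 10:
            raise ValueError(f"{f.id}: {name}={v} is outside 0..10")
        if name == "discoverability" and assume_discoverable:
            v = 10
        values.append(v)
    return round(sum(values) / len(values), 1)


def bucket(score: float) -> str:
    """Collapse the number into the low/medium/high scale stakeholders see."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def rank_findings(findings: List[Finding], assume_discoverable: bool = True) -> List[Tuple[str, float, str]]:
    """(id, score, bucket), highest risk first. Ties go to the larger Damage,
    so the worst outcome outranks the easiest exploit."""
    rows = [(f.id, dread_score(f, assume_discoverable), f.damage) for f in findings]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return [(fid, score, bucket(score)) for fid, score, _ in rows]


# Constructed findings, such as a first scan might leave after false positives are weeded out.
SAMPLE = [
    Finding("sqli-login", damage=9, reproducibility=10, exploitability=8, affected_users=10, discoverability=6),
    Finding("xss-profile", damage=5, reproducibility=8, exploitability=7, affected_users=6, discoverability=8),
    Finding("verbose-banner", damage=1, reproducibility=10, exploitability=10, affected_users=2, discoverability=10),
    Finding("internal-rce", damage=10, reproducibility=6, exploitability=3, affected_users=4, discoverability=2),
]
```

Running `rank_findings(SAMPLE)` puts the SQL injection first and, because Discoverability is pinned, ranks the hard-to-find internal RCE above the harmless banner (both 6.6, broken by Damage); with `assume_discoverable=False` the RCE falls to 5.0. Note that network exposure, the point VanIperen makes about internal-only hosts being flagged, is not a DREAD factor: either reflect it in Exploitability or apply it as asset context after scoring.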
One thing to keep in mind is that new scanning tools, more complex IT environments, and increased activity logging generate greater quantities of data that must be analyzed to identify legitimate vulnerabilities and risks. New AI systems based on machine learning that are capable of processing vast amounts of data may be the future of cyber risk management. “When you’ve looked at threat intelligence systems and artificial intelligence analysis that have been out there, some of the most successful systems are self-trained,” says VanIperen. But he also points out that when AI-based systems become part of a cyber risk-management program, some things change.

For instance, once a self-teaching AI system has built an operational body of risk knowledge it uses to make risk judgements about cyber activity, it is nearly impossible for humans to deconstruct how the AI system is evaluating risk. If for some reason the AI system went off-line, the humans would be inundated with data and have few criteria for evaluating it. The other challenge is that AI systems can be gamed just like people, and odd situations can return costly false positives. “The best system can be making the right choice 99 percent of the time every day, and then it might encounter a burst of fringe cases that cause it to give unpredictable assessments,” VanIperen says. “We continuously train people to know when they’re being manipulated. We also need to train the systems to know when they are being manipulated.”

KEY POINTS
1. In order to use vulnerability scans effectively in a risk-management strategy, you need to be able to triage and analyze risk, and there aren’t tools that can do that effectively on their own today. Doing that requires systems and people.
2. New AI systems based on machine learning that are capable of processing vast amounts of data may be the future of cyber risk management.
THE KEY TO RISK PRIORITIZATION IS RISK ASSESSMENT

SURINDER LALL
Surinder is a highly skilled security professional with over 20 years of experience in the technology field. Surinder is one of only a handful of security professionals who has been awarded the coveted LL.M - Legum Magister (Master of Laws). This, coupled with his extensive experience and qualifications within the fields of compliance, governance, and information security, allows him to be an effective strategist throughout the security, compliance and governance life cycles.
Senior Director, Information Security, Viacom

“If you don’t know specifically where the risks are or how they impact the business, then you’re going to have considerable issues in mitigating any of that risk,” says Surinder Lall, senior director of information security at Viacom. “If you don’t know where it’s coming from, how you’re going to address it, and what platforms you need to put in place, you could be randomly performing vulnerability scans on your IT infrastructure for hours on end and running generalized reports but not really getting anywhere.” This is especially challenging in the media space, where technology and new ways of monetizing content are always necessitating innovative security strategies.

In complex IT environments that have tens or hundreds of thousands of infrastructure components, each with its own set of vulnerabilities, the key to prioritizing mitigation activity lies in risk assessment. “First you have to understand what you’re trying to protect,” says Lall. This involves defining what has real commercial value to the business, because that’s where you need to focus mitigation efforts. “Security departments often scan everything except the most critical things because they’re afraid they might break something. My argument is if you don’t break it then someone else will,” he notes.

Defining asset criticality comes down to the commercial consequences of exposing that asset, and how that translates into a loss for the business. “There’s no simple formula,” Lall says. “It’s more art than science.” That includes considering costs associated with asset exposure, such as loss of customer trust and the consequential damage to business. But it also includes regulatory considerations. “You have to factor in legal liabilities too,” he explains. “So think about GDPR [the EU’s General Data Protection Regulation], and look at the massive fines that could result if something is not fixed.”
You also have to consider the seriousness of different threat vectors, for instance the likelihood that a particular vulnerability will be exploited. But this is extremely difficult to quantify, and it changes continually. And even a perceived low-risk vulnerability can have a big impact if it results in a breach, just as the impact of a low-value asset exposure can far outweigh the value of the asset itself. Given these intangibles and the need to prioritize, Lall says most organizations focus on the substantial threats. “They focus on how to protect themselves against legal liability, such as violations of GDPR, PCI DSS [Payment Card Industry Data Security Standard], and the big laws. And they focus on how to mitigate risk to the obvious higher-value assets.”

Lall sees AI-assisted vulnerability-scanning tools as useful in providing more continuous monitoring of asset activities, especially solutions that factor in business criticality. But he says a manual process is still required to teach them which are the high-value assets. “AI hasn’t reached the maturity where it’s able to look at something and say ‘hey, this is sensitive stuff.’” Some systems are able to identify keywords and number patterns, but it comes back to how those assets are used in the business. The machine-learning process needs to occur over time, using data classification and business-based risk scoring.

KEY POINTS
1. Defining asset criticality comes down to the commercial consequences of exposing that asset, and how that translates into a loss for the business.
2. A low-risk vulnerability can have a big impact if it results in a breach, just as exposure of a low-value asset can have business impacts far greater than the value of the asset itself.
IN A LARGE ORGANIZATION, KNOW THE RISK OWNERS AND ADAPT TO THEIR NEEDS

NICK GREEN
Nick Green is vice president of information security at Live Nation Entertainment and Ticketmaster. Live Nation is the largest producer of live music events in the world, producing 29,000 events globally and managing over 3,200 artists. Ticketmaster is one of the world’s top 10 e-commerce sites, selling more than 484 million tickets annually. He is passionate about security fundamentals, automation, and deploying solutions at scale to meet the challenges of global organizations.
Vice President, Information Security EMEA/APAC, Live Nation Entertainment & Ticketmaster

Nick Green, who is responsible for IT security at Live Nation Entertainment and Ticketmaster in all regions outside North America including Europe, Asia, Australasia, and Africa, is involved in pretty much every security issue facing all of Live Nation’s brands and business groups. This encompasses a huge global network handling very high transaction volumes. Managing vulnerabilities across business units and geographical regions is an enormous task that includes scanning, ranking and reporting risks, and remediation monitoring.

Before any of that is possible, Green says you have to know what your network encompasses. “You’ve got to find all your systems and applications,” he says. “Within Ticketmaster, we’ve built custom systems that take in all this data from all different kinds of sources.” Building an inventory includes identifying an owner for every asset. “You need to make sure you can attribute each one of these systems or applications to an owner,” Green explains. “We pay special attention to making sure the owners are people, not teams. The owner is the person you talk to when something’s not getting fixed.”

Once you know what you’ve got, then you can get serious about scanning and managing vulnerabilities. “We use a well-known scanning tool, but we have to feed that tool with inventories from all kinds of sources,” he says. “We feed it everything from DHCP scopes to network router tables, to other discovery metrics. So there’s a whole array of tools that feed into our vulnerability scanners.”
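The two steps Green describes, merging discovery feeds into one inventory and attributing every asset to a person, can be made mechanical. The block below is an added example, not Ticketmaster's custom system (whose design the page does not give): it reconciles a DHCP scope export, a router ARP table and a CMDB extract into a scanner target list, and reports the gaps a human has to chase, including assets owned by a team rather than a person. All three feeds, the hostnames, the owner names and the `owner_type` field are constructed for the example.

```python
"""Reconcile discovery feeds into one asset inventory with a named owner per asset.

Added example, not Ticketmaster's own tooling. The three feeds below are constructed;
in practice they come from the DHCP server, router ARP/route tables and the CMDB.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DHCP_LEASES = [                                  # constructed DHCP scope export
    {"ip": "10.1.0.10", "hostname": "web-01"},
    {"ip": "10.1.0.11", "hostname": "web-02"},
    {"ip": "10.2.0.7", "hostname": "lab-box"},
]
ROUTER_ARP = [                                   # constructed router ARP table
    {"ip": "10.1.0.10", "mac": "00:11:22:33:44:01"},
    {"ip": "10.1.0.50", "mac": "00:11:22:33:44:99"},  # on the wire, no lease, no CMDB record
]
CMDB = [                                         # constructed CMDB extract; owner_type is an assumed field
    {"hostname": "web-01", "owner": "alice@example.com", "owner_type": "person"},
    {"hostname": "web-02", "owner": "web-platform-team", "owner_type": "team"},
    {"hostname": "db-01", "owner": "bob@example.com", "owner_type": "person"},  # recorded, never seen live
]


@dataclass
class Asset:
    ip: Optional[str] = None
    hostname: Optional[str] = None
    sources: Set[str] = field(default_factory=set)
    owner: Optional[str] = None
    owner_type: Optional[str] = None

    @property
    def key(self) -> str:
        return self.hostname or self.ip or "?"


def build_inventory(dhcp, arp, cmdb) -> List[Asset]:
    """Merge the feeds, matching on hostname where one is known and on IP otherwise."""
    assets: List[Asset] = []
    by_ip: Dict[str, Asset] = {}
    by_host: Dict[str, Asset] = {}

    def lookup(ip: Optional[str] = None, hostname: Optional[str] = None) -> Asset:
        asset = by_host.get(hostname) if hostname else None
        if asset is None and ip:
            asset = by_ip.get(ip)
        if asset is None:
            asset = Asset()
            assets.append(asset)
        if ip:
            ipaddress.ip_address(ip)   # raises ValueError on garbage before it reaches the scanner
            asset.ip = ip
            by_ip[ip] = asset
        if hostname:
            asset.hostname = hostname
            by_host[hostname] = asset
        return asset

    for lease in dhcp:
        lookup(lease["ip"], lease["hostname"]).sources.add("dhcp")
    for entry in arp:
        lookup(ip=entry["ip"]).sources.add("arp")
    for ci in cmdb:
        asset = lookup(hostname=ci["hostname"])
        asset.sources.add("cmdb")
        asset.owner, asset.owner_type = ci["owner"], ci["owner_type"]
    return sorted(assets, key=lambda a: a.key)


def triage(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Scanner targets plus the inventory gaps that someone has to chase down."""
    return {
        # everything seen live gets scanned, owned or not
        "targets": [a.ip for a in inventory if a.ip],
        # live on the network but absent from the CMDB: nobody is accountable for it yet
        "unknown": [a.key for a in inventory if a.ip and "cmdb" not in a.sources],
        # in the CMDB with no sign of life: a stale record, or a host discovery is missing
        "stale": [a.key for a in inventory if a.sources == {"cmdb"}],
        # owned by a team, not a person: there is nobody to call when it is not fixed
        "team_owned": [a.key for a in inventory if a.owner_type == "team"],
    }
```

On the constructed feeds, `triage(build_inventory(DHCP_LEASES, ROUTER_ARP, CMDB))` scans four live addresses, flags `10.1.0.50` and `lab-box` as live but unowned, `db-01` as a CMDB record nothing has seen, and `web-02` as needing a named owner. Each of those lists is a ticket for someone, which is the point of the exercise.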
Vulnerability scanning is just the beginning. You have to rank risks and report them out to asset owners for remediation. When it comes to ranking risks, Green says, “There are a number of risk frameworks and methodologies out there. We’ve tended to take the best of a lot of them and customize them to keep it as simple as possible. You want to avoid getting caught up in analyzing vulnerabilities to the point where you’re trying to put actual dollar figures on them, and you’re reaching out to 10 different people to find out what’s important. A lot of the risk decisions are based on business knowledge. It would be valuable to have a security risk score that worked similar to a credit score so business owners could more easily interpret the results.”

Reporting threats—which involves tracking risks and releasing them into the business pipeline—can be tricky in a complex business environment. Different business units may be using different reporting platforms and incident ticketing systems. “I’m always bending to the needs of the business groups,” says Green, “because if I want somebody to work on something, I have to present it to them in the format they require. I can’t dictate how different business groups work.” Variations between different business groups also impact vulnerability remediation, because the business units may not agree with the security team’s risk rank and prioritization. Green tracks everything through a central ticketing system that ties to the ticketing systems used by particular business groups. “Sometimes we’ll go to them with a high-priority vulnerability. It’s easy to fix. It goes through the pipeline and boom, it’s fixed the next day or the next hour. Sometimes they might push back and say, ‘This isn’t really a problem, and here are the reasons why.’ We adjust the risk on that and prioritize it accordingly,” he says.

Green conducts vulnerability scanning daily, weekly, or monthly, depending on the systems, but more granular, closer to real-time scanning has costs. “You start talking about a lot of data and a lot of infrastructure,” he cautions. “If you’re trying to scan a network as large as ours daily or in real time, there’s a heavy cost associated with rolling out that kind of platform.”

KEY POINTS
1. Before meaningful vulnerability management is possible, you must know what you are protecting. This means building an asset inventory that includes asset owners.
2. If a business group does not agree with the security team’s risk rank and prioritization, it should be able to explain why.
A HOLISTIC, ENTERPRISE-WIDE STRATEGY IS ESSENTIAL

BOBBY ADAMS
Bobby Adams is an intuitive technical leader offering hands-on skills and experience in enhancing system capabilities for both private and government organizations. He has a natural ability to determine solutions to minimize system vulnerabilities and improve security functions.
Senior Security Architect, TD Ameritrade

“One of the biggest things I see in complex IT environments is people being paralyzed by all the analysis that needs to happen and all these tools that are telling you there are lots of threats in the environment,” says Bobby Adams, who heads a team responsible for security architecture at a large brokerage firm. Paralysis sets in when people are faced with too many alerts and not enough resources to analyze or remediate them properly.

Adams believes the best way to address this problem is to apply a holistic cycle that tracks incidents and vulnerabilities from discovery to remediation and involves the entire enterprise. “Taking a holistic approach to security throughout an enterprise environment is key,” he says. “You need to get that holistic life cycle in place and make sure that you have buy-in from all the other technical teams. You need that because you can’t do security by yourself.”

What does this kind of holistic cycle look like? Adams outlines these key elements:
• Document your program and get agreement from all stakeholders, including network administrators, server administrators, their management, and directors. Stakeholder buy-in across the enterprise is critical.
• Perform accurate scans routinely or even continuously across the entire enterprise.
• Tightly integrate scanning tools with other tools such as the configuration management database so that security tools are constantly aware of all assets on the network. “You can actually orchestrate and automate a lot of that kind of integration,” Adams points out.
• Aggregate all threat intelligence from all tools and vendors into one centralized tool that automates threat intelligence. “Aggregating that threat intelligence to a single pane of glass makes it a lot easier to analyze what’s happening in your environment,” Adams says.
• Validate and prioritize vulnerabilities. Many scanning tools provide information about the severity of vulnerabilities, which should be part of your aggregated threat intelligence.
• Remediate vulnerabilities and install patches on a prioritized basis as quickly as possible. Also, validate through continuous scanning to see that those remediations are in place. “That vulnerability management life cycle is extremely important. You need to do it in a timely manner, and continuously,” he stresses.
• Track scanning and remediation metrics to measure the effectiveness of your program.

Continuous scanning is an important part of Adams’s program for both detection and validating remediation. “We’re continuously scanning for those old vulnerabilities all the time. We don’t remove those from our scanning signature. We’re looking for how many have been detected, how many have been patched, and then we track that over time.” Adams also likes to compare data from different tools. “I like to have multiple results from multiple tools. If I can use a tool that’s not really a vulnerability scanner, but it can provide useful data, I will absolutely use that.”
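Adams's last two points (validate remediation by rescanning, then track detected versus patched over time) and the 30-day look-back Morales gives executives earlier on this page come from the same computation over successive scan results. The block below is an added example, not Adams's or Morales's reporting code or any scanner's feature: it diffs consecutive scans to count what was newly detected, what was fixed and what regressed (a fix that came undone, which is only visible because old signatures stay in the scan), then summarizes a look-back window. The weekly scan sets, hosts and vulnerability ids are constructed.

```python
"""Scan-over-scan deltas and the 30-day look-back an executive dashboard plots.

Added example, not Morales's or Adams's reporting code. The weekly scan results are
constructed; a real run would load them from the scanner's exports.
"""
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]   # (asset, vulnerability id)

# Each scan is the set of (asset, vuln) pairs still detected. Old signatures are never
# retired from the scan, which is what makes a fix that comes undone visible again.
SCANS: List[Tuple[date, Set[Key]]] = [
    (date(2024, 3, 1), {("web-01", "V1"), ("web-01", "V2"), ("db-01", "V3"), ("hr-01", "V4")}),
    (date(2024, 3, 8), {("web-01", "V2"), ("db-01", "V3"), ("hr-01", "V4"), ("web-02", "V5")}),
    (date(2024, 3, 15), {("db-01", "V3"), ("web-02", "V5")}),
    (date(2024, 3, 22), {("db-01", "V3"), ("web-02", "V5"), ("web-01", "V1")}),  # V1 is back
    (date(2024, 3, 29), {("web-02", "V5")}),
]


def scan_deltas(scans) -> List[Dict]:
    """Per scan: still open, newly detected, fixed since the previous scan, regressed."""
    rows: List[Dict] = []
    prev: Set[Key] = set()
    ever_fixed: Set[Key] = set()
    for day, current in sorted(scans, key=lambda s: s[0]):
        new = current - prev               # on the first scan everything counts as new
        fixed = prev - current             # detected last time, gone now: remediation validated
        regressed = new & ever_fixed       # closed once, detected again: the fix did not hold
        ever_fixed |= fixed
        rows.append({"date": day, "open": len(current), "new": len(new),
                     "fixed": len(fixed), "regressed": len(regressed)})
        prev = current
    return rows


def lookback(scans, as_of: date, days: int = 30) -> Dict:
    """Open count at the start and end of the window, fixes inside it, and the trend."""
    start = as_of - timedelta(days=days)
    window = [r for r in scan_deltas(scans) if start <= r["date"] <= as_of]
    if not window:
        raise ValueError("no scans inside the look-back window")
    open_start, open_end = window[0]["open"], window[-1]["open"]
    return {
        "open_start": open_start,
        "open_end": open_end,
        "fixed": sum(r["fixed"] for r in window),   # counts fix events: a regression fixed again counts twice
        "new": sum(r["new"] for r in window),
        "regressed": sum(r["regressed"] for r in window),
        "trend": "down" if open_end < open_start else "up" if open_end > open_start else "flat",
    }
```

For the constructed scans, `lookback(SCANS, date(2024, 3, 29))` reports 4 open at the start of the window, 1 at the end, 5 fix events, 1 regression and a downward trend, which is the chart Morales describes. The `regressed` count is the number to watch: a dashboard that only plots "open" would show the V1 regression as a bump and hide that it was a previously validated fix.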
All these inputs provide a lot of data and threat intelligence that require deeper analysis. Adams’s team is looking for ways they can automate their incident response front end to perform an even more in-depth investigation of all the alerts. He wants to create incident cases, have automated security orchestration and automated incident response, and be able to present all that in one place, drawing from every single tool in the environment. “I think the most critical thing is getting that data in front of the eyes of the people who need it the most,” says Adams.

KEY POINTS
1. Many scanning tools provide information about the severity of vulnerabilities. This needs to be part of your aggregated threat intelligence.
2. Continuous scanning is an important part of any vulnerability management program for both vulnerability detection and validating remediation.
YOU MUST UNDERSTAND THE BUSINESS FUNCTION OF DIGITAL ASSETS

JOHN TRUJILLO
John Trujillo has 30 years of experience in the IT industry. He began his career in application development and then migrated to enterprise infrastructure and information security. Since 2001, he has worked for Pacific Life Insurance Company, where he leads the information security and IT infrastructure practices for his business unit. He holds a BS in Computer Information Systems and an MBA from the University of Redlands.
AVP, Technology, Pacific Life Insurance Company

John Trujillo believes vulnerability and risk management for digital assets is part of a larger business challenge. “If I lose a system to a physical event or I lose a system to a logical attack, the business ultimately doesn’t care. In the aggregate, you need a comprehensive risk assessment and management program, of which security is a critical component.”

From that perspective, the question becomes how you evaluate vulnerabilities of your digital assets to decide which ones are most critical. “I think you need to understand the business function of the assets that you’re securing,” says Trujillo, who heads information security and IT infrastructure in his unit at Pacific Life Insurance Company. “You have to understand the costs of losing any given configuration item, and then have that configuration item roll up into applications, which in turn roll up to the business processes.” He believes any vulnerability-management program needs to be integral to business process and enterprise architecture. “You need a program that at its inception partners with the enterprise architecture, because the enterprise architecture has to be constructed in such a way that your risks are mitigated.”

To accomplish this, and to have effective risk management, there need to be standards, perhaps similar to a credit score, around how risks are identified, how they’re ranked, and how they are either accepted or remediated. This would include having remediation plans tied to business risk criticality, so that higher risks have higher priority, and there is enough information for business decision makers to decide how to handle certain risks. “After a certain amount of time you either have to remediate the thing or re-accept it formally. But all of the specifics around that are dependent on your particular industry and your particular company’s appetite for risk,” Trujillo explains.
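The standard Trujillo describes, remediation windows tied to rank plus a formal, time-limited risk acceptance, is easy to state and easy to let slide. The block below is an added example, not Pacific Life's program: it computes the due date for each risk from its rank, classifies every register entry as remediated, accepted, acceptance-expired, open or overdue, refuses an acceptance that has no named owner, and lists what the business decision maker has to act on now. The SLA windows, the 180-day acceptance term, the fixed "today" and the sample register are assumptions to set from your own risk appetite.

```python
"""Remediation deadlines by risk rank, and time-boxed risk acceptances that lapse
unless a named decision maker renews them.

Added example, not Pacific Life's program. The SLA windows, the acceptance term and
the sample register are assumptions; set them from your own risk appetite.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed targets
ACCEPTANCE_TERM_DAYS = 180                                         # assumed: re-accept twice a year
TODAY = date(2024, 6, 1)                                           # fixed so the example is reproducible


@dataclass(frozen=True)
class Risk:
    id: str
    rank: str
    first_seen: date
    remediated_on: Optional[date] = None
    accepted_by: Optional[str] = None    # a named person, the one accountable for the decision
    accepted_on: Optional[date] = None


def due_date(r: Risk) -> date:
    if r.rank not in SLA_DAYS:
        raise ValueError(f"{r.id}: unknown rank {r.rank!r}")
    return r.first_seen + timedelta(days=SLA_DAYS[r.rank])


def state(r: Risk, today: date) -> str:
    """One of: remediated, accepted, acceptance-expired, open, overdue."""
    if r.remediated_on is not None:
        return "remediated"
    if r.accepted_on is not None:
        if not r.accepted_by:
            raise ValueError(f"{r.id}: acceptance recorded without an accountable owner")
        if today - r.accepted_on > timedelta(days=ACCEPTANCE_TERM_DAYS):
            return "acceptance-expired"   # formally re-accept or remediate; silence is neither
        return "accepted"
    return "overdue" if today > due_date(r) else "open"


def needs_decision(register: List[Risk], today: date) -> List[Tuple[str, str, str]]:
    """What goes in front of the business owner now, highest rank first."""
    order = {rank: i for i, rank in enumerate(SLA_DAYS)}
    rows = [(r.id, state(r, today), r.rank) for r in register]
    rows = [row for row in rows if row[1] in ("overdue", "acceptance-expired")]
    rows.sort(key=lambda row: (order[row[2]], row[0]))
    return rows


# Constructed risk register.
REGISTER = [
    Risk("R1", "critical", date(2024, 5, 20)),
    Risk("R2", "high", date(2024, 5, 10)),
    Risk("R3", "medium", date(2024, 1, 15), accepted_by="cfo@example.com", accepted_on=date(2024, 1, 20)),
    Risk("R4", "low", date(2023, 10, 1), accepted_by="coo@example.com", accepted_on=date(2023, 11, 1)),
    Risk("R5", "high", date(2024, 3, 1), remediated_on=date(2024, 3, 10)),
    Risk("R6", "medium", date(2024, 2, 1)),
]
```

On the constructed register, `needs_decision(REGISTER, TODAY)` returns the overdue critical R1, the overdue medium R6 and the low-ranked R4 whose acceptance lapsed after 180 days, in that order; R3's acceptance is still within term and R2 is inside its 30-day window. Treating an expired acceptance as a decision item rather than quietly leaving it "accepted" is what makes the re-acceptance Trujillo describes formal.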
Given the growing complexities of enterprise architecture and the increasing reliance on web applications and extended networks to conduct routine business, effective vulnerability management depends on more continuous scanning and analyzing much larger volumes of data. Trujillo believes new tools are emerging to make this possible. “I definitely see a time where AI-assisted penetration testing is going to help companies do that continuous penetration testing,” he says. “Today I can’t afford to hire 1,000 hackers to bang on my environment. So we accept that risk to the degree that it is a risk.”

If it’s not feasible to hire an army of hackers, it’s also difficult and costly to analyze all the data their efforts would generate. And it’s not just data from continuous vulnerability scanning. There is also data from all the security and activity logs that are available for analysis. “Humans are the weak link,” says Trujillo. “But when you get to a place where machines can do it, it becomes feasible for a company to start moving toward that kind of continuous vulnerability testing and automating the prioritization of remediation. Now I can start aggregating all my data and logs into a data lake and have AI and machine learning start analyzing it.”

However, as you move to more automated, AI-driven tools for vulnerability scanning and analysis, you need to have a solid vulnerability-management program in place. “All your governance has to be in place, your policies and procedures have to be in place, because you have to know where it is you want the machine to look, and what you want it to look for,” Trujillo concludes.

KEY POINTS
1. To have effective risk management, there need to be standards around how risks are identified, how they’re ranked, and how they are either accepted or remediated.
2. As you move to more automated, AI-driven tools for vulnerability scanning and analysis, you need to have a solid vulnerability-management program in place.
TO MANAGE VULNERABILITIES EFFECTIVELY, DEFINE BUSINESS PRIORITIES AND IDENTIFY CRITICAL ASSETS

JAYESH KALRO
Jayesh Kalro combines a strong technical background with business-management skills. He has led regional technical teams from diverse backgrounds, and has experience working with North America, Latin America, Europe, and the Asian market. With proven ability in building high-performing teams, he feels at ease communicating with all levels of management both internally and externally.
Director, Global Practice, CA Services, CA Technologies

For Jayesh Kalro, vulnerability management comes down to clarifying business priorities. “Your business defines your set of priorities, and your data is the most important thing that you’re trying to protect. Where is that data stored? Those are your critical assets,” says Kalro, the director of global practice at CA Technologies. Many vulnerability-management tools provide you with a scanning tool that can serve as the starting point for identifying vulnerabilities and threats, but you really have to look at the vulnerabilities and enrich that data with threat intel sources and active exploits to assess your true risk posture. Identifying vulnerabilities is just the first step in managing your organization’s risk effectively.

Most businesses want to prioritize identification of vulnerabilities relating to external-facing business, financial data, or customer data. “You want to make sure that these areas are secure and that they are your highest priority for remediation,” he says. If you are using separate tools to aid in prioritization, then you will need to decide what is most important to the business and use that as your criterion. “In 99 percent of cases, businesses know that they want to protect their customer data,” Kalro explains. “Companies cannot compromise anything with respect to their customers because it directly impacts their business. No one wants to make headlines because of a breach associated with customer data loss.”

Successful vulnerability management also relies on strong processes. “How do you prioritize? How do you get that data and make sense of the data? I would say that having a strong process is something that a lot of organizations miss out on,” Kalro says. Smart vulnerability-management software can produce a report of key vulnerabilities to address, but from that point on resolution depends on proper internal processes. For example, one follow-up process would be to have that report automatically kick off a help-desk ticket and assign it to a security engineer or administrator who would fix the vulnerabilities, then close the loop by monitoring that the patch was implemented successfully and provide a dashboard of risk measurements to management.

Using vulnerability management tools that provide clear prioritization for patching specific assets that have active exploits can mean the difference between a job that is never done and an organization that is better protected with a reduced risk profile.
There are some ways that, in Kalro’s opinion, businesses can speed up the process of identifying and acting on vulnerabilities in their environment. “You can build a process to collect all of this information, and you could pretty much automate the whole thing as long as you have the right data available,” he says. Mapping the organization’s most critical assets and the vulnerabilities associated with them can go a long way toward helping a business prioritize effective risk management. The real value will be seen when you have visibility into active exploits that could directly impact assets critical to your business. This supports a clear path to prioritization of what to remediate first. Finding a solution that provides this level of detail eliminates much of the work that security teams currently tackle and never finish.
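Kalro's enrichment of scanner output with active-exploit intelligence and asset criticality, the prioritization model that "supports business criticality of assets" Morales calls for, and Lall's point that exposure likelihood and regulatory liability both belong in the ranking all reduce to one scoring function over the same inputs. The block below is an added example, not the scoring of any contributor or vendor on this page: it re-ranks constructed scanner findings by business risk and shows the scanner's own CVSS order being inverted. The weights, the regulatory uplift, the asset criticalities, the `VULN-*` placeholder ids (not real CVE numbers) and the threat-intel set are all assumptions.

```python
"""Re-rank scanner findings by business risk: severity x asset criticality, adjusted for
exposure, active exploitation and regulatory liability.

Added example; none of the contributors' or vendors' scoring. Weights, the regulatory
uplift and every asset, finding and identifier below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1..5, agreed with the business owner; a scanner cannot infer this
    internet_facing: bool
    regulated: Set[str]     # regimes whose fines apply if this asset leaks, e.g. PCI DSS, GDPR


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder ids, not real CVE numbers
    cvss: float             # the scanner's severity, 0..10


def business_risk(f: Finding, a: Asset, actively_exploited: Set[str]) -> float:
    """0..100. Severity and criticality set the base; the rest scales likelihood and cost."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= a.criticality <= 5:
        raise ValueError(f"bad input for {f.vuln_id} on {a.name}")
    score = (f.cvss / 10.0) * (a.criticality / 5.0) * 100.0
    if not a.internet_facing:
        score *= 0.6                      # internal-only: lower likelihood, same impact
    if f.vuln_id in actively_exploited:
        score *= 1.5                      # in-the-wild exploitation outweighs the base score
    if a.regulated:
        score *= 1.0 + 0.1 * len(a.regulated)   # fines and notification duties raise breach cost
    return round(min(score, 100.0), 1)


def prioritize(findings: List[Finding], assets: Dict[str, Asset],
               actively_exploited: Set[str]) -> List[Tuple[str, str, float, float]]:
    """(asset, vuln_id, cvss, business_risk), highest business risk first.
    A finding on an asset missing from the inventory raises KeyError: fix the inventory first."""
    ranked = [(f, business_risk(f, assets[f.asset], actively_exploited)) for f in findings]
    ranked.sort(key=lambda fr: (-fr[1], -fr[0].cvss, fr[0].asset))
    return [(f.asset, f.vuln_id, f.cvss, s) for f, s in ranked]


# Constructed inventory and scan output. The threat-intel set is the input that changes
# daily (Lall's point that likelihood is never settled); re-run prioritize() whenever it does.
ASSETS = {
    "ticket-api": Asset("ticket-api", 5, True, {"PCI DSS"}),
    "hr-portal": Asset("hr-portal", 3, False, {"GDPR"}),
    "build-agent": Asset("build-agent", 2, False, set()),
    "marketing-www": Asset("marketing-www", 2, True, set()),
}
FINDINGS = [
    Finding("marketing-www", "VULN-A", 9.8),   # top CVSS, but a brochure site
    Finding("build-agent", "VULN-B", 9.0),
    Finding("hr-portal", "VULN-C", 8.1),
    Finding("ticket-api", "VULN-D", 7.5),      # lowest CVSS, top asset, being exploited
]
ACTIVELY_EXPLOITED = {"VULN-D"}
```

Sorted by CVSS alone the queue reads marketing-www, build-agent, hr-portal, ticket-api; `prioritize(FINDINGS, ASSETS, ACTIVELY_EXPLOITED)` puts the 7.5 on the exploited, PCI-scoped ticketing API first at 100.0 and the 9.0 on the internal build agent last at 21.6. The multipliers are the part to argue about with the business owners, which is the conversation Morales and Lall both say has to happen; the structure (criticality from people, exploitation from intel, severity from the scanner) is the point.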
Kalro has seen a couple of organizations capitalize on automation to speed up their vulnerability-management processes. “Because they had the process laid down, they were able to react with more agility and speed,” he says. This process proved valuable at one company when a person was suddenly let go. The security team received a notification about that person’s termination and then simultaneously deactivated his access privileges across all the systems he had used. This process, which used to take days, was completed within a matter of hours, and the business was able to more effectively manage the risk of a potential insider threat.

It can be challenging for today’s businesses to manage the vulnerabilities in their environment, particularly if they are operating with lean resources and juggling multiple priorities. But by defining their most critical assets and the vulnerabilities connected to them and then automating the processes for managing those vulnerabilities, they can manage these risks far more effectively and thus better protect their organizations from the threats they face.

KEY POINTS
1. Businesses must first define their priorities in order to effectively manage vulnerabilities in their environment.
2. Automation can provide businesses with a powerful way to speed up their response time and react to threats with greater agility.
3. Understanding active exploits in your IT infrastructure provides a clear path to an improved cyber risk profile.