The shift to work-from-home (WFH) over the past year has prompted a logical shift in the vulnerabilities hackers target for exploitation, including Citrix’s Application Delivery Controller (ADC), reportedly for the first time. Though the data point is important, Recorded Future points out that often less than 1% of vulnerabilities have been weaponized within the past month or year. According to the report, “As such, it is imperative that security professionals know which vulnerabilities that impact a company’s technology stack are included in exploit kits, used to distribute ransomware, a remote access trojan (RAT), or are currently being used in phishing attacks”.
The report highlights the importance of security rationalization and validation: assessing and understanding which controls are working (and thus delivering the desired security) and which are not. Yet the security budget is an area of both potential overspend and underspend, and many companies have poorly optimized budgets. According to Mandiant, companies on average use only 25 percent of the full capacity of the tools in their security stack, resulting in significant waste and redundancies.
In a world of constrained budgets, security validation is critical for companies to:
- optimize security spend,
- improve cyber performance,
- decrease the likelihood of suffering an attack, and
- lower the downside financial risks associated with poor cybersecurity.
The report highlights the importance of directing security resources not just towards critical vulnerabilities in general but towards the vulnerabilities that pose the highest risks. This means limited staff time and money should be allocated to the highest-risk areas.
But how are ‘high’ risk issues defined? Defining them requires not just an internal security view but also an outside-in view: the view from outside the corporate network to the inside, through a CyFi® (Cyber-Financial) lens. Only a combined inside-out and outside-in view provides clear guidance on where to allocate resources for maximum security returns.