In the past several weeks the number of ransomware attacks led me to share a couple of articles related to cyber security on social media. The first article, "Is it time to drop "cyber" in security" discusses that cyber issues are not just “techie” problems limited to the IT department. Cyber security risks impact the entire organization and need to be part of an organizations overall risk and security programs. "How can we make the cybersecurity profession agile" discusses integrating Agile management practices in cyber security. The proliferation of ransomware and other malware targeting deprecated and unpatched software is a timely to consider both of these points.
The crippling effects of ransomware such as Petya and WannaCry on people and business worldwide has continued to make the mainstream news. I am certain this has been a hot topic in many boardrooms and C level executive suites.
The fact that patches for the vulnerabilities these attacks exploit were addressed by Microsoft and others long before the recent attacks demonstrates that many organizations lack effective patch management programs. The need to update software and replace EOL systems is a key theme in the recent executive order on Cybersecurity and Critical Infrastructure release by the White House.
One of the leading reasons organizations struggle addressing these vulnerabilities is the lack of clear guidance and policy on the matter from management. The expectation that the software products used to address system patching and maintenance will provide organizations with policies and procedures set organizations up for failure. Policy must come first. Products are simply the tools used to implement not provide your organizations policies. No tool is perfect, all products have their own vulnerabilities and shortfalls, but with clearly defined policies your organization can set reasonable and effective goals, develop contingency plans and metrics that can demonstrate the programs progress and value to your organization.
This is where I feel that the interview, Agile approach for delivering products and services is ideal. Start by targeting vulnerabilities that present the greatest strategic risk to your organization. When you have those under control, grow your program to address vulnerabilities representing lower risk to the organization or add efficiency. Minimizing the number software products permitted in your environment reduces the cost and effort required to patch and maintain your systems.
The Agile concept of reducing the amount of “Work in Progress” helps your team get the amount of work they need to get down each month to an achievable amount that delivers value. As your team accelerates, the amount of work accomplished increases. Develop a monthly cycle of sprints to evaluate, test, deploy, and remediate vulnerabilities targeting the risks that have been identified by your organization. Review the results of each month’s patch cycle, activities that resulted in waste are fixed or eliminated. Process improvements are fed into the next patch cycle to facilitate continuous, measured improvement so your program can adapt to meet your needs as they evolve and address risks to your orginization as they emerge.
