In cybersecurity, vulnerability management is crucial for safeguarding digital and physical assets against ever-evolving threats. Yet a fundamental soft skill is often overlooked: communication. How to convey vulnerabilities, collaborate on remediation and support stakeholders through the process will impact the effectiveness of security measures.

This blog will explore redefining vulnerability management by integrating empathetic communication. I define empathy as the ability to understand and share the feelings of another. Whether knee-deep in code or navigating the digital landscape from a non-technical standpoint, this blog promises insights and strategies to strengthen vulnerability remediation via communication.

The Current State: Unveiling the Challenges

Picture this: a typical vulnerability management program following a linear lifecycle path of discovery, assessment, prioritization, reporting, remediation and verification. It is a structured approach, but riddled with communication bottlenecks that impede efficiency.

One glaring issue that surfaces during remediation is the reliance on traditional methods of communication. Email attachments flooded with rows of vulnerability data and columns of unnecessary information inundate technical owners. The owners are then expected to decipher and act promptly. With excessive and often irrelevant information, this communication style turns a straightforward path into a maze, leaving stakeholders to navigate it alone. Can we truly expect optimal results when we burden stakeholders with such convoluted information?

Envisioning the Future: Empathy as a Catalyst

Now, looking towards a transformed vulnerability anagement landscape that bridges technical skill with human connection. But what does empathic communication entail? I will break down Optiv’s approach into the four pivotal components shown in the diagram below: refinement, engagement, understanding and sustainment.

Image

Component 1: Refine – Ensuring Clarity and Relevance

Refinement in vulnerability management goes beyond data cleansing. It’s about ensuring that every piece of information – data or documentation – is clean, relevant, homogenized and categorized. This approach enables users to derive meaningful insights and pinpoint discrepancies with ease.

Impact on Vulnerability Management Lifecycle

From a VM perspective, the importance of refinement cannot be understated. Without clean and relevant data up front, every subsequent step in the lifecycle risks being ineffective. Simplifying the data shared with technical owners is paramount, as well as ensuring that it is easily digestible and actionable.

Here is a real-world example to illustrate this point.

In consulting with a client to enhance their security configuration controls on middleware technologies, I encountered a situation where overly complex communication methods hindered the remediation process. This process involved extracting an Excel document from Qualys, creating a ticket and sending an email to the technical owners to notify them a ticket was open and needed to be completed within a month. However, the document was over 40 columns long, making it overwhelming for the technical owners. The issue was not the process of extracting the document and creating a ticket, but rather the lack of refinement and communication. The vulnerability analyst did not effectively communicate the essence of the request and failed to clean up and refine the Excel document. This resulted in technical owners being confronted with an overwhelming and disorganized set of data, leading to ignored tickets and a lack of remediation work.

Stakeholder Perspective

From the perspective of technical owners, the consequences of inadequate refinement are profound. In the example above, the cumbersome communication processes led to a breakdown in trust and effectiveness. Technical owners felt overwhelmed and lacked clarity on who to contact for questions or clarification. Without a clear understanding of priorities and responsibilities, remediation efforts were often ignored or sidelined.

To help clearly define what remediation needs to occur and why it should occur, technical owners would like to see the following information within a ticket:

1. Asset Information: The specific asset that the vulnerability was found on, including its name and IP address
2. Vulnerability Title: A clear title or name of the vulnerability for ease of reference
3. Severity Level: The severity of the vulnerability, indicating its criticality and urgency
4. Results: Findings from the VM scanning tool indicate the asset is vulnerable
5. Solution: A detailed description of the remediation steps or solution needed to fix the vulnerability

Additional Factors to Strengthen VM Lifecycle Within Refinement

Define Roles and Responsibilities: Implement a RACI (responsible, accountable, consulted, informed) chart to clarify roles and responsibilities—not only within the VM team, but also for the Information technology (IT) team. This ensures that everyone understands their role in the remediation process and knows who to contact for specific actions.

Review VM Documentation: Regularly review VM procedure documentation to ensure alignment with the remediation process. Solicit feedback from technical owners to identify areas for improvement and update procedures based on continuous learning and evolving best practices.

Asset Discovery and Categorization: Ensure comprehensive asset discovery and categorization to provide a clear picture of the environment. Identify ownership of assets to expedite remediation efforts and prioritize based on the criticality of both the asset and potentially the vulnerability. This process ensures that when vulnerability analysts engage with technical owners in Component Two, they understand the assets being scanned and can confirm the correct ownership. This reduces miscommunication and ensures that remediation requests are directed to the right stakeholders, minimizing wasted time.

Component 2: Engage – Encouraging Comprehension and Collaboration

Engagement is about fostering understanding, empathy and collaboration. Engagement can help bridge the gap between vulnerability management and practical implementation. This involves participating in conversations, empathizing with other perspectives, understanding their experiences and responding accordingly.

Impact on Vulnerability Management Lifecycle

Imagine identifying a critical vulnerability and emailing the information to the technical owner requesting remediation. What might appear to be a straightforward fix – such as updating a registry key or applying a security patch – can present significant complexities that the technical owner must resolve.

The research conducted before sending and requesting remediation is crucial. Diving deeper into each vulnerability allows us to craft a narrative that helps illustrate the broader implications, articulating the “what” and the “why” behind the remediation effort.

To articulate vulnerability data and reasoning effectively to technical owners, VM analysts can adopt strategies such as:

1. Tailor Communication to the Audience: Avoid jargon and technical terms that may not be familiar to the technical owner. Use simple, clear language to explain the vulnerability and its potential impact.
2. Contextualize the Vulnerability: Clearly describe the vulnerability, how it works and why it poses a risk. Emphasize the potential business impact of not remediating the vulnerability.

Stakeholder Perspective

One of the biggest frustrations reported by technical owners is the constant change in direction from vulnerability managers or a lack of structure regarding remediation priorities. Frequent adjustments to SLAs, changes in how applications and assets are categorized and shifting priorities make it difficult for technical owners to focus their efforts effectively.

Challenges Technical Owners Face:

1. Lack of Visibility: Owners have no efficient way to check the status of their remediation work and often must wait weeks for feedback unless they request ad-hoc scans.
2. Overwhelming Workload: Additional work requested by VM analysts on top of the current tasks a technical owner deems a priority can lead to technical owners feeling overwhelmed. It’s important for an analyst to identify how your request can impact their workload and to find a middle ground that meets both of your needs while adhering to the SLA policy adopted by the organization.
3. Miscommunication: Without clear and consistent engagement, technical owners are left unsure of where to focus their efforts, leading to inefficiencies and frustration.

Building trust and maintaining open lines of communication will help better understand the issues that technical owners face. This understanding is crucial for the next phase while collaboratively identifying and addressing barriers to remediation. Effective engagement ensures that technical owners feel supported and understood.

Additional Factors to Strengthen VM Lifecycle Within Engagement

Asset Discovery and Categorization: Ensure clarity in asset ownership, criticality and decommissioning processes to prevent inaccuracies in vulnerability data and facilitate effective communication amongst different business units.

Data Aggregation and Correlation: Establish mechanisms for aggregating data from vulnerability scanners, asset management tools and threat intelligence feeds. Implement quality control measures to ensure the integrity of vulnerability data and enhance decision-making capabilities. By aggregating data, VM analysts can avoid opening duplicate ticket requests on vulnerabilities identified. This approach allows you to provide richer and more complete information to stakeholders by aligning multiple sources to validate your findings. Additionally, it helps to prioritize remediation efforts more effectively by confirming the urgency and criticality of the vulnerabilities through corroborated data.

Prioritization: Develop risk-based approaches for prioritizing vulnerabilities and communicate prioritized vulnerabilities to technical owners clearly and consistently. Regularly reassess and readjust prioritization based on evolving threat landscapes and business priorities. Additionally, allow technical owners to request small extensions via an exception process to accommodate other business initiatives. Provide sufficient information to enable the business to quickly and easily conduct a risk/cost analysis on how fast a vulnerability should be remediated. Effective prioritization should consider the workload of the stakeholder, ensuring that actions are better aligned with both security needs and business operations.

Component 3: Understand – Promoting Mutual Insight and Support

Understanding entails genuinely empathizing with challenges and viewpoints others have. This requires being attentive, open-minded and responsive to the concerns and needs of all vulnerability management stakeholders.

Impact on Vulnerability Management Lifecycle

From a vulnerability management perspective, a primary responsibility is to prepare thoroughly and request remediation actions from technical owners. This task can be challenging, especially when held accountable for delivering results in monthly reports to managers and directors.

Being on the vulnerability management side during this phase can be particularly frustrating when technical owners do not follow through on remediation requests. Vulnerability engineers and analysts often find themselves in a position where they need to persuade and collaborate

There are a few key strategies to keep in mind during this phase to help navigate these challenges:

1. Adaptability: Adapt the approach based on the situation and be prepared to adjust the strategies as needed.
2. Communication: Understand and respect how different technical owners prefer to communicate will reveal various methods – from highly responsive individuals to those who may not fully align with the objectives or prioritize their tasks over requests received.
3. Relationship Building: Invest time in building strong relationships with technical owners. Understanding their perspectives and constraints can improve communication, making them feel supported and understood.
4. Empathy and Patience: Recognize that technical owners have their own pressures and workloads. Approach interactions with empathy and patience, aiming to collaborate rather than confront.

A common scenario encountered as a consultant involves identifying a critical vulnerability that need to be remediated within seven days. When approaching technical owners about the urgency of remediating this vulnerability within the specified timeframe, the feedback often includes concerns about other pressing work under tight timelines. Technical owners may indicate that they will not be able to remediate the vulnerability within the SLA that the organization has adopted as a policy. While analysts cannot change the policy, they can provide insight and support to help address the risk to the business.

Strategies for supporting technical owners in these scenarios can include:

1. Risk Exception Form: If remediation within the SLA is not feasible, consider assisting the technical owner with filling out a risk exception form. This can expedite the process and ensure the business understands the risk. Some ways to support this could be: co-filling the form, automating the risk exception process where technical owners can request an exception by pressing a button on the ticket and providing the necessary information to fill out the risk exception form by themselves.
2. Business Unit Decision: Emphasize that it is up to the business unit impacted by the vulnerability to decide whether the technical owner’s current work is more pressing than remediating the vulnerability.
3. Highlight the Risk: Clearly articulate the potential impact and risk associated with the critical vulnerability. Providing detailed risk assessments and potential consequences can help business units prioritize appropriately.

Stakeholder Perspective

Technical owners often face significant challenges when tasked with remediation work, particularly when priorities are unclear or communication channels are inefficient. It is common for technical owners to perceive remediation tasks as additional work that may not seem urgent, leading to miscommunication and frustration.

For instance, in my experience collaborating with technical owners to prioritize vulnerabilities for remediation, numerous issues were encountered due to a lack of communication from management. One scenario involved the adoption of the latest version of the CIS CSC security framework, which was not effectively communicated to the technical owners. During this gap analysis, the process required evaluating each OS system to identify the hardening controls recommended by the new framework that the organization should adhere to. This involved a review of each control, determining whether it should be adopted based on several factors such as the presence of more secure existing controls, infrastructure limitations or the need for risk exceptions for legacy operating systems. Conducting this analysis could take several hours per OS, requiring technical owners to dedicate significant time to walk through each control, discuss its relevance and decide on its adoption.

For controls that the organization decided not to adopt, we had to document the reasons for auditing purposes, adding to the complexity and length of the task. Despite the cumbersome nature of this process, it was vital for the organization as security configuration management plays a crucial role in identifying and mitigating vulnerabilities. Effective security hardening can sometimes offset the inability to remediate certain vulnerabilities directly.

The lack of prior communication about the new framework adoption made this task challenging. Most technical owners were unaware of the change and the new requirements, leading to prolonged discussions and delays in completing the tasks

Here are three important strategies that managers and vulnerability analysts can implement to ensure effective communication and understanding:

1. Early Communication and Documentation: Notify technical owners in advance about the gap analysis needing to be conducted, providing detailed documentation of the CIS CSC framework and specific controls to be reviewed. Doing so, you demonstrate an understanding of their need for preparation time and respect their existing workload.
2. Clear Agenda and Timeframes: Share a meeting agenda outlining key discussion points and agree on a realistic timeframe for completing the analysis. Setting clear deadlines shows empathy for their scheduling constraints and ensures everyone is aligned, which helps prevent misunderstandings and frustrations.
3. Training: Conduct briefings and offer training sessions to familiarize technical owners with the new

Additional Factors to Strengthen VM Lifecycle Within Understanding

Define Remediation Process Workflow: Ensure that any alterations or enhancements to the remediation process are clearly articulated to all stakeholders, fostering clarity and alignment across the board.

Prioritization of Patching: Establish a clear and consistent method for prioritizing patches based on the severity of vulnerabilities and the potential impact on business operations.

Communication of Patching Timelines: Communicate patching timelines and schedules to all relevant stakeholders, including technical owners, management and end users. Transparency in timelines helps manage expectations and reduces frustration.

Alternate Mitigations: Establish contingency plans for scenarios where traditional patching is unfeasible and devise a systematic approach for addressing exceptional cases that demand further attention.

Component 4: Sustain – Ensuring Continuous Improvement and Trust

Sustainment in vulnerability management involves ensuring continuous improvement in remediation efforts by establishing clear communication schedules, maintaining them and fostering trust to sustain program longevity.

Impact on Vulnerability Management Lifecycle

In the sustainment phase, critical questions must be asked to ensure continuous improvement in vulnerability remediation efforts.

1. Is there an improvement in meeting SLAs?
2. Are too many risk exceptions being received? High numbers of risk exceptions could indicate that technical owners either do not understand the importance of remediation, have an overwhelming workload or face more complex remediation challenges than anticipated. This may require determining if initial research on a vulnerability was thorough enough to account for these difficulties.
3. Seek feedback from technical owners – what is working and what is not?

Answering these questions will help sustain the progress and relationships developed, ensuring a robust vulnerability remediation lifecycle.

Stakeholder Perspective

In the sustainment phase, it is crucial to engage with technical owners by asking targeted questions that help evaluate and improve the remediation process. Here are some key areas to focus on:

1. Validation and Success: Do technical owners feel validated and successful in their remediation efforts and their relationship and communication with the vulnerability management team? This feedback helps reassure analysts about their contributions and highlights areas for improvement.
2. Impediments to Remediation: What challenges are technical owners facing that impede their ability to complete remediation tasks? This question helps identify whether they need additional support or resources to be more effective.
3. SLA Feedback: Are the current SLAs too tight? If technical owners find the SLAs unrealistic due to the complexity of testing and implementing patches, it is essential to communicate this feedback. The organization may need to re-assess and potentially adjust the SLAs to align better with real-world constraints.

Fostering open communication, by asking these critical questions, will ensure both parties work collaboratively to mature the remediation process over time. Continuous feedback from technical owners is essential to refining the program, enhancing relationships and ensuring sustained success in vulnerability remediation.

Additional Factors to Strengthen VM Lifecycle Within Sustainment

Measure Program Efficacy: Establish metrics to measure the efficiency of the VM program. Assess the current state of the remediation process and track progress over time to identify gaps and areas for improvement.

Reporting: Does the organization produce reports to validate remediation progress? Describe the metrics used, the frequency of these reports and how it is documented either via third-party intelligence tool, Excel or PDF reporting.

Stakeholder Reporting: Identify the stakeholders who receive these reports and how often the data is reported. The target audience may include technical owners, IT management and executive leadership.

Feedback Mechanism: Establish a feedback mechanism for technical owners and other stakeholders to provide input on the remediation process. This can help identify areas for improvement and foster a sense of ownership and collaboration.

Testing Procedures: What are the standard testing procedures for validating that vulnerabilities have been effectively remediated? Describe the process to ensure that technical owners are confident their remediation efforts are successful.

Document Lessons Learned: After completing remediation efforts, document lessons learned and best practices. Share this information with all stakeholders to improve future vulnerability remediation activities.

Use of Automation: Leverage automation tools to streamline the vulnerability remediation process, including vulnerability scanning, patching deployment and reporting. Automation can help reduce the manual workload and improve efficiency.

Conclusion

Incorporating empathetic communication into vulnerability management is a vital enhancement for building a robust and sustainable cybersecurity program. By bridging the gap between technical intricacies and human collaboration, organizations can foster an environment of trust, clarity and efficiency. Refining data to ensure relevance, actively engaging with technical owners, understanding and addressing their challenges and sustaining improvements through continuous feedback is key to enhancing vulnerability remediation efforts.

Utilizing an empathetic approach improves the efficiency of technical solutions and strengthens relationships across teams. Ultimately, valuing the human element in cybersecurity strategies enables organizations to build more responsive and resilient systems, capable of adapting to and defending against the ever-evolving threat landscape. By prioritizing empathetic communication, we can transform vulnerability management into a proactive and collaborative effort.