(Image: Sedum ground cover)

Too often business managers see reported vulnerabilities and either overreact to them or get paralyzed by the quantity of vulnerabilities. Instead, it’s important to understand whether a given vulnerability represents a risk that is worth addressing.

Don’t Get Lost In The Vulnerabilities

The lockdowns found me in my garden more. One of the things I learned over those couple of years was that I started out intently focused on the annoyance of weeds – pulling them, pouring boiling water on them when they popped up in the cracks of my driveway, generally trying to kill them. But at some point my focus shifted and I began to see the whole yard – I especially noticed where different plants thrived or failed to. I moved things around. Happy, healthy plants – including working on achieving thicker ground covers (like that sedum pictured) – look beautiful while making the conditions less hospitable to weeds.

Vulnerabilities, which include unpatched software and misconfigured systems, can be thought of like weeds. They look bad. They might overrun the place. These vulnerabilities may represent potential breaches and the possible loss of your business’ data.

  • A vulnerability is equivalent to a weakness
  • A threat is a potential danger that exploits the weakness
  • A risk is the likelihood and impact of the threat exploiting the vulnerability

But to equate a vulnerability and a risk is akin to mistaking an unwanted weed for a months-long drought. This vulnerability and risk miscalculation is common and can lead to serious problems, because you’re not allocating your resources where they will do you the most good.

A Fuller View Than Just Identifying Vulnerabilities

Automated assessment software alone can point out network vulnerabilities. It can also lead to either a false sense of security when you address some vulnerabilities – like you buy a new weeding tool while the failing sprinkler system goes unaddressed – or a feeling of being overwhelmed by the number of found vulnerabilities and so you do not act.

These automated tools are helpful in identifying potential problems, but lack any kind of nuanced understanding that’s needed to address the scope of the threats. To solely rely on software pronouncements is to often miss the big picture.

Risk assessment requires human judgment: the ability to interpret the vulnerabilities and assess the potential damage they could cause to the overall health of your organization. A risk assessment needs the guidance of someone who understands the interconnectedness of your business’ network, is able to anticipate credible threats, and can help you bring about a solid defense posture.

Lean On Tested Guidelines Like NIST (National Institute of Standards and Technology)

To promote a secure digital environment, follow established best practices, the methods perfected by experienced risk assessors. For example, Bryley risk assessors follow the NIST SP 800-30 Guideline for Conducting a Risk Assessment to guide organizations through the complex task of safeguarding their digital assets.

NIST states in its Cybersecurity Framework that the goals of a risk assessment are:

  • Identify: Recognize the vulnerabilities that could compromise your organization’s defenses.
  • Estimate: Assess the potential impact each vulnerability could inflict on the overall health of the organization.
  • Prioritize: Organize how you will mitigate these vulnerabilities based on their potential impact, so you address the most critical threats first.

A NIST-guideline risk assessment is designed to answer the following vital questions:

  • What are your organization’s key IT assets?
  • What type of data breach would have the most significant impact, a devastating blow that could cripple your operations?
  • Who are the potential threats, the malicious actors seeking to exploit your vulnerabilities?
  • What are the internal and external security vulnerabilities, the weaknesses in your defenses that could be breached?
  • What would be the impact if any of these vulnerabilities were exploited, the potential consequences of a successful attack?
  • How likely are these vulnerabilities to be exploited, the probability of an adversary trying to breach your defenses?
  • What cyberattacks or security threats could impact your business’ ability to function, disrupt your entire organization?

By coming to a true understanding of the complex factors of their computer systems, organizations can get beyond a simplistic identification of vulnerabilities and do the work of building a robust and resilient network. Mitigating the true risks can then help you prevent or reduce security incidents, which in turn can save your business a significant amount of money and spare it the reputation damage that often accompanies a breach.

Compliance Requires A Risk-Based Defense

Many regulatory bodies require a risk-based approach to security. Risk assessment is the basis for a formidable defense against cyberthreats, and it is therefore a requirement for compliance with regulatory standards like HIPAA, GDPR and PCI-DSS.

What You Can Expect

When you contract Bryley for a risk assessment, a qualified assessor will follow these steps:

  • System Characterization: Understanding the scope and boundaries of the system being assessed, including the identification of assets, data, personnel, and other relevant factors.
  • Threat Identification: This includes unauthorized access, misuse of information, data exposure and loss of data.
  • Vulnerability Identification: A detailed look into your network’s attack surface.
  • Control Analysis: This is an examination of your current defenses and an analysis of their performance in mitigating identified risks.
  • Likelihood Determination: An analysis that shows the probability of an identified threat exploiting an identified vulnerability.
  • Impact Analysis: If the threat exploits the vulnerability, what will be the harm?
  • Risk Determination: Combining the results of the Likelihood Determination and the Impact Analysis to calculate levels of risk.
  • Control Recommendations: Based on the risk data, what are the mitigating factors to address?
  • Documentation: A comprehensive report of the process, results and recommendations.
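As an added illustration of the Likelihood Determination, Impact Analysis and Risk Determination steps above (and of the definition of risk earlier in this article), the following Python script is example code, not part of Bryley’s process or the original article. Its five-level scale and likelihood-by-impact matrix are assumed here after the qualitative tables in NIST SP 800-30 Rev. 1 Appendix I, and the findings are constructed; it shows a “Critical” scanner finding ranking below two “Medium” ones once likelihood and impact are taken into account.

```python
from dataclasses import dataclass

# Qualitative levels, lowest to highest (assumed scale, after NIST SP 800-30 Appendix I).
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk level for each (likelihood, impact) pair. Assumed here after the
# likelihood-by-impact matrix in NIST SP 800-30 Rev. 1, Appendix I;
# rows are likelihood, columns are impact, both ordered as in LEVELS.
RISK_MATRIX = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
    "Low":       ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
    "Moderate":  ["Very Low", "Low",      "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low",      "Moderate", "High",     "Very High"],
    "Very High": ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}

@dataclass
class Finding:
    asset: str
    vulnerability: str
    scanner_severity: str  # what the automated tool reports
    likelihood: str        # result of Likelihood Determination
    impact: str            # result of Impact Analysis

def risk_level(likelihood: str, impact: str) -> str:
    """Risk Determination: combine the two assessments into one level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def prioritize(findings):
    """Order by assessed risk (highest first), not by scanner severity."""
    return sorted(findings,
                  key=lambda f: LEVELS.index(risk_level(f.likelihood, f.impact)),
                  reverse=True)

# Constructed sample findings (hypothetical assets, not real systems).
FINDINGS = [
    # Isolated lab VM with no business data: a weed, not a drought.
    Finding("lab-vm-07", "Unpatched operating system", "Critical", "Low", "Low"),
    # Internet-facing server holding customer records.
    Finding("web-01", "Outdated TLS configuration", "Medium", "High", "High"),
    # Internal file server with sensitive documents.
    Finding("fileserver-02", "Missing security patches", "Medium", "Moderate", "High"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        level = risk_level(f.likelihood, f.impact)
        print(f"{level:9} {f.asset:14} {f.vulnerability} (scanner: {f.scanner_severity})")
```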

A risk assessment can bring your organization peace of mind because it separates legitimate risks from vulnerabilities that are less likely to cause harm, so that you can have a plan to fix those things that could lead to the greatest potential damage. Is a risk assessment right for your organization? It requires more of an investment than a software-only-generated vulnerabilities list, but it is the sensible starting point for a cybersecurity improvement program. How will you know what’s worth spending your cybersecurity and network-development resources on without a proper assessment of your as-is risk state?

To begin to find out if a risk assessment is right for your organization, consider a complimentary 15-minute consult with Roy Pacitto, or contact Roy at or 978.562.6077 x2.