If you’re reading this, congratulations, you survived not only a global pandemic but also compromises of both the world’s most widely-used corporate email system and the infrastructure pipeline that energizes half of the United States. Seriously, take a deep breath and give yourself a pat on the back; we’ve been through a lot in a very short time. Ahhhhh...
Ok, now that you’ve exhaled the ick from our recent past, it is indeed time to move on, but not before we slide in a little dose of cold, hard truth. Yes, the pandemic is subsiding, but the threats to our infrastructure are only going to increase as more and more aspects of our lives rely on technology to function and support our society at scale.
As the recent attack on Colonial Pipeline proved, technology is so deeply ingrained in our lives that we simply are not wired to care about it or even notice its stranglehold on our day-to-day activities. In the same way we don’t count our breaths, our heartbeats, or our eye blinks throughout the day, our critical technology infrastructure is just “there” doing its thing and keeping us going.
As the old saying goes, “out of sight, out of mind,” and that couldn’t be more true for the connected technology that keeps the gears of our society and economy turning. In this case, we’re not talking about the touchy-feely gizmos like your iPhone or your pocket-sized drone that get all the “whiz-bang” headlines and consumer attention. We are talking here about the digital pipes, knobs, and switches that underpin all of that technology behind the scenes. You know, the boring stuff. And therein lies problem number one: our technology that is most under threat is equal parts boring, vital, and invisible. We can’t see it, so we don’t pay attention to it, and yet, it’s critical to life as we know it.
The second problem with our infrastructure technology is slightly more nuanced than the first, but it gets to the core of human behavior: we don’t talk about our vulnerabilities. Admitting our weaknesses is a skill that most of us are reluctant to learn. Exacerbating this endemic challenge are the facts that many of our world’s most critical technology vulnerabilities are already in the public domain and that an organization’s own technology footprint often sprawls programmatically — like a virus — without the organization ever noticing. Thus, not speaking about our vulnerabilities is essentially ignoring real problems and allowing them to self replicate. That’s a problem. Let’s fix that.
Normalizing vulnerabilities and socializing their existence internally is literally the first, easiest, and most practical step in building the elusive “culture of security” that CISOs and security professionals have been preaching from the rooftops for years. After all, vulnerabilities are just the technical exhaust released by a growing enterprise and not some stigmatized deformity that only affects one in a million unfortunate souls.
We should acknowledge and frame our technical vulnerabilities simply as work that needs to be done and then we should just do the work. That’s how companies function. And just like a rising star coming up through our own corporate ranks, if we don’t do the work now, threat actors will eventually emerge to capitalize on our apathy. Quite simply, talking about our vulnerabilities is how we start to address, prioritize, and remediate risks to our organizations.
Imagine you’re standing at the watercooler and Bob from IT walks up and kicks off a casual conversation with “Hey, did you know our version of Microsoft Exchange just had a CVE issued on a new zero-day threat?” You don’t need to be in security or IT to know that this comment has something to do with risk to your organization and email. Maybe you engage him on this if it’s of interest to you, or maybe you change the subject, but whatever the case, it was brought up in your normal conversation.
Now, imagine that you just had that conversation with Bob and you’re back at your desk when an email shows up with a link from a customer to update your company’s banking information so you can get paid. The email stands out because you don’t usually get emails from customers looking to pay you.
You remember your conversation with Bob.
You recall something about email and threats.
You ping Bob.
It’s a phishing email.
If you enter your banking information, thieves will make off with the money in your bank account.
You report the email.
Bob socialized your vulnerabilities.
You and Bob saved the company.
You and Bob are heroes.
This casual conversation scenario is easy to imagine both in practice and in efficacy, but in today’s world of sprawling technology and shadow infrastructure weighing you down with unseen risks, it’s the vulnerabilities themselves that are actually hard to discover and manage at scale. Every organization today has assets online that are public and discoverable by threat actors probing them, looking for vulnerabilities. The sooner and more frequently your organization identifies these vulnerabilities and takes action to remediate them, the less likely it is that exploits and threats against them will materialize.
Your normal, one-on-one conversation with Bob resulted in a good outcome for your organization from you recognizing a risk before it became a threat. Now imagine the outcome of 1,000 yous having normal conversations about vulnerabilities with 1,000 other Bobs every day.
We built Coalition Control to give every person in every organization the ability to see and socialize their vulnerabilities. With free Automated Scanning & Monitoring, anyone in your organization can instantly see and monitor where your organization has assets, see if and how they might be vulnerable, and learn what steps to take to remediate any risks. Once you’ve signed up with just your business email address, you can even invite others to join you on the platform so they can see and start to socialize your vulnerabilities, too. This is how good cybersecurity becomes great.
At Coalition, we believe security is a team sport. Any success in the game is achieved only by the combined efforts of many, and when it comes to vulnerabilities, talking openly about them with your teammates is the first and most important step in a winning strategy for controlling risk, together.