
The soft underbelly of Vulnerability Management is people. For those in the trenches, the kindred spirits working shoulder to shoulder, there is little acknowledgment save the unspoken satisfaction of mitigated vulnerabilities before the next wave comes crashing ashore.
It is a daunting prospect to consider the work created by a short-term, let alone a long-term, lapse in diligence toward your Vulnerability Management practice. Inevitably, a sobering realization sets in. Success in this endeavor means mitigating vulnerabilities faster than they are discovered.
This is the proverbial fork in the road. Do you acquiesce, silently admitting defeat, and come to see yourself as a victim in some cruel game of cybersecurity cat and mouse, or do you take stock of your situation, adopt a solutions mindset, roll up your sleeves, and get to work?
My recommendation is the latter. Defeat, silent or otherwise, is not within me—at least not for long. Cultivate your humility, let it guide you. Realize that no one knows everything. There is nothing wrong with asking questions, and pretending to be an authority doesn’t really work.
If you have an Information Security (InfoSec) support program, I strongly encourage you to seek them out and embrace a partnership with their internal Vulnerability Management team. By partnership, I mean a collegial collaboration with common purpose—a mutually beneficial teaming with shared outcomes.
The value of the trust that will develop between you and your InfoSec SME team through forthright and earnest effort toward common goals cannot be overstated. These relationships will sustain you in your cybersecurity efforts—and career—in ways that you cannot predict.
Trust factors into Vulnerability Management in many ways. Let’s say a plugin fires erroneously and you have done your due diligence. You followed the documentation, validated the conditions, even read the NASL script, and firmly believe you have a legitimate false positive.
Let’s be clear. When InfoSec hears “false positive”, the Aesop fable about crying wolf may well be operative on some level. However, because of your willingness to partner with them, having done your homework, and approached them collegially and with humility, you now have an audience where you might not have otherwise.
Right or wrong, regardless of your experience level, you are now regarded as a credible practitioner worthy of consideration. Your InfoSec team will likely look at your evidence with an open mind because you are being sincerely consultative rather than confrontational and playing the victim.
Over time, after having navigated many similar instances, the camaraderie shared with like-minded people can transform any fears, doubts, or worries you may have had into real Vulnerability Management expertise, and eventually into the honor and reputation of a trusted advisor.