

29 Jul 2024

Building Resilience in Cyber Through Community

Advanced Cyber Defence Systems Stand: P21
By Elliott Wilkes, CTO at Advanced Cyber Defence Systems (ACDS)

In a world where the perimeter of ‘secure’ is always shifting, many cybersecurity leaders are working to build resilience against the unexpected changes and challenges that crop up. In cybersecurity, resilience is determined by an organisation’s ability to prevent, withstand, and recover from incidents. It is hard to carry that burden as individuals, though, especially in an industry rife with burnout and machismo. It’s true what they say: we are stronger together.

Cybersecurity incidents are rising sharply. Recent research, for example, has found that over a third of organisations experienced three or more data breaches in the past 24 months. With attacks set to rise as the technology available to attackers becomes more sophisticated, now is the time for the community to come together and make the world more secure. But where to start? One answer may lie in standardising vulnerability scoring globally.

The Pitfalls of Proprietary Scoring Systems

At present, many vendors rely on proprietary scoring systems to classify vulnerabilities; in some cases the scoring system is even the product’s USP. These systems, while often useful, are clunky, and they also stop us measuring vulnerabilities on a level playing field, which leaves a fragmented understanding of the cyber threat landscape. Consolidating these separate scoring systems into one independently validated, standardised approach is not only important for the wider community but imperative for security. Standardisation in cybersecurity is not a new concept, but it is becoming a more crucial part of building resilience.

It is imperative that we equip CISOs, IT teams, and end users with models that rank and score vulnerabilities like for like, so that they can make informed decisions. This cannot, however, be led by just one organisation.

Supporting Government Led Schemes

A standardised scoring system, rather than vendor-specific scores, helps people understand vulnerabilities within and across organisations, with greater and broader support behind it. That builds awareness and cyber literacy across end-user organisations. Ideally, these standards would be verified, if not pioneered, by government, alongside cyber vendors, non-profits, and other organisations.

Historically, many standards have come out of government. A recent example is the UK government’s Secure by Design pledge, of which we were proud early adopters. By coming together as an industry, alongside governments, to build resilience, we can create a common baseline for security.

The Complexities of Standardisation

Of course, it is not as easy as saying ‘we need a system’ and hoping one materialises. Creating a meaningful, robust standardised system takes years. It would combine the principles of open source, but go beyond them: these would be standards, and standards need a robust comment period. Getting people to agree on a set of benchmarks, having them independently reviewed, and running them through governments takes time. Ideally, the result would be used across verticals and even countries. It is a big task for an already stretched industry, and it would require consortiums.

We do need a common framework for measuring vulnerability severity, but it is unrealistic to distil it into a single score for all industries. What is severe for one industry or company may have no real impact on another. Instead, we should embrace that complexity. Vulnerabilities are a moving picture, and it is dangerous to oversimplify.

Many organisations, moreover, focus solely on meeting already established compliance standards. No IT team is begging for more standards to comply with, and we must not forget that ‘compliant’ is not necessarily ‘secure’. Compliance also often leads people to focus on the wrong things when it comes to security. Instead, we should strive for a common framework, with agreed guidance, that allows for detailed and contextual understanding: setting a benchmark while recognising the intricacies involved.

Vulnerability Scoring

Vulnerability scoring is complex even before the proliferation of scoring systems is taken into account. It requires an understanding of context and the flexibility to adapt to different situations, and education is a key component too, because those using the system need to be empowered by it. What is a critical vulnerability for one industry or company may not affect another. EPSS, the Exploit Prediction Scoring System, which estimates how likely a vulnerability is to be exploited in the wild rather than how damaging it would be, is a good example of what this looks like in practice.

Equally, flagging vulnerabilities is crucial for the community because it helps others protect themselves proactively. With a standardised system behind them, leaders can understand how to prioritise remediation.

Community: At the Core of Cyber

There’s a proverb that says: "If you want to go fast, go alone. If you want to go far, go together". This is especially true of the cybersecurity community. It’s important that the industry, no matter the vertical, vendor, or government, comes together to protect, bring awareness and build better security.


About Elliott Wilkes, CTO of ACDS

Elliott is a technologist with over 15 years of experience in some of the largest and most complex organisations in the world. He has led large technology efforts across the globe in Europe, Africa, the Middle East, and the US. He’s served as an advisor and technology leader at the White House, US Department of State, the US Department of Defense, United Nations, and UK Ministry of Defence, among others. Most recently, he’s been an advisor on cyber security at some of the highest levels of the US and British military and civilian leadership.
