7 Stages of Vulnerability Assessment Grief

26 May 2018 · Cyber Security for Businesses

About the 7 Stages of Vulnerability Assessment Grief

After performing vulnerability assessments for organizations of all types around the world, we’ve seen the seven stages of vulnerability assessment grief play out time and time again. Publicly-traded and heavily-regulated organizations grow numb to audits and assessments after a while. However, the process is quite shocking for many people that have never received one before.
  1. The first stage, Ignorant Confidence, varies a bit. Some organizations call us after they’ve already been attacked; others call when they want to validate their strong controls. Few really understand the depth or number of their vulnerabilities.
  2. The second stage occurs even with the most audited organizations. Virtually all our clients — from Silicon Valley start-ups to governments and Fortune 50 companies — are shocked at how easy our assessments are during the assessment period. We’ve worked hard to automate the process and make life as easy as possible for you.
  3. Unfortunately, the amount of relief in the second stage is usually proportional to the amount of denial we see in phase three. Because the reviews were so painful, when we go over the initial vulnerabilities that we identified, our clients’ jaws drop. The sad reality is that unless an organization has a dedicated information security resource or contracts a managed security service, there are usually a lot of ways to break in. It’s not unusual for us to be able to obtain passwords for a third of employees or gain direct database access to critical systems from the Internet, for example.
  4. We understand the fourth phase of Anger and Bargaining. As automated attacks increase and hackers target small businesses (research shows that as much as 70% of attacks target small businesses), everyone has to up their game. Fortunately, a few small tweaks can quickly eliminate hundreds of vulnerabilities. For example, a Lavawall can quickly resolve a lot of vulnerabilities for sensitive systems that hold customer data or process credit cards.
  5. Sometimes, we’ll give a bit of time for the Anger and Bargaining to relax into the fifth stage of Acceptance and Planning. We don’t leave our clients hanging. We provide prioritized and detailed recommendations to remediate the vulnerabilities that we identified. We also provide managed security services that give direct assistance in fixing the issues and follow up on remediation, although this means that we can no longer perform independent audits for organizations that choose to subscribe to that service.
  6. That brings us to the sixth stage of Relief. It can take months for an IT manager to move from anger to relief. However, once everything gets under control and we prove how easy it can be to properly secure IT, it eventually comes. Typically, we find out about it through follow-up calls or requests to present to boards of directors. The good news is that although many people think that they’ll be punished for the vulnerabilities, most are actually rewarded for having the nerve to hire someone to find, fix, and prevent them.
  7. Our favourite stage is the seventh: Well-controlled IT. We get a lot of positive feedback from IT departments that see their workload decrease dramatically after implementing strong information security controls!