Welcome
How Business Aligned Are You?
Take this assessment to gauge your organization's ability to answer “How secure are we?” and understand how well aligned your security practices are to your business goals.
The assessment will yield customized results and recommendations and should take no more than 5 minutes to complete.
Note: A form completion is required to view your custom results and receive a PDF with your responses. Your responses will not be stored in a database tied to any personally identifiable information.
Questions
1. Please rate your organization's cybersecurity strategy using a five-point scale, where 5 is “completely describes my organization” and 1 is “does not describe my organization at all.”
2. Please rate your organization's security governance and program management using a five-point scale, where 5 is “completely describes my organization” and 1 is “does not describe my organization at all.”
3. Please rate your organization's technology approach to vulnerability management using a five-point scale, where 5 is “completely describes my organization” and 1 is “does not describe my organization at all.”
4. Please rate your organization's threat and vulnerability assessment using a five-point scale, where 5 is “completely describes my organization” and 1 is “does not describe my organization at all.”
5. Please rate your organization’s security operations using a five-point scale, where 5 is “completely describes my organization” and 1 is “does not describe my organization at all.”
6. Please rate your organization’s business relationship using a five-point scale, where 5 is “completely describes my organization” and 1 is “does not describe my organization at all.”
Results Overview
Thank you for taking the assessment. Based on your responses, here is a sneak peek at how aligned your security practices are to your business goals.
Recommendations
Your score means your cybersecurity and risk assessment strategy is primarily siloed.
- Your cybersecurity strategy is largely reactive and focused on solving the latest problems. Your security goals are not aligned with business goals, and you are not tracking business risk metrics/benchmarking or performing quantifiable analysis to determine ROI on security investments.
- Your security organization does not closely track performance, cost, and risk management efforts. It fails to work with business stakeholders to regularly review performance metrics or to align risk objectives and cost with business needs. There is no cross-functional collaboration or alignment of priorities and performance.
- Your organization doesn’t use a risk-based approach to prioritize and justify mitigation efforts. Vulnerability assessments and business risk management objectives are not automated. Monitoring threat intelligence for the likelihood of exploitation is largely manual.
- Your security organization does not have holistic visibility into your entire attack surface. Your organization does not use automated assessments to identify gaps in coverage, and tracking cybersecurity performance is done through manual reviews of spreadsheets.
4 Steps You Can Take Today To Improve Your Business Alignment
If you're early in maturing your vulnerability management (VM) program and becoming business aligned, there are four steps you can take to uncover what matters most to the business and attain more complete visibility into those systems:
- Understand your business environment and set KPI baselines. It’s essential to identify and prioritize business-critical services and applications, identify service and application owners and other stakeholders, and establish and evaluate existing security and applicable IT policies and processes.
- Define architecture, integration, and deployment plan. You’ll need to create a sensor deployment strategy to ensure that your VM program doesn’t have any blind spots. This means that, in addition to using a network scanner, you may need passive monitoring agents, cloud connectors, and agent-based sensors. Obtaining buy-in from the rest of the organization is essential at this point.
- Discover and map assets. Identify all subnets throughout your environment and develop a scan strategy to discover all assets located within those subnets. Establish scan policies and profiles for each, based on agreements made with individual owners and stakeholders.
- Scan all discovered assets for vulnerabilities. Perform authenticated scans, whenever possible, for all known assets across your entire attack surface, including transient assets. It’s essential that you perform continuous assessments of all known assets and dynamically discover new assets the moment they join the network.
Your score means your cybersecurity strategy is moderately aligned to the business strategy.
- Your cybersecurity strategy and goals take prioritization into account, but they are not closely aligned to business objectives. Metrics are collected and reviewed, but not evaluated in context to business risk.
- Your security organization tracks performance, cost, and risk management efforts but only does so irregularly. The ad hoc nature of reviews creates gaps when resources are constrained. Your organization fails to work with business stakeholders to regularly review performance metrics or to align risk objectives and cost with business needs. There is limited cross-functional collaboration or alignment of priorities and performance.
- Your organization does not consistently apply a business risk-based approach to mitigation efforts. Vulnerability assessments, business risk management review, and the monitoring of threat intelligence for targeted exploit likelihood are infrequent, ad hoc, or largely manual.
- Your security organization has an incomplete understanding of its attack surface. Your organization has established some risk and performance metrics to make relevant data available to the business. Your organization does not use automated assessments to identify gaps in coverage, and cybersecurity performance is tracked primarily through manual reviews of spreadsheets.
4 Steps You Can Take Today To Improve Your Business Alignment
- Understand your business environment. It’s essential to identify and prioritize business-critical services and applications, identify service and application owners and other stakeholders, and establish and evaluate existing security and applicable IT policies and processes.
- Continuously assess all your assets. All too commonly, assessment plans call for monthly scans — sometimes even less frequently. But if you don’t perform assessments frequently enough, you’ll be basing your remediation decisions on old, outdated information. It’s essential that you perform continuous assessments of all known assets and dynamically discover new assets the moment they join the network.
- Add business context by tagging assets with descriptive metadata. Use tags to identify business-critical assets. Tagging allows you to measure risk by business entity (what “job” do these assets support?) or by team (who do I need to work with to remediate potential issues?). With Tenable, you can tag assets both automatically (using rules) and manually.
- Prioritize vulnerabilities based on risk and determine action. To effectively prioritize the vulnerabilities that pose the most risk, you need to understand the full context of each vulnerability. This requires detailed information about the vulnerability, threat and exploit intelligence, criticality of affected assets, and predictive technology to determine likely future attacker activity. Then, take the appropriate action to effectively manage the risk based on what you determined during the initial discovery phase, when you developed a comprehensive understanding of your environment.
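The three steps above (continuous assessment, tagging assets with business metadata, and risk-based prioritization) can be illustrated with a small, self-contained scoring exercise. The code below is an added example and is not Tenable's scoring model, product API, or any part of the original assessment; the tag names, the weighting scheme, the staleness threshold, and the asset and finding records are all constructed assumptions chosen to show why asset criticality and exploit intelligence change the order in which findings are worked, and how tags let risk be rolled up by business unit or by the team that owns the fix.

```python
"""Illustrative risk-based prioritisation over tagged assets.

Added example only: this is NOT Tenable's scoring model or API. The weights,
tag names, staleness threshold and sample inventory are assumptions chosen
to demonstrate the technique described in the text.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    asset_id: str
    tags: dict  # descriptive business metadata, e.g. business_unit, owner, criticality


@dataclass
class Finding:
    asset_id: str
    plugin: str              # constructed check name, not a real plugin id
    cvss: float              # base severity, 0.0 - 10.0
    exploit_available: bool  # threat intelligence: a public exploit exists
    last_seen_days: int      # age of the assessment data behind this finding


# Assumed weights: how much an asset's business criticality scales severity.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5, "critical": 2.0}
EXPLOIT_MULTIPLIER = 1.5   # assumed uplift when exploit intelligence is positive
MAX_FINDING_AGE_DAYS = 30  # assumed threshold for "too old to act on"


def priority_score(finding: Finding, asset: Asset) -> float:
    """Combine severity, exploit intelligence and asset criticality into one number."""
    crit = CRITICALITY_WEIGHT[asset.tags.get("criticality", "medium")]
    exploit_factor = EXPLOIT_MULTIPLIER if finding.exploit_available else 1.0
    return round(finding.cvss * crit * exploit_factor, 2)


def ranked_findings(findings, assets):
    """Findings ordered by priority score, highest first."""
    return sorted(findings, key=lambda f: priority_score(f, assets[f.asset_id]), reverse=True)


def stale_findings(findings, max_age_days: int = MAX_FINDING_AGE_DAYS):
    """Findings whose assessment data is older than the allowed age (stale context)."""
    return [f for f in findings if f.last_seen_days > max_age_days]


def risk_by_tag(findings, assets, tag: str) -> dict:
    """Roll up priority scores per tag value (e.g. business_unit or owner), largest first."""
    totals = defaultdict(float)
    for f in findings:
        asset = assets[f.asset_id]
        totals[asset.tags.get(tag, "untagged")] += priority_score(f, asset)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample inventory (not real assets or findings).
ASSETS = {
    "db-01": Asset("db-01", {"business_unit": "payments", "owner": "dba-team", "criticality": "critical"}),
    "web-03": Asset("web-03", {"business_unit": "payments", "owner": "web-team", "criticality": "high"}),
    "kiosk-07": Asset("kiosk-07", {"business_unit": "facilities", "owner": "it-ops", "criticality": "low"}),
    "lab-12": Asset("lab-12", {"business_unit": "research"}),  # untagged owner/criticality
}

FINDINGS = [
    Finding("db-01", "sample-check-A", cvss=7.5, exploit_available=True, last_seen_days=3),
    Finding("web-03", "sample-check-B", cvss=9.8, exploit_available=False, last_seen_days=10),
    Finding("kiosk-07", "sample-check-C", cvss=9.8, exploit_available=True, last_seen_days=45),
    Finding("lab-12", "sample-check-D", cvss=5.3, exploit_available=False, last_seen_days=60),
]


if __name__ == "__main__":
    print("Work queue (highest priority first):")
    for f in ranked_findings(FINDINGS, ASSETS):
        print(f"  {f.asset_id:9} {f.plugin:15} score={priority_score(f, ASSETS[f.asset_id])}")
    print("Risk by business unit:", risk_by_tag(FINDINGS, ASSETS, "business_unit"))
    print("Risk by owner:", risk_by_tag(FINDINGS, ASSETS, "owner"))
    print("Stale findings:", [f.asset_id for f in stale_findings(FINDINGS)])
```

Two things the output makes visible that a severity-only list hides: the low-criticality kiosk with a CVSS 9.8 and a public exploit ranks below the high-criticality payments web server with no exploit, and two of the four findings rest on assessment data older than the assumed 30-day threshold, so their scores should be re-validated before driving remediation.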
Congratulations, your score means that your cybersecurity strategy is well-aligned to the business.
- Your organization has a formal cybersecurity strategy that is aligned to the business’s objectives. You keep your program aligned by regularly collecting and reviewing the business-aligned metrics/benchmarking to continually improve. You perform quantifiable analysis to determine ROI on security investments.
- You regularly work with business stakeholders to align risk objectives and cost with business needs. There is cross-functional collaboration and alignment of priorities and performance. You closely track performance, cost, and risk management efforts.
- You use a risk-based approach to prioritize and justify mitigation efforts. Vulnerability assessments and business risk management objectives are automated and varied. You automate the monitoring of threat intelligence for the likelihood of exploitation.
- Your security organization has a holistic understanding of your entire attack surface. Your organization uses automated assessments to identify gaps in coverage, and tracking cybersecurity performance is not done through manual reviews of spreadsheets.
4 Steps You Can Take Today To Improve Your Business Alignment
- Take your vulnerability management program to the next level. Strive to maximize your efficiency by tracking and benchmarking your business process integrity metrics internally, as well as against industry peers. This includes remediation maturity, which measures your speed and efficiency, and assessment maturity, which quantifies how well you’re scanning your environment.
- Gain a comprehensive understanding of your attack surface. This includes operational technology (OT) and cloud assets, as well as web apps. Employ machine learning technologies to accurately prioritize the remediation of assets that have yet to receive an authenticated scan.
- Perform periodic reviews of the entire plan. Once you’re aligned with the business, it’s important for security and business leaders to regularly meet to ensure the teams remain aligned and to benchmark progress against internal and industry peer metrics.
- Gamify risk reduction. There’s always room for improvement, even on the best teams. Holding contests to see which team can reduce the most risk — whether for prizes or for bragging rights — boosts morale, inspires teams to strive for more, and increases camaraderie.
Next Steps
Read the research
Thank you for taking the time to complete this assessment. Read the full Forrester report commissioned by Tenable.
Ready to get started?
To learn more about how Tenable can help you build and refine your security practices, visit https://www.tenable.com/solutions/vulnerability-management
Methodology, Disclaimers and Disclosures
Methodology
In April 2020, Tenable commissioned Forrester Consulting to conduct an online survey of 416 security and 425 business executives to examine cybersecurity strategies and practices at midsize and large enterprises.
Disclaimer
Although great care has been taken to ensure the accuracy and completeness of this assessment, Tenable and Forrester are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein.