If your security program is still focused on patching, responding to vulnerability scans and mitigating the monthly churn of product updates/hotfixes and the like, then you need to change.
Sure, patching is important, but that should truly NOT be the focus of your information security initiative.
Today, organizations need to raise their vision. They need to be moving to automate as much of prevention, and of the baseline processes of detection, as possible. They need to be focused on doing the basics better. Hardening, nuance detection, incident investigation/isolation/mitigation: these are the things they should be getting better at.
Their increased vision and maturity should let them move away from vulnerability-focused security and instead concentrate their efforts on managing risk. They need to know where their assets are, what controls are in place and what can be done to mitigate issues quickly. They also should gain detection capability where needed and know how to respond when something bad happens.
Check out tools like our 80/20 Rule for Information Security for tips on how to get there. Feel free to reach out and engage us in discussion as well. (@lbhuston)
We would be happy to set up a call with our security experts to discuss your particular needs and how we can help you get farther faster.
As always, thanks for reading and stay safe out there!