Second installment of our interview with John Sapp Jr on how AppSOC contributes to his Cyber Risk Governance strategy.
John is an empowering leader and peer in his organization: he secured buy-in on what the teams were aligning on and on how AppSOC would be operationalized to serve their needs. Beautiful orchestration!
My highlights (but reading it in John's words is far more powerful):
+ CVSS score limitations – additional asset attributes are needed to see the totality of their environment
+ Vulnerabilities rooted in code, microservices and software library packages
+ Traceability from infrastructure to code and from code to infrastructure - and who owns what
+ Developer relations and developer effectiveness - the challenge of data overload, and a prioritized view so developers know what to focus on first.
+ Not all critical alerts are the same, nor should all medium alerts be ignored: a medium can be more disruptive than a critical if it has a higher probability of being exploited.
+ Adversarial thinking: … zero-days that everybody's talking about and scrambling to fix … a medium level threat that’s been sitting there unnoticed for years. It's easy to exploit and it exists in 90% of the environments today. This might not show up as a CVSS critical alert, but if you factor in exploitability, I can prioritize risks that most people aren’t looking for.
+ Who are the stakeholders? Developers, their managers, business leaders, IT management, and on up to the business executives.
With AppSOC's insights into the application hierarchy, stakeholders understand the extended value to the broader enterprise and are engaging proactively.
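To make the prioritization point concrete (severity alone is not risk; a widely exploited medium can outrank a rarely exploited critical, and each owner needs their own queue), here is a small added illustration. It is not AppSOC's scoring model or any code from John's team: the exploit-probability field (an EPSS-style likelihood), the 1.5x exposure weight, the team names and the sample findings are all constructed assumptions.

```python
"""Risk-based prioritization: rank findings by severity AND exploit likelihood,
then hand each owner a prioritized queue.

Added illustration for this post; not AppSOC's scoring model. The exposure
weight, the EPSS-style exploit_prob field and the sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss: float            # CVSS v3 base score, 0.0-10.0
    exploit_prob: float    # probability of exploitation in the wild, 0.0-1.0 (assumed EPSS-style feed)
    internet_facing: bool  # asset attribute CVSS does not carry: reachable from the internet?
    owner: str             # team that owns the code, service or package
    component: str         # where the weakness lives: code, microservice, library


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the standard qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Severity weighted by likelihood and exposure.

    CVSS says how bad exploitation would be, not how likely it is or whether
    the asset is even exposed. Multiplying by exploit probability and an
    exposure factor (1.5x for internet-facing assets, an assumed weight) lets
    a heavily exploited medium outrank a rarely exploited critical.
    """
    exposure = 1.5 if f.internet_facing else 1.0
    return f.cvss * f.exploit_prob * exposure


def prioritize(findings):
    """Highest risk first; ties broken by raw CVSS so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def queue_by_owner(findings):
    """The 'who owns what' view: each owner gets their own prioritized list of IDs."""
    queues = defaultdict(list)
    for f in prioritize(findings):
        queues[f.owner].append(f.finding_id)
    return dict(queues)


# Constructed sample findings (not real CVEs, products or customer data).
SAMPLE = [
    Finding("F-1", 9.8, 0.05, False, "payments-team", "library"),       # hyped critical, internal only
    Finding("F-2", 5.3, 0.90, True,  "web-team",      "microservice"),  # old medium, widely exploited
    Finding("F-3", 7.5, 0.30, True,  "payments-team", "code"),
    Finding("F-4", 4.1, 0.02, False, "web-team",      "library"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.finding_id} {cvss_severity(f.cvss):8} cvss={f.cvss:4} "
              f"p(exploit)={f.exploit_prob:.2f} risk={risk_score(f):.2f} owner={f.owner}")
    print(queue_by_owner(SAMPLE))
```

Running it puts the CVSS-medium F-2 at the top of the list and the CVSS-critical F-1 third, which is exactly the inversion the highlights describe; the per-owner queues are what a developer-facing view would show instead of the full alert dump.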
Here's our second "Customer POV" blog with more excerpts and video clips from John Sapp, CISO of Texas Mutual. Learn how he prioritizes security issues, and communicates business risk to get stakeholder buy in. https://lnkd.in/gGmAChVJ
#VulnerabilityManagement #CyberRiskGovernance #CyberSecurity #RiskManagement #InfoSec #CyberThreats #SecurityStrategy