Redefining CyberSecurity

Prioritize with Purpose: Unleashing the Promise of Risk-Based Vulnerability Management | A Conversation with Andrew Braunberg | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of Redefining CyberSecurity Podcast, host Sean Martin and guest Andrew Braunberg discuss risk-based vulnerability management and its potential to improve security operations and risk management programs.

Episode Notes

Guest: Andrew Braunberg, Principal Analyst at Omdia [@OmdiaHQ]

On Linkedin | https://www.linkedin.com/in/andrew-braunberg-74a69/

On Twitter | https://twitter.com/abraunberg

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

In this episode of Redefining CyberSecurity Podcast, host Sean Martin engages in a thought-provoking conversation with Andrew Braunberg, a principal analyst at Omdia. They explore the world of risk-based vulnerability management and its potential to revolutionize security operations and risk management programs.

The discussion delves into the challenges of traditional vulnerability management, including the reliance on Common Vulnerability Scoring System (CVSS) base scores, which capture severity but not whether an exploit exists or how critical the affected asset is, and the increasing volume of software vulnerabilities. They stress the importance of context, value, and verifiable risk reduction in prioritizing actions to effectively mitigate risk.

Andrew shares insights on the convergence of risk management and vulnerability management, as well as the role of telemetry in gaining a comprehensive view of the digital landscape. The conversation also touches on the need to understand the external threat landscape and consolidate threat information for better predictions. They discuss the expansion of vulnerability management into dev environments and the broader view of vulnerability, encompassing exposure management and misconfigurations.

The potential for self-serve tools and services in risk-based vulnerability management is explored, along with the consolidation of security control validation and attack path validation capabilities. Throughout the episode, the importance of rethinking security programs and embracing a proactive security posture based on risk reduction is emphasized. Collaboration and communication between security teams, asset owners, and management are highlighted as crucial for effective vulnerability management and risk mitigation.

The conversation provides valuable insights into the world of risk-based vulnerability management and the shift towards proactive cybersecurity. So if you're seeking innovative approaches to vulnerability management and risk reduction, tune in to this enlightening episode of Redefining CyberSecurity Podcast with Sean Martin and Andrew Braunberg.
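The prioritization logic discussed in the episode (exploit evidence and asset criticality first, a plain CVSS sort second) as an added worked example. This is not Omdia's or any vendor's code; the tier names, the EPSS threshold, the criticality scale, and the five sample findings are constructed assumptions chosen to show why a CVSS-only queue and a risk-based queue disagree.

```python
"""Risk-based vs. CVSS-only prioritization of vulnerability findings.

Added illustration, not code from the podcast, Omdia, or any product.
Inputs are the three signals the conversation keeps returning to:
severity (CVSS base), exploit evidence (EPSS probability and a
known-exploited flag such as a KEV listing), and asset criticality set
by the asset owner. Thresholds and weights below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss_base: float        # CVSS v3 base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation, 0.0-1.0
    known_exploited: bool   # e.g. present in a known-exploited catalog
    asset_criticality: int  # 1 (lab/test) .. 5 (revenue-critical), owner-assigned
    internet_facing: bool


EPSS_HIGH = 0.10          # assumed threshold; tune to your risk appetite
TIERS = ("act-now", "this-cycle", "next-cycle", "defer")


def triage_tier(f: Finding) -> str:
    """Decision tree: exploit evidence first, then exposure, then severity."""
    if f.known_exploited:
        return "act-now"
    if f.epss >= EPSS_HIGH and (f.internet_facing or f.asset_criticality >= 4):
        return "this-cycle"
    if f.epss >= EPSS_HIGH or f.cvss_base >= 9.0:
        return "next-cycle"
    return "defer"


def risk_score(f: Finding) -> float:
    """Tie-breaker inside a tier: severity x business value x exposure."""
    exposure = 1.5 if f.internet_facing else 1.0
    return round(f.cvss_base * f.asset_criticality * exposure, 1)


def explain(f: Finding) -> str:
    """Transparent reasoning an analyst can hand to the asset owner."""
    reasons = []
    if f.known_exploited:
        reasons.append("exploited in the wild")
    if f.epss >= EPSS_HIGH:
        reasons.append(f"EPSS {f.epss:.2f} >= {EPSS_HIGH}")
    if f.internet_facing:
        reasons.append("internet-facing")
    reasons.append(f"criticality {f.asset_criticality}/5")
    reasons.append(f"CVSS {f.cvss_base}")
    return f"{f.finding_id} on {f.asset}: {triage_tier(f)} ({', '.join(reasons)})"


def cvss_only_order(findings):
    """The legacy approach: filter the spreadsheet by base score."""
    return [f.finding_id for f in sorted(findings, key=lambda f: -f.cvss_base)]


def risk_based_order(findings):
    """Tier first, then score within the tier."""
    return [
        f.finding_id
        for f in sorted(findings,
                        key=lambda f: (TIERS.index(triage_tier(f)), -risk_score(f)))
    ]


# Constructed sample findings; ids and assets are placeholders.
SAMPLE_FINDINGS = [
    Finding("F1", "lab-build-box",    9.8, 0.01, False, 1, False),
    Finding("F2", "payments-gateway", 7.5, 0.60, True,  5, True),
    Finding("F3", "partner-portal",   6.5, 0.35, False, 4, True),
    Finding("F4", "hr-intranet",      5.3, 0.02, False, 2, False),
    Finding("F5", "reporting-db",     8.8, 0.15, False, 2, False),
]

if __name__ == "__main__":
    print("CVSS-only queue :", cvss_only_order(SAMPLE_FINDINGS))
    print("Risk-based queue:", risk_based_order(SAMPLE_FINDINGS))
    for finding in sorted(SAMPLE_FINDINGS,
                          key=lambda f: TIERS.index(triage_tier(f))):
        print(explain(finding))
```

With these inputs the CVSS-only queue puts the 9.8 on an isolated lab box first, while the risk-based queue moves the actively exploited 7.5 on the payments gateway to the top and pushes the lab box down behind a 6.5 on an internet-facing portal with high exploit probability. The `explain` output is the transparency point from the conversation: the number alone will not convince an asset owner, the reasons might.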

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

Omdia research finds risk-based vulnerability management set to encompass the vulnerability management market by 2027 (press release): https://omdia.tech.informa.com/pr/2023/09-sep/omdia-research-finds-risk-based-vulnerability-management-set-to-encompass-the-vulnerability-management-market-by-2027

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello everybody, you're very welcome to a new episode of Redefining Cyber Security here on ITSP Magazine. This is Sean Martin, your host, and I'm thrilled to have you on joining me again today as we explore the world of operationalizing security in a way that, uh, not just protects the business from risk, but actually helps them grow and protect the revenue they generate as well. 
 

And, uh, there's a lot. And making that happen, uh, looking at two sides of the same coin in many cases. And today, uh, one of the coins popped up on my LinkedIn feed as it often does that, that, uh, triggers something for me. And it's a topic that. Covers two things. One that I love, risk management, and the other that I can't understand why we have such a hard time with is still vulnerability management. 
 

And, uh, there's evidently a convergence of those two worlds, uh, in, in, uh, in, um, in the markets, if you will, uh, with the growth of the vulnerability management space, taking on some risk, uh, aspects and moving more toward a proactive. Security posture, which the, uh, the team at Omdia have been looking at a lot. 
 

And I'm thrilled to have Andrew Braunberg on. Andrew, thanks for joining me. Yeah,  
 

[00:01:19] Andrew Braunberg: great to be with you.  
 

[00:01:20] Sean Martin: Thank you. And, uh, so I believe you, you led the research that, that, uh, produced the reports. I think there are probably many hands involved, but, uh, you're the one that gets to chat with me about this today. 
 

Right,  
 

[00:01:34] Andrew Braunberg: right. Well, happy to be here to do. But yes, was a primary author of a recent, what we call Omdia Universes, which are comparative reports. This one on risk based vulnerability management just came out. I think it became publicly available just last week. Perfect.  
 

[00:01:52] Sean Martin: I mean, I'm excited to jump on it quickly here and get people to think about what the world ahead looks like. 
 

for them in their security operations and risk management programs, uh, starting today, right? Uh, they have a lot to think about today. Before we get into the report and a bunch of stuff surrounding it that I think, uh, our audience will want to hear, Andrew, um, maybe a few words about your role at Omdia and, and, uh, maybe a few highlights of your journey into that role. 
 

[00:02:22] Andrew Braunberg: Yeah, I'm in the I'm a principal analyst in the security operations service at Omdia. I've been over there about 18 months or so, and since I came on board, I've been mostly focusing on, you know, what we call these proactive bits that are increasingly becoming more proactive. Reporting for security operations teams. 
 

Uh, before that, uh, I, I had been at NSS labs for, for quite a while running their qualitative analysts, uh, arm to that traditional security testing house.  
 

[00:02:56] Sean Martin: I think, uh, everybody listening knows NSS. Yeah. I hope so. Anyway. Um, well thrilled to have you on let's, let's, let's kick it off. So I, I think what the report shows is, uh, there's, there's a trend for the merging. 
 

The convergence of risk management and vulnerability management, where, uh, the activities and operations perhaps are driven more by risk than, and just by pure, uh, figures. Meantime to, uh, to patch maybe, um, so I don't know, I, I probably summarized it probably not well, so I'm hoping you can kind of give us a view into, you What risk based vulnerability management is and maybe how we arrived to a point where we actually look at this now as a, as its  
 

[00:03:44] Andrew Braunberg: own market. 
 

Yeah, absolutely. And I think best to kind of start at the beginning, which would be, you know, what was what we can call maybe legacy vulnerability management, not, not doing well, what was it not keeping up with? Uh, and I, and I would say maybe also that, you know, we certainly view a risk based VM as, as kind of that next generation, that evolution. 
 

Uh, you know, if anything, we need more vulnerability management than we did, you know, even 10 years ago. Uh, you know, I think we're all familiar with the big three players there. They've been around now for decades. Um, you know, most of them kind of coming in the market, uh, you know. Kind of focused on that visibility aspect of having sensors that gave them a feel for the assets within the organization and then obviously doing the vulnerability scanning to understand what some of the exposures might be. 
 

The problem was kind of twofold for why we're kind of moving to this. This risk based approach. One was the sheer volume of CVEs, right? If you look at the National Vulnerability Database, uh, you know, we're up around 200,000 registered software vulnerabilities. Uh, the rate of growth has really kind of, uh, accelerated in the last, uh, five or six years. 
 

Uh, and so you're, you're left with this, you know, uh, Your bucket of things to worry about, uh, has been getting bigger and bigger. And the usual way, uh, that folks would try to prioritize, uh, often was just based on that CVSS, right? That security score that's going to be attached and often not even the Full CVSS score, and we can kind of get into some of that, but more just that base score, right? 
 

And so then if you're just putting this into a spreadsheet and filtering by CVSS score, you know, boy, you still got a lot to do every day, right? So your ability to keep up and to really understand, uh, you know, is that really the best metric for me to decide whether I should tackle this, you know, in cycle, out of cycle? 
 

I mean, there's a lot of of risk as we know associated with some of this patch activity as well. So, uh, what these risk based guys came in and started doing, and there's, you know, now that market's probably, you know, easily a couple dozen vendors, and certainly those traditional vulnerability guys have been moving in this direction as well, uh, is to look for For a better way. 
 

Well, let me back up. I mean, one, well, I guess one is that prioritization, but the other is that we're no longer in that environment where maybe a couple well placed network scanners are really going to give you that full visibility into your digital domain, right? So we've got the one question of how do we understand our complete digital landscape? 
 

And then, you know, how do we make sure we can prioritize what it? Action would best reduce risk, uh, given the everything on our plate, right? And so it's interesting, you see that most of these newer guys that come in are not so interested in developing their own scanner technologies. They just want to be open to pulling in a lot of this telemetry that now is available from a lot of other Security and other controls, right? 
 

And all the emphasis has really been around, uh, this idea of figuring out how to best prioritize, uh, what the risk associated with each vulnerability on each particular asset, uh, is. And so I don't know if that's a short, quick description of what they're doing, but that, let me, let me stop there and see if that made sense at least. 
 

[00:07:34] Sean Martin: I love it. I love it. And, uh, I can only, I've not done it. I've done a lot of things, but I've not been an analyst, uh, sitting there trying to patch stuff that comes in. Um, so I don't know the pain. I can only imagine how immense it might be having a full list every day to come, come to work too. Um, so that's not fun, but if, if I can get a risk based view with a vision or some context and some insight into how this impacts operations, how this impacts business. 
 

And how my work then can help protect the business. I think it becomes more interesting as an analyst, but then also, um, I'm presumably focusing on things that really matter, which ultimately helps the business. And it isn't just for purposes of saying you got me this budget. I've patched X number of things. 
 

I'm doing a good job, right? Yeah,  
 

[00:08:31] Andrew Braunberg: you hit a couple really important pieces there around context and value, right? And if we can shift this conversation to one of verifiable risk reduction, then having a conversation about ROI becomes a little more straightforward, right? But the context really comes in two main, uh, buckets. 
 

And, but one of, one of them Is that, you know, if we go back to thinking about CVSS and how they think about these additional, uh, pieces, uh, beyond, uh, severity associated with the actual vulnerability, you've either got an environmental piece or a temporal piece, right? Uh, and the environmental would get into, uh, very specifically asset criticality and that gets to business value, right? 
 

Some assets are just worth protecting more than other assets. And if you have a really firm understanding of asset criticality, then understanding impact of risk is a lot easier. Even if you don't put an actual quantitative, like assign a number to it, it still helps you relatively to determine if something should be prioritized over something else just based on Uh, that and then a temporal bit is also something that these guys are spending just a huge amount of time on and the main kind of a bit of a threat intelligence around, uh, you know, something new is exploit code, right? 
 

So when you again, when you're thinking about prioritization, if there's no, if a, if a CVE has not been exploited yet in the wild. And there's no sign of that. Uh, then, you know, that gives you a pretty good feel that that might be something you could defer or maybe ignore for a little while. And, and, and so just understanding those two bits of data really give you, I think, it, it, If you've got that in your head, you've got a pretty high level view of how these guys would attack the problem and think about prioritization based on the very latest current threat landscape in the, in the specifics of your business that you're trying to run and protect. 
 

[00:10:38] Sean Martin: So, uh, thousands of questions in my head. I'm just thinking about how, like, things like, uh, do you actually have an attack path open in your environment that can be exploited? So do you work with things like MITRE ATT&CK and and other programs? So, so maybe let's, I want to stick Kind of to the, maybe the outside threat. 
 

We know there are vulnerabilities. We know there are exploits, how active they are. We know what they go after. We know that we have intelligence on what industries they're targeting at the moment, that kind of stuff. How you mentioned in the context of telemetry. So what, what's possible now that may not have been. 
 

A few years ago, because we have XYZ sources of information to now ingest and digest and come up with the externally, uh, based story.  
 

[00:11:38] Andrew Braunberg: Yeah, I think there's a lot of, of, uh, telemetry. I think that, uh, certainly hadn't been consolidated, uh, previously. Um. And so part of this whole value add of these products is, you know, again, bringing together, uh, this wealth of, of information, uh, but really the, you know, when you talk to these vendors and they're showing off these products, really. 
 

The secret sauce for a lot of them is really around that understanding of what's being exploited today. And that can, you know, be them getting into GitHub and looking around. I mean, they've got all, they've got different ways they go and try to figure that out. Uh, but it, it's It's to the point where, and you know, some of these guys have been around for a while now, uh, but there's, there's kind of been this constant back and forth between is the real secret sauce in their ability for model building. 
 

So their analytics, you know, some advanced analytics, many of them are using some, you know, artificial intelligence, ML kind of things, you know, not the generative stuff that's been all the buzz this year, but just the old school, you know, let's build some predictive models kind of thing. Um, You know, is that what's really the differentiator for our product or is it really our ability, uh, to, uh, again, be able to pull in all this threat information, uh, and just to, um, to make better predictions there so that, you know, I think what we're seeing in the market today, uh, particularly since, uh, FIRST.org, you know, we're seeing, has now come out with this EPSS, which is this exploit prediction scoring system. 
 

The analytics of it start to become a little bit commoditized and it really becomes a question of being able to understand again, that, that if the first toggle, and you know, you can do this with decision trees too, right? Which is something else we can talk about, you know, but that could be maybe the first, the first decision point is whether, you know, Codes that have been exploited or not, and not even use these, these models at all, just do it with a few steps through a, through a decision tree. 
 

Um, but that, um, that really is kind of the key bit in the question right now around that, uh, that understanding of the threat landscape more so than your ability to really bring deep analytics to the problem.  
 

[00:14:10] Sean Martin: So, so bringing it inside now. So we, let's say we have a good view. A way to kind of shed the noise, understand what's valuable from the external perspective. 
 

How do, how does some of these vendors then shift to help teams recognize what's important to their environment, to their industry perhaps, and their environment, given that some things are in the data center, like legacy systems, old win 95, whatever it might be, right? Um, how, how do they help get that view? 
 

To kind of wrap that picture up with a nice bow.  
 

[00:14:52] Andrew Braunberg: Yeah, and this, I mean, this is kind of a really, uh, a tricky part for the security teams too, because remember if the, if the recommendation is really one of, uh, remediation through patch, you know, we, we, the security team's dealing with another. Another team within the organization, uh, that they need to convince, you know, that this is an action that's worth, uh, taking. 
 

Uh, and so really, I mean, and it's another, uh, good reason, uh, around that, that model building to make sure there's transparency in the way. Uh, that you're delivering this information, right? So you're presenting the score. Often it's just a number, uh, and there's no rhyme or reason to the way the vendors kind of, you know, it could be, it could be zero to 10. 
 

It could be zero to a hundred. It could be a credit score looking number that goes up to 850, you know? So you already have an explained kind of generally with bounds around this. So how, how significant, uh, this risk score is. Um, but then you've really got to make the, you've got to be able to make the case to whoever that asset owner is, or that the person that, that, that owns that, uh, maintenance, uh, that this needs to be done. 
 

And that's much easier, again, with some transparency and becomes easier as you start building up wins, that you're making recommendations. Uh, that make sense. Uh, your only alternative here now, and this gets to your kind of attack path, uh, comment earlier, uh, is to think about maybe some temporary mitigations that might be available given the, um, uh, the current controls that are in place. 
 

But I can tell you one thing about these RBVM guys as a whole. Uh, their visibility into attack paths and existing controls is not great. I mean, that's an area where I think kind of, you know, almost, almost universally they're, they're, they're falling down. Uh, we're, you know, compared to what you could think of an ideal that would really be, uh, much more helpful for, for doing, uh, for doing remediations. 
 

[00:17:03] Sean Martin: Yeah, I can see as much telemetry in that seems like they're they've been focused on and doing well at you'd want the same partnerships on the inside with the AppSec, the SecOps, the Yeah, DevOps.  
 

[00:17:21] Andrew Braunberg: Yeah, well that not to keep you know, it's hard everything you mentioned. I'm like, oh, yeah That's cool. On the AppSec side. 
 

I mean that is one of the things these guys are all doing a better job So, you know, we've been talking about CVEs about known vulnerabilities in production code. But most of these guys have all moved to also be able to work, you know, do that shift left into dev environments. And to be able to do pretty much the same thing for Uh, for, uh, for, uh, code that that's not in, uh, production yet. 
 

Uh, and, and that, it gets to this bigger conversation around not just shifting left, but also an expansion of, what, what we mean by vulnerability, right? And so you'll see some of these guys kind of changing their, uh, go to market messaging to exposure management, right? Uh, which can include misconfigurations, 
 

include, you know, credential issues, et cetera. And, and again, if you're going to, if you're going to prioritize risk and say you've got the next best action for risk reduction, you know, you need to have that broader view. Both from, uh, you know, the universe of assets out there and all the exposures that they might be, uh, might be bringing risk to your, to your organization. 
 

So that's another big trend that's going on right now as well.  
 

[00:18:51] Sean Martin: Yeah. And I mean, this might be controversial, maybe just the way I asked the question, but it's, it's a point I often make on almost every show that, that if we just do something different from the beginning. We, and it almost always boils down to patch management. 
 

Funny enough, if we, if we always do something different, we can save the patch team. So much headache because we're not deploying a system that's always vulnerable. We're not deploying a code stack or a set of API calls that are always vulnerable. We're always, and these, this team is just always overwhelmed because of the choices we make and the cloud services, the app stack, that whatever it is that we're deploying, right? 
 

So my, my controversial question to you is, are we just. Kind of adding to an existing way of tackling this problem and expanding. And are, are we, are we missing the point in how we manage vulnerabilities? Almost to, and you touched on a little bit with the AppSec piece. If we can, and this goes back to the DevOps and then the, the, yeah, the IT ops kind of feeding them to say. 
 

If you build the environment and you build the apps this way from the beginning, we actually save time versus trying to do all these weird calculations to, to then tell a story of why you have to fix what you broke in the first place.  
 

[00:20:23] Andrew Braunberg: Yeah, no, I think I get your drift and, uh, you know, I, I guess I would say we've got to start somewhere with trying to build this. 
 

This proactive mentality, right? And honestly, I mean, I think it's interesting watching the shift over the last 10 years or so, probably we could go back, uh, you know, we can probably give MITRE, uh, ATT&CK kind of, uh, some of the credit there for just getting people to be thinking about. You know, those pre breach steps, right? 
 

You know, oh yeah, there are some things going on here, which I had a little more visibility, right? Uh, but yeah, I mean, I absolutely agree. I mean, as far as curved world, but you know, I think we can start making that shift. You've seen so much consolidation of these tools and, and, uh, you know, uh, between the, the traditional AppSec and the, in the cloud tools as well, because there's so much dev gets done for cloud platform. 
 

Um, you know, I think that consolidation will, uh, be helpful in driving your point that, you know, there is an earlier, uh, time that this really just brings so much more value, obviously, which I think is the point you're making. Uh, it's certainly a point I agree with, but that said, I mean, we've got billions of lines of code that are out there now that, you know, we need to keep maintaining until we get to that better, that better point. 
 

[00:21:50] Sean Martin: I'm always, as I was thinking of a circle, maybe we do have to go around the circle, but I'm like, can we not just cut across, but, uh, so this is where we are and, uh, things are changing and with, with change in products. And actually I want to ask you, are these products services offered? Cause if I look back in time, the best way to find these. 
 

Weaknesses were through a penetration test where you'd have, you'd hire a team and come in and they'd, they'd look for them. And then eventually you got to do your own. And, and then there were, that's where we're stuck with. I can't do all this list. I don't know what's important. So now we have these tools to help us prioritize now with risk. 
 

Is it still, have we moved closer to self serve and do these tools enable? Companies to do it themselves. Yeah, I think services. What was the state of that  
 

[00:22:44] Andrew Braunberg: there? Yeah, I think if we're talking about, uh, risk based vulnerability management generally, then yes, we're, we're, we're in a better place. Uh, again, I mean, we can argue about, you know, the level of real visibility into the attack surface, but, uh, for the telemetry you're, you're bringing in. 
 

Uh, you know, it's very much kind of a dashboard productized. You know, the analysts can get a grip, push those, you know, none of these guys also, which I don't think I've mentioned, you know, really interested in building their own ticket systems or even patch systems, right? It's like, you know, ServiceNow ticket, Jira ticket. 
 

That's what those guys want to work in anyway, so, you know, we're just like a real addition that, you know, you get outside of the IT group, you better, you know, use the security group, you better use the tools that, uh, these other teams, uh, want to use. Um, now. If we, if so, that would be specific to RBVM. If we just take a step up, though, and get into some of those other areas around security control validation and attack path validation, then I hear that what you're saying, you know, resonates from a pain perspective better for me in the sense that, you know, trying to move, we've got all these terms that people are using around continuous automated red teaming and pen testing as a service. 
 

Uh, you've got all the BAS vendors still, you know, how much of that simulation, you know, what, how much, uh, you know, heavy lifting is that as their professional services, you know, component, how, how much, uh, all of those vendors are kind of moving into a more consolidated. Uh, it's what, uh, you know, Omdia calls, I know everyone says, apologies for the acronyms. 
 

We call it IST, which is Incident Simulation and Testing. We certainly see consolidation among those guys, just like we do, like we were talking around exposure management being that bigger bucket. than just traditional, let's say, you know, legacy VM, but it's, it's growing out in, in lab. Um, and so, uh, I think there's a lot of work going in to trying to further productize, uh, on in that other, you know, what, again, what we call the IST bucket. 
 

And that I think is a, is a, is a heavier lift, you know, I mean, because, you know, the year point. Uh, it's hard, you know, it is hard to productize a pen test, right? Uh, but there is a lot of energy going in over there to try to do that. And once you get those bundles around, again, security control validation, attack path validation, you know, those, those, that bundle of capabilities could really be uh, an important addition too. 
 

This other, this other kind of bundle of technology, which is, you know, let's call it exposure management for lack of another better term, uh, right now. And then you really have, you know, when you're really thinking about risk reduction and your options for remediation or mitigation, um, I think you've got a really good view of what's going on in the enterprise. 
 

And  
 

[00:25:56] Sean Martin: I think that that view becomes possible. Um, the question I have is how, how does that change multiple layers of, of the security program from the teams responsible for patching? Do they need to reskill on certain things from the management team and, and how they manage the team down? Um, with that in mind, uh, also in terms of up to show that. 
 

They're producing the results and then meeting the expectations. And then even from security leadership to, I mean, we're talking risk here. So how does that, how does that technical story then ultimately translate up into, into the business story around risk? So how do teams need to rethink differently and prepare for this shift themselves across people processing and other tech, as you mentioned? 
 

Yeah,  
 

[00:26:52] Andrew Braunberg: um, yeah, that, that, that's the big ride. I mean, process and people are always tougher, you know, than technology. I guess there's. Couple ways to answer that. I mean, one is, you know, we are just predicting this shift in spend. You know, if we began, got the traditional preventative bucket around, you know, AV and firewalls and everything else that kind of tried to stand in front of your solutions and then all the reactive stuff that we all know and love around detection and response, uh, you know. 
 

None of those investments are going away or those future investments. Uh, what we're saying is, you know, we should change, try to change the conversation to one again of thinking about return on investment in that, if that, if risk reduction is your metric there, instead of just, you know, mean time to response or, you know, we, we need a better method for figuring out what's working and we think. 
 

Proactive really lends itself to those kind of conversations, uh, and particularly as we move this conversation up into other, comparatively with other types of enterprise risk, right? And so I think from an operational perspective, certainly, you know, for the, for the next couple of years, you know, I don't think there has to be a lot of pain for any of these groups. 
 

Again, we're going to, we're going to be pushing out these recommendations through the usual You know, folks aren't having to learn a lot of new, uh, capabilities or use new tools outside of the, you know, this, uh, probably the SOC. Um, but, you know, we, um, we probably need to shift our thinking. And if you look at the largest organizations right now, I think this is. 
 

This is already happening where you kind of just take a step back and you say, you know, we really do need to kind of reassess how we approach cyber risk in this shift to a dedicated, you know, cyber risk team starts making more sense when all these tools are in place, and you can kind of make the argument that you do really have a holistic view of what your risk profile is, at least, you know, within the cyber realm, uh, and so, so I see more of a kind of need for change as you, as you kind of move up out of those, uh, you know, operational, uh, areas. 
 

Uh, and then, of course, you want to be able to make the case that you do have A view that allows, uh, the quantification of risk at some point, right, uh, which, um, you know, allows you to really have more of that board level conversation about what the actual cost of any of these risks would be, you know, those are all longer term. 
 

They're actually, I think, going to be harder to do because again, you know, I really do think at the operational levels we've been mostly talking about. Building trust is something you're just going to do. It's either going to work or it's not. You're going to, you know, these guys are going to take your advice or they're not. 
 

But it's kind of a day to day thing where you see value in it or you don't. Uh, you know, kind of that top down approach to me is, is really always, I've always. Thought that was a tougher, uh, going to be a tough, tougher sell and to be able to, you know, kind of be able to to defend some of those, uh, those ideas. 
 

So, you know, we're gonna, from the bottom up, get to the point where we really can, uh, you know, reasonably attach an impact figure, put a dollar figure on that impact, and now you get into where your system can get in there and really have an informed conversation about how this risk compares to the other business risks that, you know, at the CEO level, they're having to make those decisions about spend. 
 

[00:30:50] Sean Martin: Yeah, I guess it gets, uh, unwieldy and complicated. Cause I, I'm picturing in some of the largest organization, a risk, risk management organization, and the chief risk officer who looks at everything from physical to cyber, to data, to whatever, right? Um, ecology, geography, political, all those risks come bundling under. 
 

And I would expect them to kind of look CISO. 
 

Kind of presenting this risk to a group that cares about the risk and maybe doesn't have a formal, formal operational arm for it yet. I want to, I want to switch to, um, kind of, we talked a little bit about what some changes might be necessary to, to, uh, get the most out of this new, new capability, I'm wondering, are there organizations that are more prime to leverage RBVM? 
 

And maybe some that it's too early for them. I don't know. Other attributes that say you're in a good spot, go, go for it. Or if you haven't got this addressed yet, you're just, you're going to be wasting your time.  
 

[00:32:06] Andrew Braunberg: Yeah, no, I think, uh, well, I mean, I, it helps if you're, if you're large enough to have a ServiceNow or, you know, some of those operational tools in place, that's for sure. 
 

But I mean, all of our research, you know, I mean, you know, just shows broad, uh, current deployment for, uh, for generally vulnerability, vulnerability management, uh, solution. So I think, you know, that expertise is in place. These are just tools, you know, that you, you upgrade to, uh, they could even augment some of those historic tools for sure. 
 

Uh, and I think, you know, what our, our research certainly shows, you know, across, uh, industries, uh, and pretty far down market, that these are probably tools you're going to be able to take, uh, immediate value for, from, because again, you know, the other thing our research shows is that, you know, uh, visibility isn't necessarily the biggest problem. 
 

Now it's figuring out, you know, it's had an alert overload, if you're talking about, uh, detection and response side, or just an inability, you know, what to do next. It's not that you don't have enough to do, and these tools are really geared to just to helping you figure out what to do next.  
 

[00:33:25] Sean Martin: Right? 
 

Interesting. I've read some research that organizations in general are moving. They're not ditching efficiency gains in their transformations, but they're looking more toward innovation and return gains, less than over efficiency gains, but it seems like security is kind of still struggling with the efficiency. 
 

[00:33:51] Andrew Braunberg: Yeah, you know, it's funny. Um, I was just doing another report on, uh, uh, security, uh, orchestration and, uh, automation tools, SOAR tools, you know, uh, and, uh, you know, I don't cover those day to day. Like I do some of these other, uh, pieces in SecOps, but the research that came back, it just kind of struck me. 
 

I just had assumed, you know, the number one value there was that one of productivity. I mean, just automating and orchestrating. I mean, it's right in the name, right? I mean, isn't that what people are looking for? But by far, the view was that increased accuracy was the main benefit here. And it just kind of, well, when you stop and you think, oh, well, some of this rote stuff, you know, just doesn't get done correctly because it's just, you know, you're under the gun doing it. 
 

[00:34:42] Sean Martin: So, yeah, humans get in the way. I love it. I didn't, I didn't mean to stop you there. But, um, yeah, it's fascinating. I think, uh, I mean, I love this world of risk management and security operations. And obviously there's a lot of stuff that goes into making those things work. And so we, we just talked about kind of getting to current state. 
 

This is a burgeoning world of RBVM, that's going to change. What's the, what's the future like? It's not nothing static, right? So what do you see in the next couple of years?  
 

[00:35:17] Andrew Braunberg: No, absolutely not. Uh, you know, we really do. We're, we're to the point where now looking at all these different folks kind of heading, they're all. 
 

You know, they're coming from different angles, but they're heading where the puck's going here. Uh, and so we think further consolidation across some of these different categories that we've been talking about into a proactive security platform. So very much trying to productize, uh, and bring this all together into that kind of, you know, all the usual single pane of glass, you know, holistic, uh, view, visibility. 
 

Uh, you know, we haven't talked, uh, as much about the attack surface management pieces, but, you know, that external bit is just so critical and so much, uh, as far as some of that attack path particularly. Uh, and then, you know, it's also the other side of that, a lot of people will call it the CAASM side, just that ability to really inventory your full asset, uh, universe, or just kind of really foundational across all of these areas now. 
 

And then you add on that, these risk management. Uh, uh, analytics that we've been talking about that gives you kind of a foundation where all these things can sit in and create, you know, additional value. Uh, so yeah. Oh, and we haven't even talked about the fact that, you know, the reactive suite guys are all, you know, moving in this direction as well. 
 

So you've seen acquisitions from guys like Palo Alto, um, IBM, uh, you see a trend doing, uh, kind of similar things. Uh, you know, it's all, it's all kind of bundling up.  
 

[00:36:55] Sean Martin: I love it. It's a never, never ending fun story to watch, see, watch it unfold. Um, if my co founder Marco is on with me, he's like, we're at the mark. 
 

And I always say, I have one more question. So I'm going to do it here in the guise of the future. Um, answer it to your best ability, digital sovereignty. I, I see a lot of movement, uh, to keeping data resident in country, and I'm wondering not just for RBVM, certainly for that, but how, how does that, do you think, impact how we see some of these shifts? 
 

Um, both terms of how vendors approach the markets and how organizations leverage one or more technologies?  
 

[00:37:42] Andrew Braunberg: Yeah. Um, you know, I don't know that I've got a ready answer for sovereignty on this. Um, I mean, certainly it's always an overlay. I'm kind of trying to think, uh, yeah, I'm not sure I've got, uh, I've got a really good, uh, I, so maybe, uh, maybe my thought is it's not going to be a primary determinant here on how this all, uh, unfolds. 
 

Um, cause we're not really talking about. Yeah, what can I say? Sorry, Sean, I'm kidding.  
 

[00:38:19] Sean Martin: No, that's good. No, I don't either. No, because I think sovereignty kind of plays two roles, right? There's the privacy aspect of all the regulations, but then there's the, we don't want to be subject to other... People's stuff. 
 

[00:38:37] Andrew Braunberg: No, I, we could take a broader, but I don't think there's a short answer, which is rolling this up in the GRC systems. Right. And just thinking generally about governance, compliance and risk and how that all is going to happen. Uh, but yeah, that, that's probably a whole other, uh, conversation. So at some point, yeah, it'll, it'll... 
 

[00:38:56] Sean Martin: I think it would be, well, if you start to hear rumblings, I'd be more than happy to have you and you and others from Omdia join me to. 
 

Sure thing. Have that chat. Yep. Maybe there's something fun there. Yep. But anyway, this is fantastic. I could talk to you for hours, Andrew. I appreciate the invite. Anytime we get into risk. Yeah, right. You've been incredible. So. Thank you. Thank you so much. And, uh, yeah, for those listening, I appreciate you watching. 
 

I appreciate you joining us today. And hopefully we, we shed some light on some things happening in the, in the vulnerability management space and where things are headed and where they are now and how that impacts your teams. And, uh, I'll ask Andrew if there are any resources he wants to share that, uh, would help folks kind of get a better picture for what's going on here. 
 

Um, we'll include those.  
 

[00:39:40] Andrew Braunberg: Yeah, the, uh, the, um, Risk-Based Vulnerability Management, uh, Omdia Universe is available. Uh, you just have to, you know, fill out the, the form online. It's probably omdia.com is a good place to go find that. Certainly Google search, uh, that'd be a good one if people really want to kind of see what that, uh, comparative looks like and see some of the vendors that we're working with. 
 

Uh, that's, that's a good start.  
 

[00:40:07] Sean Martin: Love it. All right, Andrew. Thank you, everybody. Thanks for joining me. Please share with others you think would benefit from this and of course, uh, subscribe and we'll see you on the next one.