You will disagree with me if…

On March 6, 2010, in Cannon Fodder, by Aharon
  • You think the number of pages, size, or weight of the vulnerability reports you just printed has any relation to measuring security.
  • You believe that if your vulnerability management solution doesn’t detect 100% of the vulnerabilities at large, it’s not worth implementing.
  • You believe that broken information security standards should be disregarded, instead of improved upon or fixed.
  • You don’t understand that vulnerability management doesn’t work without proper asset management.
  • You think that assets don’t need some sort of risk rating methodology.
  • You believe that it’s the job of information security professionals to track patches.
  • You think that you can manage information security with an Excel document.
  • You like to implement controls before you implement the control standard.

On a serious note, I am just trying to throw a hook out there to get your attention. Did it work?

Tomorrow I want to focus on some of the standards used to measure vulnerabilities. This way we can all understand the terminologies used in future discussions and posts.

One Response to You will disagree with me if…

  1. Dan Brown says:

    Some possible additions:
    - You believe assertive measures are just as acceptable as detective measures.
    - You think vulnerability detection schedules and vulnerability remediation service level agreement (SLA) timelines are not related.