Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk
Cybersecurity Canon Book Review: “Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk” (2020) by Andrew Magnusson, book reviewed by Alpha B. Barry
I don't recommend this nonfiction book for the Cybersecurity Canon Hall of Fame, but if you are interested in the topic, this is a good one to read.
Throughout my career, I learned the hard way that cybersecurity starts with setting up IT infrastructure along state-of-the-art architecture patterns that maximize technical security. While this cannot prevent successful cyberattacks, it makes the attacker's life harder and gives cybersecurity teams a better chance to detect intrusions before real harm is done. It also increases the chance that attackers with medium or lower skills will turn their attention elsewhere. Thus, I am always keen to read and recommend books that can increase my knowledge of technical cybersecurity, secure IT infrastructure operations, and security architecture.
Colleagues entering this field sometimes ask me for suggestions on what they should read to build up knowledge in technical cybersecurity. I always struggle to answer this question, since the list of suitable introductory books on technical cybersecurity is quite small. What do I mean by “suitable” in this case?
- An introduction to technical cybersecurity should be suitable for readers from any profession. Thus, the author must assume that the reader has no prior knowledge of technical cybersecurity and does not have an academic background in technology.
- An introduction to technical cybersecurity should be relevant to readers with a professional interest, e.g., an IT manager or executive, or even a business leader. Thus, the author should link technical cybersecurity to business goals relevant for this audience, such as continuity of business, or risk minimization.
- An introduction to technical cybersecurity should be “stand alone,” in the sense that the reader should be able to grasp the content without a need to study secondary literature.
I was provided a copy of “Practical Vulnerability Management” by the author and found it an excellent read. The way the book is written clearly indicates that the author has worked in vulnerability management for a long time and he is able to bring this experience across in a way that is easy and even fun to read.
The book is separated into two parts. In the first six chapters, the concept of vulnerabilities and vulnerability management is explained in detail. This part is a good read for everyone who would like to understand what vulnerability management is and what vulnerability management processes look like in cybersecurity operations for an organization of a certain size.
The book also explains the different goals of IT security, IT risk management, and IT operations, and can help a junior cybersecurity practitioner to understand why others in the IT organization might not join her/him enthusiastically in making vulnerability mitigation a top priority. The chapter on organizational support and office politics is especially helpful in this regard.
When I first became responsible for managing the IT infrastructure of a larger organization, I had no clear idea of vulnerability management. This book would really have helped me at that time to learn in one afternoon what I had to learn over a much longer timeframe of everyday professional life. Thus, the first part is a clear “must read” for every IT leader with an interest in cybersecurity, but without a clear idea of vulnerability management.
More senior readers might very well stop reading the book after the first part. The second part is a CS project, where the reader will build her/his own vulnerability management system, based on open-source components. Given that I apparently have too much time on my hands these days, I did a large share of the project, and implemented a rookie-grade vulnerability management system on a Raspberry Pi.
For readers with a semi-solid or better background in technology, and an interest in finding out how vulnerability management really works in practice, I would really recommend doing the project. It is a good learning experience for, e.g., a graduate student in cybersecurity or CS, or a junior cybersecurity specialist in a larger organization. My own technology skills are quite rusty after two decades in management and consulting, but the author goes to great lengths to explain the build-up of the vulnerability management system step by step, which helped me along. The book also gives enough background on basic technology, such as the Linux OS, database management, and scripting, to allow those with a less than solid foundation in technology to succeed.
The only major issue I encountered implementing the project results from the fast-moving world of open-source software: some of the software repositories named in the book were already outdated by the time I started implementing. For example, the recommended repository for the OpenVAS vulnerability scanner is based on a deprecated version that does not run on Ubuntu 20.04; I had to find another source for a working repository, and finally chose to compile my own version. This actually made the project more fun for me, but other readers might find this tedious.
In addition to refreshing my rusty tech skills, doing the project gave me valuable insight: for a skilled IT/cybersecurity professional, it is possible to build a decent vulnerability management system based on 100% open-source components in a couple of months. Thus, going forward, I will compare the functionality of any commercial vulnerability management solution to the system resulting from the project I did here, and ask myself: “Does it provide enough added-value functionality to justify the price delta between the license cost incurred, and the cost for a couple of developer person months, plus this book?” I would not be surprised if many commercial products fail this test.
The final two chapters of the book expand the scope of vulnerability management and give a future outlook. I found those parts outlining the differences between vulnerability management in a classic on-premises infrastructure and vulnerability management in cloud-based environments especially valuable. Hybrid and cloud-native IT infrastructures have become the norm, and vulnerability management must address this. Senior readers who skipped the chapters on the vulnerability project should definitely read these chapters in addition to the first part of the book.
Overall, “Practical Vulnerability Management” is a great read for everyone who would like to get a good overview on the topic, and an equally good read for all those who would like to get into the details of building up a vulnerability management system on a low budget.