What they’re actually saying, when somebody has been in the role long enough to stop pretending, is usually some version of this: the stuff we closed fast was the stuff that was cheap to close. The stuff that’s still open is the stuff that would require us to re-architect a service, take a critical system offline, or fight with a business owner who doesn’t want to hear it. So we keep closing easy criticals to keep the dashboard green, and the hard things age quietly in the backlog where nobody looks.
This is the part of vulnerability management nobody wants to say out loud: we have built an entire governance industry around measuring the wrong thing. SLAs tell you how disciplined your ticketing process is. They tell you almost nothing about your actual risk.
The compliance trap
I’ve watched this pattern play out across enough programs to be confident it’s not an outlier. An organization commits to a thirty-day SLA for critical vulnerabilities. The vulnerability management team gets measured on that SLA. So they get very, very good at hitting it — for the vulnerabilities that are easy to hit it on.
What gets closed fast: anything an agent can patch remotely. Anything in a containerized workload that rebuilds nightly. Anything where the vendor has already shipped a clean update and the change advisory board will approve it without debate.