The expert view Davey Winder
In the real-world scenario of ensuring the best security posture for your organisation, I’m less worried about the distinction between a vulnerability and a threat than I am about how the relationship between vulnerabilities, exploits, threats and risk works together to undermine a business’s best data security efforts. That I sometimes see these terms being used in a transposable fashion by those responsible for securing data assets as well as, all too often for my liking, those who write about breaches is, frankly, disappointing in 2019. Infosec is no longer a dark art but a comprehensively documented business process: getting these things right really does go beyond semantic willy-waving.
Keeping up with changes to the threat landscape, where all manner of threats exist, is key. Not all threats are created equal, at least not as far as your exposure to them is concerned. However, the threatscape is hugely dynamic and you need to continuously gather intelligence to stay on top of changes; changes that may mean a previously benign threat morphs into a hostile one. This means more than just feeding data into some security system or other; it means being proactive in determining what the threats to your business are, and then testing the ability of your defences to protect your data from them.
By understanding how threat intelligence best fits into your security model, and by applying that intelligence in a hands-on way, you arrive at the vulnerabilities within your business, your network and your applications that could be exploited by an attacker. It’s a power game: on the one hand you have the weakness of a vulnerability and on the other the strength of an exploit that can be used to push through it and on towards your data. The trick is to take the power back by knowing your weaknesses and eliminating them before the attackers can strike successfully.
Which is where risk enters the relationship. There are any number of equations used to explain risk, the most common being that risk = impact x probability/cost. In the context of information security it can also be thought of as simply risk = threat x vulnerability. Remove the vulnerability and you dilute the threat, which then reduces the risk.