Strategic Vulnerabilities
9.1 Introduction
Now that you have gained a comprehensive understanding of what vulnerability management (VM) means from a technical, procedural, and management perspective, we will explore how vulnerabilities show up on a larger, strategic scale and how they can be remediated. No technology or special process will identify these things. It requires experience and a particularly pragmatic mind-set. The manager must understand the enemy not only by their methods but also by their motivations and goals. The specific targets and attacks are less significant when analyzing strategic weakness. This chapter explores VM at a very high level in the organization, where business strategy and technology strategy are considered in more abstract terms.
To put strategic vulnerability into perspective, it is important to remember the basic relationship of VM to other key IT and business functions. Figure 9.1 shows these relationships and the type of information conveyed to each from VM. Risk management and business strategy reside in the tier of strategic alignment, whereas change, incident, and configuration management are operational processes in IT. At a discrete technology level, VM is a supplier to other processes, including risk management. However, VM is also an integral part of the risk management process and not a separate entity. This fact gives it a dual operational–strategic position, leading to the tight process coupling which will be discussed later in this chapter.

276 Vulnerability Management

Vulnerabilities are found in strategy and require a less technical approach to assessment. But VM can also be applied as a strategic decision-support tool that influences the decision-making process. Strategic vulnerabilities should be assessed prior to committing the resources of the organization, and therefore facilitate risk management in the business planning process. Unless this approach is taken, considerable additional cost can be incurred through tactical remediation activities. Although on rare occasions organizations find a simple tactical means to recover from potential disasters, many situations require the extensive deployment of operational resources.
In many cases, strategic blunders result in a blame-finding scenario where disasters occur that force strategic VM to be applied to faults in the risk management process itself. For example, access to the anthrax spores in 2001 was possible because the strategic focus of security was only on the risk of intelligence data leaking to enemies. It did not take into consideration that a dangerous material was being handled that could be used with lethal intent. This failure, in my opinion, was the result of a failure to include assessment of motivational factors in identifying potential perpetrators.
Figure 9.1 Strategic vulnerabilities interacting with technology sphere. (Figure elements: Business Strategy, with Strategic Alignment, Business Intelligence, and Competitive Assessment; Strategic Vulnerabilities, with Competitive Assessment and Operations Assessment; Risk Management, receiving Strategic Risks and Tactical Risks; Technical Vulnerability Management within Information Technology, spanning Operations, Engineering, and Security, and providing Status & Systems Support.)
To further clarify the definition of a strategic vulnerability, let's consider the military view: “The susceptibility of vital instruments of national power to being seriously decreased or adversely changed by the application of actions within the capability of another nation to impose. Strategic vulnerability may pertain to political, geographic, economic, informational, scientific, sociological, or military factors.”* So, now we can modify this definition to address more directly the private sector. We can change the words “national power” to “business” and “another nation” to “competitors, detractors, or social actors.” Then, the definition takes a much more relevant shape: “The susceptibility of vital instruments of business to being seriously decreased or adversely changed by the application of actions within the capability of competitors, detractors, or social actors to impose. Strategic vulnerability may pertain to political, geographic, economic, informational, scientific, or sociological factors.”

* Dictionary of Military and Associated Terms, U.S. Department of Defense, 2005.

A very effective way to identify vulnerabilities is to examine the sources of threats and the targets, as shown in Table 9.1. What can be distinguished from this table is that targets can be categorized by general attack area:
Table 9.1 Vulnerability Types

Threat sources
  External threat
    • Natural disaster
    • Terrorist attack
    • Hacker-activists
  People
    • Employees
    • Customers
    • Terrorists
  Supply chain
    • Vendors
    • Raw-material suppliers
    • Manufacturers

Targets
  Strategy
    Financial
      • Cash flow
      • Stock price
      • Proprietary information
    Sustaining resources
  Infrastructure and information
    • Computer systems
    • Networks
    • Suppliers
  Leadership
  Publicity
    • Stock price