
To Gauge Risk from Third Parties and Employees, Scalability and Automation Are Essential

We continue our series on assessing third-party risk, where we’re describing scenarios in which an automated, cloud-based system can help you identify security and compliance gaps among vendors, partners and employees.

As discussed in this series’ first installment, it’s short-sighted to put great effort into protecting your IT environment while ignoring the security and compliance policies and procedures of your trusted third parties.

We illustrated this principle with the hypothetical example of two CISOs — Jane and Emily — who almost simultaneously hire the same outsourcer, and grant it privileged access to their respective companies’ sensitive data and IT systems.

Assessing Risk from Vendors and Other Third Parties Is Key to Business Success

Jane and Emily are CISOs at two large companies that, about five years ago, almost simultaneously hired a well-known outsourcer that provides back office business services. Both companies entrusted the outsourcer with sensitive corporate data and granted it special access to their IT systems.

Both Jane and Emily had spent a lot of time, effort and money boosting their respective companies’ physical and IT security, and tightening their compliance with external regulations and internal rules.

However, these two successful CISOs differed in a key area: third party risk management. Jane had given short shrift to this important but overlooked area. Meanwhile, Emily had made it a priority to create a formal, comprehensive, centralized and automated program for assessing third-party risk.

Prioritizing Remediation: Visualize and Share the Data, Apply It to Your Organization

This is the last part in our series on prioritizing vulnerability remediation, where we’ve been outlining basic requirements so you can always identify the IT assets you must patch right away.

In our first two posts, we met Steve, an infosec manager whose organization’s inability to manage its IT environment’s vulnerabilities had turned him into an insomniac. We also described the first three requirements for success:

  • compiling a complete, detailed IT asset inventory;
  • logging the constant stream of vulnerability disclosures;
  • and correlating external threat information with your IT assets’ vulnerabilities.

In this last installment, we discuss the last two of the five requirements: having dashboard tools to visualize and share your threat landscape; and making precise assessments of your organization’s risk scenarios.

Qualys Beefs Up Cloud Tool for Security Consultants

Like all security consultants, you face intensifying challenges, demands and pressures as your customers’ IT infrastructures become more complex and hackers get more aggressive and effective.

Organizations entrust you with the complex and critical task of making comprehensive and accurate security assessments of their IT environments. Every customer engagement is a high-stakes job.

You must stay abreast of the latest, ever more sophisticated cyber attacks, as well as understand your customers’ increasingly heterogeneous and distributed IT environments. To succeed, it’s not sufficient to rely on your know-how and experience, however vast those might be. You also need the best software tools available to do your job.

Prioritizing Remediation: Plug into the Firehose of Vulnerability Disclosures and Correlate

This is part two in a three-part series on prioritizing vulnerability remediation, where we’re explaining five basic requirements for identifying on an ongoing basis which IT assets you must patch right away.

In our first post last week we met Steve, a nightmare-stricken infosec manager who loses sleep over his organization’s inability to manage its IT environment’s vulnerabilities. We also described the first requirement for success: compiling a complete, detailed IT asset inventory.

In this second installment, we’ll spell out two more requirements: logging the constant stream of vulnerability disclosures; and correlating external threat information with your IT assets’ vulnerabilities.

End the Nightmare of Vulnerability Disclosure Overload: Keep Calm and Prioritize

Overwhelmed by the mounds of vulnerabilities in their IT environments, many organizations struggle to prioritize remediation, but you can overcome this challenge with the right approach.

Prioritize vulnerability remediation with Qualys ThreatPROTECT so you don't lose sleep.

Steve, an information security manager, is again rattled awake at 3 a.m. by a recurring nightmare: He’s at work and his desk suddenly gets transformed into a mile-long Whack-A-Mole cabinet with thousands of holes. But instead of toy moles, what springs up from the cabinet holes are red square signs, each displaying a different CVE number.

Mallet in hand, a flustered Steve quickly realizes there’s no way he can hit every CVE sign before time runs out. Worse, he gets no points for hitting the ones that pose no threat to his IT assets: He only gets rewarded when he whacks one that could seriously compromise his IT environment.

Are Your Vendors, Partners and Other Business Allies Putting Your Organization at Risk?

Qualys SAQ Automates the Process of Assessing Your Third Parties’ Security Posture

How compliant are vendors and other third parties with information security standards, your organization’s internal policies and government regulations? Making these assessments has never been easy, but it’s getting increasingly complicated, and the stakes are getting higher. While your organization may have gone to great lengths to secure its IT infrastructure, networks and assets, the vendors and other third parties with remote access to your systems and data can make you vulnerable to breaches.

So Many Vulnerabilities, So Little Time: ThreatPROTECT Identifies the Assets You Must Patch Now

If you are an information security professional, you’ve probably experienced vulnerability disclosure overload. We’re referring to that acute sense of feeling burdened that can afflict even the best infosec teams. This ailment strikes when infosec pros grapple with the constant release of vulnerability announcements, amounting to thousands per year.

Here’s a registration discount code for AppSec Europe courtesy of Qualys

Qualys is a sponsor of this year’s AppSec Europe, and if you use our code QLYS-EU100 you will get a €100 discount on your registration for this event, to be held in Italy from June 27 to July 1st.

The conference is organized by OWASP, a nonprofit with 200 chapters in 100 countries whose mission is to “make software security visible.” OWASP, which stands for Open Web Application Security Project, seeks to help individuals and organizations worldwide make informed decisions about software security risks.