Security Market Watch

What's New in Vulnerability Management with Dr. Nikki Robinson, IBM Lead Security Architect

December 06, 2023 Josh Bruyning Season 1 Episode 22

Ready for a crash course in cybersecurity? Grab your note-taking tools and join us for a riveting conversation with the esteemed Dr. Nikki Robinson, the trailblazing STSM and lead architect at IBM, and a Cybersecurity Influencer of the Year. Armed with a wealth of knowledge and insights, Dr. Robinson guides us through the labyrinth of vulnerability management, unpacking the latest tools, processes, and strategies that are setting new benchmarks in the security realm.

Prepare to delve into the nuances of CVSS 4.0, CISA, the known exploited vulnerability catalog, and the exploitability predictability scoring system (EPSS), as Dr. Robinson brilliantly elucidates their vital role in vulnerability scoring and prioritization. She underscores the importance of these tools in aiding organizations streamline their remediation efforts, a pressing challenge many security leaders grapple with today. This enlightening episode promises a clear understanding of the complexities of cybersecurity, helping listeners appreciate the challenges and solutions in today's rapidly evolving digital landscape. So buckle up and let's decode cybersecurity together with Dr. Nikki Robinson.


Speaker 1:

Dr. Nikki Robinson, thank you for dropping in, and everybody who is watching and listening, thank you for dropping in as well and listening in to this SMW quick clip. I still don't have a good name for it, but we're here today with Dr. Nikki Robinson, and she is the STSM and lead architect at IBM, and Cybersecurity Influencer of the Year.

Speaker 1:

Congratulations. Thank you. And author: last time I talked to you, we talked about your book Mind the Tech Gap, and that came out last October. So if you're listening to this and watching, again, pick that up. And you're also working on your new book on vulnerability management, and so maybe we can talk a little bit about what's going on in the vulnerability management space, and so nobody better to talk to about this than you. So what is new?

Speaker 2:

Okay. So lots is new, and that's why Chris Hughes and I decided to write the book on vulnerability management. There's been so much going on. So I got into security because of vulnerability management, and it was partially because it was like, okay, we have some tools, we have some processes, we've got CVSS, we have a couple of things, but we really need more, right? And in the last year or so, CVSS 4.0 is out now. We've got CISA KEV, the known exploited vulnerability catalog. We've got EPSS, the exploitability predictability scoring system. So we have all these new, you know, tools and techniques at our disposal. And so I was really motivated and interested to write the book and hopefully pull some of these resources together for people, and really talk about, you know, kind of taking a modern approach to vulnerability management.

Speaker 1:

Awesome. It's a coincidence, and maybe you would call it a synchronicity, maybe if you're sort of into that stuff, but yesterday I talked to Jay Jacobs, who is the founder and the partner at Cyentia, so you know he was working on the exploit... Why could I never get that?

Speaker 2:

It's because we have 5000 acronyms. Yes, I know we need a lot.

Speaker 1:

So many acronyms. Exploit Predictability Scoring System. And so is that something that you've been working on as well, or how are you playing in that space?

Speaker 2:

So it's funny, because I primarily had been more on the CVSS side, and so I didn't really help with any of the development or anything like that around EPSS. But once it was released, I saw what a great complement it was to CVSS, and how it just, you know... Because I think one of the challenges we saw with just using CVSS is that it's a great place to start, right? Like, it's a great... We have to have some sort of scoring system, and so CVSS solves a lot of that for us, and with their latest release they get even more, I think, nuanced in how they're really scoring vulnerabilities, which is great. But I saw just this extra component that organizations can use, because there's so many different statistics out there, but a lot of them talk about a 10K backlog of vulnerabilities or a 100K backlog of vulnerabilities in large organizations. And so the idea is, you know, what tools can we use to help us prioritize and hone our remediation efforts? And I felt like EPSS was a great tool for that.

Speaker 1:

Yeah, yeah, that's a theme that we're hearing more and more. CISOs and security leaders are having a hard time. I don't want to say a hard time, but I don't want to say struggling either, because I don't want... But the thing is, okay, here's the caveat. I'm not pointing anybody out. They're not struggling more than anybody else or in any other profession. Everybody is struggling in the cybersecurity space, everybody's trying to keep up, and I think having tools that allow us to prioritize, you know, we need them. Both EPSS and CVSS are developed by FIRST, and they're a great organization. They're doing a lot of work around...

Speaker 2:

You know, sort of, how do we hone, whether it's scoring systems or developing content, because they have a great user guide. But it's essentially the score that is assigned to vulnerabilities. So from informational, low, medium, high, critical, that whole scoring system and all the different metrics that they use to calculate that and create that calculation is CVSS. And so if you go into NVD, the National Vulnerability Database, and you're looking for CVE IDs and there's an associated CVSS score, there's your vulnerability score. And so it's a... it's a good place to, like I said, it's a good place to start. You sort of have to add your own system context or organizational context and figure out kind of what it means to you. I think there's a lot of focus on, you know, hey, remediate the criticals and highs, which is good, but, you know, if you've got a massive backlog of vulnerabilities, you need some additional tools in the tool belt to help you kind of hone in on what's important.

Speaker 1:

Okay, and how does one become a cybersecurity influencer of the year? I mean, I can, I can, I can take a guess. There's so many things that you've done. I'm just thinking. You know the influencer. The whole influencer thing is so fascinating to me. I don't know how people become influencers, period. You know, I don't. I don't know how it, how it works, but is there like a committee of cybersecurity influencers? Is there an academy?

Speaker 2:

No, I think, you know, it's so funny. I think I kind of fell into it, honestly, because I, you know, I sort of straddle between being a practitioner and doing academic research. You know, I still develop research, and you know, I'm still in the academic community, but I'm also a practitioner, and so I do a lot of technical hands-on work, but then I also have the podcast, and like writing books and speaking at conferences.

Speaker 2:

And so to me, influencing... like, I even mentioned this when I accepted the award, which was very nice, but I just said, hey, I don't think being an influencer means likes or follows, or like in the traditional sense. To me it's about, did I impact someone positively to maybe pursue a doctorate degree? You know, I have a lot of people reach out to me, like, I don't know if I want to do this or not, and just sort of help, give them guidance and mentorship and, you know, hopefully give them a different perspective or, you know, help them make a decision. So to me, influencing is like, can you positively impact someone's life? So I, I don't know. I don't know if there's a committee. If there is, I'd like to meet them, but hopefully, hopefully, it was just that, you know, I had a positive impact, and that's how I, I hope that, you know, hope to continue to be a positive impact on the, the cyber community at large.

Speaker 1:

Well, the world is your committee, and, you know, that's what I'm gonna go with, because, you know, if there isn't an audience and you're not touching people, you're not reaching people, then, you know, who are you influencing? But clearly you're out there promoting the industry, and in a world where people don't really understand cybersecurity... I try to talk to my friends about cybersecurity, and it's just nobody really gets it, and so we need people like you who bring it to the masses and sort of make it a little bit more popular. So if that means owning the moniker Influencer and having, you know, having that, having that as a badge of honor, wear it proudly, and I'm so proud of you for everything that you've done. Is there, is there anything else that we can squeeze into the next 30 seconds or so, whether it's, you know, when your book is gonna be released, or is there anything specific that you want people to know?

Speaker 2:

Yeah, I think just that. Yeah, the book will be coming out beginning of May next year. They're saying May 7th, but I really hope it's May the 4th, because I'm a big Star Wars nerd, so I'm really hoping it's May the 4th. But yeah, so the book is called Effective Vulnerability Management. I'm writing it with Chris Hughes, so yeah. So I guess, check, take a look, maybe in May, hopefully to be helpful, and I don't know, maybe I'll, maybe I'll write another book next year. I don't know, we'll see.

Speaker 1:

Influence away. Keep writing those books. I mean, you are, you've influenced me. Now I want to write a book.

Speaker 2:

And if I write, after this, we'll set you up.

Speaker 1:

All right. All right, if I write a book, I'm definitely putting you in the acknowledgments. I'm gonna say the Cybersecurity Influencer of the Year 2023 influenced me to write this book, and I am dedicating it to her. You know what? Maybe I name my kids after you. How much, how far do you want this influence?

Speaker 2:

Influenced. Yeah, we're gonna have to keep it going. I'll have to be.

Speaker 1:

All right, Dr. Nikki Robinson. Thank you for dropping by.

Speaker 2:

Thank you for having me.