Getting management to listen to you about vulnerabilities

It can be really annoying when you reach that point on the security maturity curve where you start to identify vulnerabilities, but management just don't seem to care. No matter how much red there is in Nessus, you just can't get the resources to address it; it's like they just don't understand. It's almost like you're speaking a different language… and that's because you are!

Once again, this is where the BSides circuit (free or low-cost security conferences with a low barrier to entry, originally designed to showcase the talks the 'big' cons reject) is a gold mine.

At BSides Manchester this year, James Carter talked about how to speak the language of risk. Senior management will understand risk far better than the technical language of vulnerabilities. It will also help you understand that vulnerability management is not a zero-sum game, and that to the business some vulnerabilities just aren't worth fixing.

That's not to say that everything in there is everyone's best approach (look for an upcoming post on 'owning risk' and the messaging around 'risk acceptance'), but it is a genuinely excellent primer to help newcomers to risk-based vulnerability management understand what they SHOULD be reporting on to actually get senior management caring about vulnerabilities.