Bank OZK's vulnerability risk index shows patching priorities everyone understands

Explaining vulnerability risk to non-technical executives can be hard. With his CSO50 award-winning Vulnerability Exception Risk Index, Bank OZK CISO Jason Cathey has devised a way to turn vulnerability data into a simple risk metric.

While regular patching for vulnerabilities is important, not all vulnerabilities are created equal. Their impact on the business can vary widely depending on their severity and the system on which they appear. IT teams need time to prioritize critical systems and vulnerabilities, meaning patch debt can accrue.

For boards that don’t understand the ins and outs of vulnerability data, it can be hard to understand how much risk an organization is actually taking on and whether that sits within its acceptable risk tolerance. For patching teams, it can be hard to know where to focus patching efforts.

“Anyone that monitors risk, they always want a metric,” says Jason Cathey, CISO at Bank OZK. “They want an index or a single number that they can trend and watch to see if it goes up or down and see where it sits in line with their risk appetite.”

However, vulnerability data, he says, doesn’t fit easily into a single metric.

Communicating risk with a single metric

Headquartered in Little Rock, Arkansas, Bank OZK – previously known as Bank of the Ozarks – operates in ten states in the U.S. and has over $20 billion in assets. Founded in 1903, the company has more than 3,000 employees across 255 locations.
