I was in a meeting with a large group of security professional today talking about SDL, reducing vulnerabilities, metrics, and so on – my normal topics – and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security.The discussion focused around this question – what percentage of malware infections happen due to: Vulns without patches available ? (aka new vulns) Vulns with patches available, but not applied (unpatched vulns)? Some other vector – mis-configuration, social engineering, etc ? Anecdotally – let me emphasize that – anecdotally, in our discussion we thought the breakdown was something like this: new vulns – less than 10% vulns with patches not applied – 20-30% other vector (misconfiguration, social engineering, etc) – 60-70% Let me encourage you to use your own numbers if you don’t think that breakdown is right, as I don’t think it detracts from the discussion at all. Let’s look at this graphically using the zone-h numbers: So now, let’s think about what this means in terms of product vulnerabilities and products. The bottom two bars are vulnerability, or software quality, related. So, when I try to measure vendor progress on security quality or count vulnerabilities, success along those lines only affect the bottom two bars. The remainder of managing security risk (55%) depends on other factors completely.But, even without perfect products, look how much of the malware problem can not be eliminated by improving security quality or reducing vulnerabilities. This really emphasizes how important other security disciplines are to the goal of protecting computers from malware. Security management and efforts to make users slightly more clueful jump out as to efforts that could have large impact on operational security.So, while the importance of these disciplines is by no means a new insight, going through this exercise really puts into things into perspective (for me) with respect to practical security progress in the enterprise.In the meantime, we should all encourage vendors to work towards those perfect software products to reduce the other two sections as well. Related content opinion The Snake Oil Days of Internet Health By securityjones Sep 27, 2011 6 mins Business Continuity Data and Information Security opinion 5 Top Trends Redefining CSO Priorities By securityjones Aug 23, 2011 9 mins Identity Management Solutions Business Continuity Data and Information Security opinion Protecting the Supply Chain: The CSO Rides Shotgun By securityjones Aug 08, 2011 4 mins Business Continuity Data and Information Security Physical Security opinion Career Advice? One Word. Are You Listening? … Cybersecurity By securityjones Aug 03, 2011 3 mins Careers Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe