Handling High-Profile Vulnerabilities
Author: zeltser.com. Published: 2026-6-9

When a high-profile vulnerability surfaces, executives and customers want to know whether it affects you. With a one-page brief and a short process, you can capture the key details and reach the answer without scrambling.


As a CISO, I received the same question whenever a vulnerability became famous. Are we affected? A colleague shared the headline, wanting to know whether it affected the business. A customer’s security team sent a questionnaire asking whether we’d patched it. A repeatable process for investigating your exposure to a vulnerability lets you address these concerns without scrambling.

First, a useful resource for you. Then, a discussion about what’s behind it:

I created a short Vulnerability Investigation Brief you can use to capture and share your analysis of an important vulnerability and your exposure to it. Download the template and make it your own, as Markdown and Word.

Now you have the template. It’s designed for high-profile vulnerabilities about which you need to communicate with stakeholders, for instance in “celebrity” vulnerability situations. Let’s explore how to get the most out of the template.

A checklist for assessing your exposure.

You should design your vulnerability management program so that routine vulnerabilities are handled routinely and automatically with minimal ad-hoc attention. But some vulnerabilities, including those that arise from third-party dependencies, require special attention.

When a vulnerability of such significance surfaces, go through the following steps to understand your exposure:

  1. Confirm you even run the affected product, version, and configuration. That takes asset visibility, and you will often find you don’t run it, which closes the investigation.
  2. Check whether it’s realistic for an attacker to reach the flaw. A disabled feature, a blocked port, or a segmented network can remove your exposure or buy you time.
  3. Re-rank the vendor’s worst-case severity for your exposure, compensating controls, data sensitivity, and asset criticality.
  4. Convert the call into an action someone owns by a real date, or decide it needs none. An assessment nobody acts on is only an opinion.
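The four steps above as a small exposure-triage script. This is an added example, not part of the post or its template; the advisory, the asset inventory, the 1..3 impact scale and the due-date days per severity level are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed advisory and inventory (assumptions, not a real product, CVE or network).
ADVISORY = {"product": "examplehttpd", "min_affected": "2.0.0",
            "fixed": "2.4.3", "vendor_severity": "critical"}
LEVELS = ["low", "medium", "high", "critical"]
DUE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}  # assumed SLAs per level

@dataclass
class Asset:
    name: str
    product: str
    version: str
    feature_enabled: bool     # step 1: is the vulnerable configuration in use?
    internet_reachable: bool  # step 2: can an attacker reach the flaw?
    impact: int               # step 3: 1..3 from data sensitivity and asset criticality
    owner: str

INVENTORY = [
    Asset("web-edge", "examplehttpd", "2.3.1", True, True, 3, "web team"),
    Asset("intranet-wiki", "examplehttpd", "2.2.0", True, False, 1, "it ops"),
    Asset("build-proxy", "examplehttpd", "2.1.0", False, True, 2, "platform"),
]

def runs_affected(a: Asset, adv: dict = ADVISORY) -> bool:
    """Step 1: product, version in [min_affected, fixed) and configuration must all match."""
    def ver(s):  # compare numerically, so "2.10.0" sorts after "2.9.0"
        return tuple(int(p) for p in s.split("."))
    if a.product != adv["product"] or not a.feature_enabled:
        return False  # wrong product or feature off: the investigation closes here
    return ver(adv["min_affected"]) <= ver(a.version) < ver(adv["fixed"])

def rerank(a: Asset, adv: dict = ADVISORY) -> str:
    """Step 3: lower the vendor's worst case for our controls and context."""
    score = LEVELS.index(adv["vendor_severity"])
    if not a.internet_reachable:  # step 2: an unreachable flaw buys time
        score -= 1
    if a.impact < 3:
        score -= 1
    return LEVELS[max(0, score)]

def triage_one(a: Asset, today=None, adv: dict = ADVISORY) -> dict:
    """Step 4: an affected asset gets an owner and a due date; others get none."""
    if not runs_affected(a, adv):
        return {"asset": a.name, "affected": False}
    sev, today = rerank(a, adv), today or date.today()
    return {"asset": a.name, "affected": True, "severity": sev, "owner": a.owner,
            "due_in_days": DUE_DAYS[sev], "due": today + timedelta(days=DUE_DAYS[sev])}
```

Run `[triage_one(a) for a in INVENTORY]` to get one record per asset; the records map directly onto the Defensive Actions section of the brief.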

These steps also apply when you need to investigate a compromised dependency, such as a backdoored software package. In that case, if you determine that you’re affected, you’ll shift to incident response mode (I have a template for IR too).

Communicating the vulnerability investigation.

The Vulnerability Investigation Brief is designed to address the questions that your colleagues, especially executives, want answered:

  • Bottom Line explains what the vulnerability is and how it affects the organization.
  • Quick Facts summarizes key details about the situation with placeholders to explain the significance of the vulnerability, affected resources, attack vectors, and more.
  • Are We Affected? offers guidance for answering this critical question.
  • Defensive Actions captures the work that needs to be done, complete with who will be doing what, why, and when, to move the situation forward.
  • What We Don’t Know lets you capture the gaps, which signals discipline and tells the reader when to expect more.

The template is designed for an internal audience. But the details captured within it are the foundation for an outbound message you might need to draft for your customers and other external parties. Work with the right comms team or person on externally facing content.

Don’t let the hype take over.

Every so often, a vulnerability arrives with its own branding. I first saw the term “celebrity” vulnerabilities in Trustwave’s 2015 report, which defined it as vulnerabilities that “receive memorable names, and sometimes logos, from their discoverers.” Security expert Troy Hunt later observed that such branding “has a way of drumming up excitement and sensationalism in a way that isn’t always commensurate with the actual risk.”

The celebrity vulnerability might be minor and you might not even be exposed to it. Yet, the media hype about the issue can draw outsized attention that distracts from more important work, as questions about it ricochet through the company and to its suppliers.

Don’t get distracted by the noise. Run the vulnerability through the checklist and template to address any concern calmly, celebrity or not.


Source: https://zeltser.com/high-profile-vulnerabilities