The more digital transformation accelerates, the more organizations are faced with complex changes and challenges. Customers and end users expect access to products and services anyplace, at any time, from any device. The war for their satisfaction and loyalty is fought on the battlefield of applications and the experiences they deliver.

From ever-increasing amounts of incremental data and required process improvements, to new business models and essential skills training for teams, application security is critical for all organizations, in part because there is no standard business metric used to measure the risk posed by threats and vulnerabilities.

The vast majority of organizations run a hybrid production landscape composed of traditional and modern applications, as well as associated external dependencies. Triple-digit vulnerabilities are a common daily occurrence. At the security operations management desk, questions almost always relate to remediation prioritization, and the related business impact is typically missing.

Which vulnerabilities should we target first for remediation?

Business risk observability lists publicly disclosed vulnerabilities and exposures, and stack ranks them numerically (0-10) in order of their severity. The qualitative ratings are Critical, High, Medium, and Low, and are usually referred to as the Common Vulnerability Scoring System, or CVSS scores. Vulnerability management and scanning tools leverage these scores, and the vulnerabilities classified as critical tend to be the ones targeted first for remediation. However, CVSS scores alone provide an incomplete picture because they don’t account for the business context of an application.

In addition to being an integral part of CVSS categorization and scoring for all public vulnerabilities through Cisco Talos, Cisco provides a unique and differentiated approach by extending runtime application security intelligence to include business transactions. Business transactions are the end-to-end, cross-tier processing path used to fulfill a request by a business application.

For example, in a retail application the checkout process is a business transaction with high revenue impact. In a healthcare application, medical record reporting is a business transaction with a high impact to compliance requirements. Both examples represent priorities for vulnerability management and remediation – a scoping differentiation that Cisco provides. This typically brings down the enterprise vulnerability envelope to double digits, optimizing focus and time to resolution.

Which vulnerabilities are likely to have the most impact to the business?

Cisco’s differentiated scoring of runtime vulnerabilities by business transaction brings real value and agility, but operators continue to prioritize vulnerabilities based on severity; only now it’s prioritized on a per-business-transaction basis. That’s where Cisco’s innovative business risk observability comes into play. Cisco Business Risk Observability is an industry first, representing an evolution in how organizations can view, understand, and take action based on a new business risk score.

The Cisco business risk score is a unique approach using correlated data to produce insights that combine the standard CVSS severity score with a real-time risk-based vulnerability score from Cisco Kenna Security. This real-time vulnerability score takes into account what is currently happening in the wild for each vulnerability, and then conveys the likelihood of exploitation using that particular attack vector.

Business Risk score for a business transaction

In practical terms, the Cisco business risk score provides a more efficient and optimized way to stack rank and evaluate risks, and the need for remediation, based on the real-time nature of the correlated risk information and insights. The Cisco business risk score helps to scale down the number of alerts that require prioritized remediation into the single digits, a huge optimization when compared with the current vulnerability landscape of all business applications and their related dependencies. For example, when the CVSS score is high, and the real-time vulnerability score is also high, the Cisco business risk score would trend up, highlighting both heightened risk of exploitation and correlated business impact. Cisco brings observability and security together by enabling operators to immediately focus on issues with the highest business risk and potential impact, and then follow top recommended actions – including the ability to employ automated mechanisms.

High CVSS score and high real-time vulnerability score

Unique scenarios with Cisco Business Risk Observability

Two other interesting and unique scenarios that can also occur when using business risk observability are:

  • The CVSS score is high, but the real-time vulnerability score is low. In this case, although the severity of the vulnerability is high, the likelihood of exploitation or the related business impact is low. This level of insight provides an important distinction which helps operators differentiate between what’s important versus what’s urgent, using business risk as the ultimate arbiter. Many times, a fix or a patch to remediate the highlighted vulnerability would require rewriting a big piece of code or even recompiling a traditional application, consuming resources and time that might be better spent on remediating another, higher-impact vulnerability.
  • The CVSS score is low, but the real-time vulnerability score is high. In this case, the operator most likely would have deprioritized or even ignored this vulnerability due to its low CVSS severity score alone, being completely oblivious to its potential business risk and impact. Although very serious, this scenario is quite common. The Cisco business risk score changes the paradigm by uncovering the predicted exploitation and the real-time activity around this specific vulnerability, once again helping to prioritize the team’s focus on the remediations that matter most through the business risk observability lens.

According to the Cisco Cybersecurity Readiness Index, companies urgently need to act on the security posture of their applications and related workloads. Only 12% are in a state of mature application-security readiness, while 65% are in the early or formative stages. Cisco’s application strategy aims to ensure greater resilience against the growing attack surface of the experience economy, where applications are no longer an adjunct but rather are the business itself.


For more information about business risk observability, visit Cisco Full-Stack Observability.

Watch Video: Cisco FSO Business Risk Observability Demo




Carlos Pereira

Cisco Fellow

Chief Architect, SI&A