Combining Cybersecurity & Lean Six Sigma Expertise for Fast, Effective VM Evaluation
Highmark Health Solutions (HMHS) provides technology, like its integrated end-to-end administration solution, to health plan customers and their combined 10 million members.
The application Vulnerability Management (VM) function is shared across three primary areas: Development, Quality Assurance, and Information Security. While there are many established practices within the VM program that are typically found in an organization of this size and maturity, the client was concerned with their level of risk.
HMHS selected CyLumena to provide an evaluation of their application Vulnerability Management program to identify process gaps and recommend areas for improvement in execution and outcomes. CyLumena provided both cybersecurity and Lean Six Sigma expertise, enabling a powerful combination to achieve a more mature security posture and VM continuous improvement.
“Based on the interactions with CyLumena, I have found that their team is seasoned and professional, their findings are very insightful, and their recommendations can be put into action. The thoroughness of their assessment and reporting processes has provided us with a basis for implementing improvements to our application security program. I can state with confidence that the results have been a success.”
Jason Martin, Manager, Vulnerability Governance
Rising Risk via Application Security Vulnerabilities
The primary goals of working with HMHS were four-fold:
- Identify improvements to the Vulnerability Management program
- Provide additional security and tool training to the product development teams
- Instill performance measurement, reporting, and greater accountability
- Enable timely, efficient remediation and testing of application vulnerabilities
The client was experiencing difficulty remediating application security vulnerabilities promptly, leading to increased risk for the company and its customers.
Common challenges seen within an application Vulnerability Management program include, but are not limited to:
- Teams not observing stage gates
- Developers implementing fixes to vulnerabilities without first testing with QA
- Critical vulnerabilities being released into production
- Developers unable to scale up testing and provide test coverage
- Developers lacking a list of approved/authorized APIs
- Delays in code delivery because of inadequate testing support
- Limited developer security knowledge
- Lack of triage for complex vulnerabilities
- Inefficient, manual ticket tracking
- Testing that does not address complex scenarios
- Lack of standardized reference or training materials
- Insufficient requirement documentation
Pandemic Accelerates Technology Decision
Capitalizing on the flexibility of the Lean Six Sigma (L6S) methodology and toolset, the CyLumena team clearly defined the problem the client faced, measured key process influencers, and analyzed their data to arrive at root causes. The engagement focused on the Application Vulnerability Management program’s overall processing flow, gathering information from interviews and discussions with internal HMHS resources and identified subject matter experts.
The project was segmented into three primary workstreams:
VM Processes Evaluation:
This VM process workstream included reviewing all documentation, assessing current-state processes, and offering recommendations for process improvement opportunities.
Application Vulnerability Testing Evaluation:
We provided an assessment of the current application vulnerability testing process employed by the Quality Assurance (QA) team, outlining findings and recommendations for process improvements to the overall testing process and application vulnerability remediation.
Application Vulnerability Reporting Evaluation:
We assessed the current application vulnerability capabilities, providing recommendations for improving reports and the application VM reporting process.
Creating More Secure Healthcare Applications via Robust Vulnerability Management Processes, Testing & Reporting
The L6S approach allowed the CyLumena team to follow through efficiently, eliminating waste and ensuring a standardized engagement, from which we provided a prioritized list of 31 improvement recommendations for HMHS’ Reporting, Testing, and Vulnerability Management processes.
Our recommendations can be summarized into six areas:
- VM Governance
- Process Improvement
- Staff Onboarding & Education
- Documentation Standards
- Leadership & Culture
- Performance Measurement, Reporting & Accountability
As the client implements the recommendations, they will reduce the number of vulnerabilities introduced into their platforms and minimize the lead time required to remediate. New employees joining the vulnerability team will be well prepared for high performance, receiving the security training they need and access to up-to-date, standardized documentation.
Through improved governance and leadership approaches, the team will improve performance and accountability, ensuring that vulnerabilities are addressed quickly and that service level objectives are achieved.
Automation can deliver significant value for this client’s VM process related to the remediation, testing and verification of vulnerabilities, freeing up resources and improving cycle times.
Performance management will maintain metrics that are practical and achievable, and reports that are timely, relevant, and support agile business decisions. Most importantly, a culture will continue to grow that builds robust security controls into every stage of work.
Figure 1: The CyLumena team provided a ‘PICK chart’ to display our 31 improvement recommendations prioritized by benefit and ease of implementation.
Figures 2 & 3: The CyLumena team used statistical and graphical analysis tools like Main Effects Plots and Pareto Charts to uncover gaps and areas to address from the client’s data.
Where Does Your Vulnerability Management Program Need to Become Stronger?
This client is armed with the data and direction to chart a new course to stronger application security and a higher-performing VM team. How can CyLumena bring L6S and our cybersecurity expertise to bear on your VM program?