Regarding Jacob Williams’ idea of using “Accepted Insecure Time” instead of “Service-level Agreement” when discussing vulnerabilities and patches: there is logic in this. Indeed, the term SLA hides the essence of the problem: as long as the vulnerability is not fixed (even if IT performs patching within the SLA window), the company can be HACKED. And that is no longer a matter of service operations, but something else, something more important.
On the other hand, where should this new term be used?
🔹 IT thinks in terms of services. Do you propose to go to them with your newspeak? Looks unconstructive. Nowadays it is common to speak to businesses in their language. Why do you speak to IT in the language of information security? 🤔
🔹 Or are you going to bring this to the business and then translate it into an SLA for IT? Isn’t this an extra unnecessary step? 🙂
BTW, in Russian it would be “принятое время незащищённости” (ПВН), which creates an additional allusion to PWN. 😉
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I post.