Why CIOs Should Focus On Vulnerability Management Right Now

Mar 31, 2020
Jason Rolleston
Chief Product Officer


Few aspects of business look anything like they did even a week or two ago. Business travel is now virtually non-existent. Millions more employees are working from home, stressing corporate VPNs and enterprise applications. Businesses are completely rethinking how they engage with partners, prospects, and customers. 

And at a time when CIOs are consumed with maintaining business continuity, hackers and bad actors sense an opportunity. They assume most IT chiefs are distracted enough to let their guard down and leave their enterprise vulnerable.

In addition to their day-to-day responsibility for IT infrastructure, networks, applications and end-user environments, CIOs also own (or at least share) the responsibility of protecting the assets, networks, and applications that house the data their businesses run on. And as cyber threats proliferate and enterprises scale, that job has never been more difficult or complicated. To hackers (who now are working overtime), an expanding infrastructure simply looks like a growing attack surface–and a tempting target. Every new computer system, IoT device, or application brings with it more vulnerabilities that bad actors can exploit.

The typical enterprise, in fact, has millions of vulnerabilities. Only a small percentage — roughly 2% to 5% — are likely to emerge as legitimate threats to any given environment, yet the traditional ways of managing vulnerabilities offer little help in pinpointing which ones are likely to be weaponized. Vulnerability scanners report a severity for each finding, but that says little about the specific risk it poses to the organization: whether it is being exploited, how exposed the affected system is, and what that system is worth to the business. One security analyst for a global insurance firm told me that those scans produced lists so long as to prove “meaningless.”

Without a better approach, Security teams come to IT with lists of thousands of so-called “critical” vulnerabilities, insisting that they all be addressed ASAP. IT teams then waste precious cycles patching vulnerabilities that present little risk to their organization while ignoring others that do, and the time lost comes straight out of more strategic digital transformation projects. Meanwhile, indiscriminate patching of business-critical applications causes outages of its own and threatens SLAs, so a process meant to reduce risk ends up adding operational risk.

To make matters worse, this IT overhead and increased risk doesn’t actually buy you better security outcomes. It’s wasted time, wasted energy, and avoidable risk. Over time, this produces a persistent disconnect that harms working relationships and leads to unpleasant, productivity-killing turf wars. Security feels unsupported by IT, and IT feels bullied by Security.

An outdated, everything-is-a-risk approach to vulnerability management makes the CIO’s job harder, adds overhead to all teams, increases IT risk, and is ineffective at reducing Security risk. So even though vulnerability management (VM) might strike you as just another security function or cost center within your larger organization, it deserves a much closer look.

VM: It’s not just for Security anymore

In recent years, it’s become apparent to many CIOs and their counterparts in Security and Dev that protecting IT infrastructure is a team sport, and that cross-functional collaboration is what wins it. No single function can fully secure the enterprise by itself. IT, Security, and Dev teams all need one another.

Managing and remediating vulnerabilities is the natural starting point for this collaboration. VM matters to all of these groups, and frankly, they all deserve better than what they’ve had. Especially now.

Fortunately, the marketplace is moving toward a more modern approach to VM, one that applies analytics at cloud scale to overcome the limitations of the broken status quo. The new generation of VM gives Security and IT visibility into the actual risk each vulnerability presents, so they can make informed decisions about what is worth patching now and what can wait. Better still, it gives both groups a single objective to align around, reducing risk, and removes unnecessary overhead from the process. Who could argue with that?
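The contrast drawn above, between a severity-driven “critical” list and a risk-driven one, is easy to see with a small scoring exercise. The following is an added example, not Kenna Security’s product code or scoring model: it ranks constructed scanner findings by exploit likelihood, exposure, and asset criticality rather than by CVSS severity alone. The field names (`epss`, `exploited_in_wild`, `asset_criticality`, `internet_facing`), the weights, and the placeholder CVE identifiers (`CVE-0000-000x`) are all assumptions made for illustration.

```python
"""Risk-based prioritization of vulnerability scanner findings.

Added example, not Kenna Security's code. Ranks findings by the chance they
will actually be exploited against this organization instead of by CVSS
severity alone. All weights and field names are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # CVSS base score 0-10: severity, not risk
    epss: float              # assumed field: probability of exploitation, 0..1
    exploited_in_wild: bool  # assumed field: confirmed in-the-wild exploitation
    asset_criticality: int   # assumed scale: 1 (throwaway VM) .. 5 (revenue system)
    internet_facing: bool    # assumed field: reachable from the internet


def risk_score(f: Finding) -> float:
    """Combine threat likelihood with business impact (illustrative weights).

    Known exploitation overrides a low probability estimate; exposure and
    asset value scale the result; severity only scales it further, so a
    CVSS 10 on an isolated lab box still lands near the bottom.
    """
    likelihood = f.epss
    if f.exploited_in_wild:
        likelihood = max(likelihood, 0.9)
    exposure = 1.0 if f.internet_facing else 0.4
    impact = f.asset_criticality / 5.0
    return round(likelihood * exposure * impact * (f.cvss / 10.0) * 100, 1)


def prioritize(findings: List[Finding], top_n: Optional[int] = None) -> List[Finding]:
    """Return findings ordered from highest to lowest risk."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return ranked[:top_n] if top_n else ranked


def cvss_critical(findings: List[Finding], threshold: float = 9.0) -> List[Finding]:
    """The traditional list: everything the scanner calls 'critical'."""
    return [f for f in findings if f.cvss >= threshold]


def triage(findings: List[Finding], risk_cutoff: float = 10.0) -> Dict[str, List[str]]:
    """Split findings into a patch-now queue and a deferrable backlog."""
    ranked = prioritize(findings)
    return {
        "patch_now": [f.cve for f in ranked if risk_score(f) >= risk_cutoff],
        "defer": [f.cve for f in ranked if risk_score(f) < risk_cutoff],
    }


# Constructed sample findings with placeholder CVE ids; not real scan data.
SAMPLE: List[Finding] = [
    Finding("CVE-0000-0001", "build-server", 9.8, 0.02, False, 2, False),
    Finding("CVE-0000-0002", "hr-portal", 9.1, 0.01, False, 3, False),
    Finding("CVE-0000-0003", "vpn-gateway", 7.5, 0.60, True, 5, True),
    Finding("CVE-0000-0004", "payments-api", 8.8, 0.35, False, 5, True),
    Finding("CVE-0000-0005", "test-vm", 10.0, 0.05, False, 1, False),
]


if __name__ == "__main__":
    print("CVSS 'critical' list:", [f.cve for f in cvss_critical(SAMPLE)])
    for f in prioritize(SAMPLE):
        print(f"{f.cve:14} {f.asset:13} cvss={f.cvss:4} risk={risk_score(f):5}")
    print(triage(SAMPLE))
```

On this sample the severity-only view flags three findings as critical, all of them on internal, low-value systems, while the two findings that top the risk ranking (an actively exploited flaw on an internet-facing VPN gateway and a high-probability one on the payments API) are not on that list at all. The cutoff in `triage` is the kind of threshold IT and Security can agree on in advance, which is what turns a thousand-item argument into a short, shared queue.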

As for CIOs themselves, focusing on risk lets them report progress to every C-level executive and board member in the language of risk, which those audiences already use and regularly focus on. And it gives them an opportunity to lead with confidence in an age where business challenges and cyber threats evolve by the day, and confidence is too often in short supply.

Learn more by downloading our new eBook, 5 Things Every CIO Should Know About Vulnerability Management



© 2022 Kenna Security. All Rights Reserved.