
Risk-based Vulnerability Management (RBVM) is Dead… Long Live RBVM

5 min read · Sep 1, 2025

The hardest part of being a CIO isn’t deciding what to fix, it’s deciding what NOT to fix.

The Million-Dollar Noise Machine

Vulnerability management was by far the most frustrating and utterly bloated security budget item in all companies. We spend millions of dollars essentially using math to convert a crappy, noisy list of CVEs into a slightly less crappy list (aka “Cyber Risk Quantification”).

With nearly 250,000 CVEs listed on NIST’s dashboard, the scale of the problem becomes immediately apparent. Even when these are categorized by severity (critical, high, medium, and low), the number of critical vulnerabilities alone is overwhelming.

The human cost? We stay late and patch servers for CVEs we knew were irrelevant and unexploitable. But some tool, somewhere, marked the issue as “critical,” and there goes our weekend.

And despite the effort spent on RBVM, we still had little confidence in our security posture. Pentest consultants quickly shredded us. Our SOC tools were poorly tuned. We essentially had to wait for a breach to know if we were actually secure.

The False Precision Problem

The traditional RBVM approach relies heavily on what the industry calls “Cyber Risk Quantification,” a process that assesses and calculates the potential financial impact of cyber threats on an organization. But here’s the…
