Looking Back: What We Learned in 2024

Corey Tomlinson
January 6, 2025
Looking Back on 2024

Looking back on 2024 to start the new year, we had the great opportunity to host and be part of several conversations and demonstrations that we hope were valuable learning opportunities for everyone who joined us. Let’s take a moment to review some of the highlights from those 2024 events before we leap into 2025. 

Risk-based Vulnerability Management Demands Dynamic Prioritization 

Staying true to the annual recap theme, the first highlight comes from our recent end-of-year panel discussion. This far-ranging discussion is worth watching from beginning to end. However, there was an acknowledgment during the webinar that relying on one scoring standard for risk prioritization doesn’t hold up in today’s environment. 

Cecil Pineda, Co-Founder of CISO CX, talked about using CVSS as a sole prioritization standard: 

“We always talk about risk-based vulnerability management, but for some reason, we still go back to using CVSS as a measuring stick. I hated using it, because of the volume of vulnerabilities, because of the net volume of assets we have, it is so hard to make decisions based on risk, because there are so many factors. When you look at one asset, is it internet facing? Is it processing or storing content? There are so many factors that we need to consider to measure an asset’s criticality to the organization.” 

While CVSS is a valuable tool for your vulnerability prioritization efforts, relying on it solely can lead to inefficiency and wasting time remediating vulnerabilities that aren’t the most critical risks to your organization. 

Check out Cecil’s comments on the topic around the 6-minute mark of the on-demand webinar.

Vulnerability Prioritization Strategies 

Prioritization is a significant consideration in vulnerability management. While discussing the nuances of operationalizing EPSS earlier in the year, Nucleus Co-Founder and CTO Scott Kuffer, along with Cyentia’s Jay Jacobs and FIRST’s Stephen Shaffer, identified a four-tier model for vulnerability categorization. 

  1. Validated exposures 
  2. Active exploitation 
  3. Predictive exploitation 
  4. Impact and likelihood of exploitation 

This decision-tree approach makes it possible for organizations to map EPSS scores to their remediation Service Level Agreements and remediate more efficiently. Employing EPSS scores adds a predictive element to the mix: it assesses the likelihood of exploitation alongside criticality, enriching vulnerability remediation well beyond what a criticality score alone provides. 
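To make the four-tier model concrete, here is an added illustration (not Nucleus code and not from the webinar) of the decision tree as a prioritization function. A finding is walked down the tiers in order: validated exposure first, then observed active exploitation, then a predictive EPSS threshold, and finally an impact-and-likelihood score that blends CVSS, EPSS and asset context for everything left over. The EPSS threshold, the SLA day counts, the asset-context weights and the sample findings are all assumptions constructed for the example.

```python
"""Four-tier vulnerability prioritization decision tree with EPSS-driven SLAs.

Added example, not Nucleus code. Tier order follows the panel's model:
validated exposure -> active exploitation -> predictive (EPSS) -> impact/likelihood.
All thresholds, SLA targets and weights below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder identifiers, not real CVEs
    cvss: float                 # CVSS base score, 0-10
    epss: float                 # EPSS probability of exploitation (next 30 days), 0-1
    actively_exploited: bool    # observed in-the-wild exploitation (e.g. a KEV listing)
    validated: bool             # exploitability confirmed on this specific asset
    internet_facing: bool       # asset context from the CMDB / attack-surface inventory
    sensitive_data: bool        # asset processes or stores sensitive content


# Assumed remediation SLA targets (days) per tier
SLA_DAYS = {1: 3, 2: 7, 3: 30, 4: 90}

# Assumed EPSS threshold above which a finding is treated as "predicted exploitation"
EPSS_THRESHOLD = 0.10


def tier(f: Finding) -> int:
    """Walk the decision tree top-down; the first matching branch wins."""
    if f.validated:              # tier 1: validated exposure on this asset
        return 1
    if f.actively_exploited:     # tier 2: active exploitation observed
        return 2
    if f.epss >= EPSS_THRESHOLD: # tier 3: predicted exploitation
        return 3
    return 4                     # tier 4: rank by impact and likelihood


def impact_likelihood_score(f: Finding) -> float:
    """Tier-4 ordering: CVSS impact x exploitation likelihood x asset exposure.

    The small 0.05 floor keeps a high-CVSS finding with EPSS 0 from scoring zero.
    Exposure weights are assumptions: +50% for internet-facing, +25% for sensitive data.
    """
    exposure = 1.0
    if f.internet_facing:
        exposure += 0.5
    if f.sensitive_data:
        exposure += 0.25
    return round(f.cvss * (0.05 + f.epss) * exposure, 3)


def sla_days(f: Finding) -> int:
    return SLA_DAYS[tier(f)]


def prioritize(findings):
    """Sort by tier first, then by descending impact/likelihood within a tier."""
    return sorted(findings, key=lambda f: (tier(f), -impact_likelihood_score(f)))


# Constructed sample findings (placeholder CVE ids, invented scores)
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, actively_exploited=False,
            validated=False, internet_facing=True, sensitive_data=False),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.00, actively_exploited=True,
            validated=False, internet_facing=False, sensitive_data=True),
    Finding("CVE-0000-0003", cvss=6.5, epss=0.45, actively_exploited=False,
            validated=False, internet_facing=True, sensitive_data=False),
    Finding("CVE-0000-0004", cvss=5.0, epss=0.01, actively_exploited=False,
            validated=True, internet_facing=False, sensitive_data=False),
    Finding("CVE-0000-0005", cvss=9.1, epss=0.03, actively_exploited=False,
            validated=False, internet_facing=False, sensitive_data=False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve}  tier={tier(f)}  cvss={f.cvss:<4}  epss={f.epss:<5}  "
              f"sla={sla_days(f)}d  score={impact_likelihood_score(f)}")
```

Run as-is, the CVSS 5.0 finding with a validated exposure lands at the top with a 3-day SLA, while the CVSS 9.8 finding with a 2% EPSS drops to tier 4 and a 90-day SLA. That inversion is exactly what a CVSS-only queue cannot express, and swapping the assumed thresholds for your own SLA policy is the only change needed to put the model into practice.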

Hear more from Scott, Stephen, and Jay in the webinar Predictive Vulnerability Management: Operationalizing EPSS with Business Context.

Understand the Human and the Technology Sides of Vulnerability Management 

Departing a bit from the technical side of vulnerability management, Co-Founder and CEO Steve Carter held an in-depth discussion on the human side of vulnerability management with Nikki Robinson, STMS – Cyber Resiliency and Recovery at IBM. 

The recording is an exploration of the human factors that play a part in the effectiveness of a vulnerability management program, including: 

Context Switching and Cognitive Psychology 

Cognition and metacognition are key aspects of how individuals process information and make decisions. Understanding how these cognitive processes impact decision-making leads to more effective risk mitigation strategies. It also helps to guard against context switching and the negative effects it can have on your team. 

Unconscious Bias and Relationship Building 

Unconscious bias influences how individuals perceive and respond to security challenges, leading to miscommunication and inefficiencies in vulnerability remediation. Being aware of unconscious bias and opening dialog between and within teams will help prevent bias in the decision-making process, improve relationships between teams, and strengthen your overall security program. 

Human Computer Interaction and Cyberpsychology 

Exploring the principles of human-computer interaction and cyberpsychology helps us understand how individuals interact with technology and security systems. It also helps create user-friendly solutions that enhance usability and mitigate human error. Leveraging cyberpsychology insights can also help organizations better understand user behavior and tailor security strategies to align with human cognition and decision-making processes. 

If you want to dive deeper into the human side of vulnerability management, watch the recording of How to Build an Effective Human-Centric VM Program.

That’s a Wrap on 2024 

These highlights are just a taste of what we learned in the past year. Each of our webinars is available to watch on-demand as often as you’d like. Browse the selection and dig into conversations about vulnerability management best practices, metrics and benchmarks, research, strategies, and more. 

We’ve got a lot in store for 2025, and we hope you join us! 

Corey Tomlinson
Corey is a member of the Nucleus marketing team, responsible for driving awareness about the company’s solutions and topics relevant to the company’s customers and partners.
