Nucleus Security’s Year-End Panel on Risk-Based Vulnerability Management
Panelists
- Scott Kuffer, COO and Co-Founder, Nucleus Security
- Steve Carter, CEO and Co-Founder, Nucleus Security
- Cecil Pineda, Co-Founder, CISO CX
- Gregg Martin, VP, Cybersecurity
Webinar Details
This exclusive panel discussion uncovers insights that will define your risk-based vulnerability management (RBVM) strategy for 2025.
Learn from industry leaders, gain practical best practices, and explore the trends shaping the future of vulnerability management.
This is your opportunity to future-proof your VM program and stay ahead in a critical area of enterprise risk management.
Reflect on the key storylines of 2024 and what they mean for the year ahead.
Topics include:
- Strategic shifts making vulnerability management a central part of organizational risk discussions.
- The critical need to prioritize high-risk vulnerabilities and address security debt.
- The evolving role of executive and cross-functional collaboration in successful VM programs.
- How organizations are moving toward actionable, measurable outcomes to drive progress.
- And more!
Key Insights
Organizations need to develop their own clear, tailored definitions and frameworks for RBVM to ensure that their investments and practices deliver measurable value and align with organizational goals.
Our panel underscored the fragmented and often confusing state of risk-based vulnerability management today.
While the concept is increasingly seen as foundational for robust cybersecurity practices, akin to the adoption of SIEMs, its implementation suffers from inconsistent definitions and overuse of the term by vendors.
Many cybersecurity vendors claim to offer RBVM capabilities, making it challenging for practitioners to discern which tools genuinely align with the discipline’s objectives.
This lack of clarity has resulted in organizations struggling to integrate RBVM meaningfully into their security programs, with practitioners often left guessing at the best approach.
Modern RBVM demands a multi-dimensional approach to prioritization, integrating environmental factors, dynamic threat intelligence, and asset-specific data to provide a more accurate and actionable risk assessment.
While CVSS provides a standardized method for assessing the severity of vulnerabilities, it fails to account for the unique context of an organization’s environment.
Factors like asset criticality, real-world exploitability, and compensating controls play a significant role in determining the actual risk posed by a vulnerability.
Continuing to rely solely on CVSS can lead to inefficiencies, such as focusing resources on vulnerabilities that may not be the most critical for the organization.
Organizations should prioritize vulnerabilities based on their potential to cause harm within the specific context of the business, leveraging tools and processes that align with organizational risk tolerance and objectives.
Historically, vulnerability prioritization was driven primarily by severity scores like CVSS, often leading to an overwhelming focus on addressing large volumes of vulnerabilities without sufficient consideration of their actual impact on the organization.
Today, prioritization must evolve to focus on value rather than volume, factoring in the business criticality of assets, the presence of compensating controls, and the current threat landscape.
This shift requires both cultural change within organizations and the adoption of advanced tools capable of contextualizing vulnerabilities effectively.
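As an added illustration (not code from the panel or from Nucleus), the following script shows how the multi-dimensional prioritization described above changes a remediation queue: a CVSS base score is adjusted by active exploitation, internet exposure, asset criticality from the inventory, and the presence of compensating controls. The findings, identifiers and weights are constructed assumptions, not a real scoring model.

```python
from dataclasses import dataclass

# Constructed sample findings joined with asset and threat context.
# Field names, identifiers and weights are assumptions for illustration,
# not any scanner's or vendor's actual scoring model.

@dataclass
class Finding:
    vuln_id: str                # placeholder, not a real CVE identifier
    cvss_base: float            # 0.0 - 10.0 severity as reported by the scanner
    asset: str
    asset_criticality: int      # 1 (lab box) .. 5 (revenue-critical), from the asset inventory
    internet_facing: bool
    known_exploited: bool       # flagged as actively exploited by a threat-intel feed
    compensating_control: bool  # WAF rule, segmentation, etc. already mitigates it

def contextual_risk(f: Finding) -> float:
    """Combine CVSS with environment and threat context into one risk score.

    The multipliers are example weights; a real program tunes them to its
    own risk tolerance. Scores are not capped so that the ranking stays distinct.
    """
    score = f.cvss_base
    score *= 1.5 if f.known_exploited else 0.8      # threat: active exploitation
    score *= 1.3 if f.internet_facing else 0.9      # environment: exposure
    score *= 0.6 + 0.2 * f.asset_criticality        # environment: 0.8x .. 1.6x by criticality
    if f.compensating_control:                      # controls reduce, not remove, risk
        score *= 0.5
    return round(score, 2)

def rank_ids(findings, by_cvss_only=False):
    """Vulnerability ids in remediation order, highest risk first."""
    key = (lambda f: f.cvss_base) if by_cvss_only else contextual_risk
    return [f.vuln_id for f in sorted(findings, key=key, reverse=True)]

SAMPLE = [
    Finding("VULN-A", 9.8, "dev-lab-vm", 1, False, False, True),
    Finding("VULN-B", 7.5, "web-checkout", 5, True, True, False),
    Finding("VULN-C", 8.1, "hr-portal", 3, True, False, True),
    Finding("VULN-D", 6.5, "payments-db", 5, False, True, False),
]

if __name__ == "__main__":
    print("CVSS-only order:  ", rank_ids(SAMPLE, by_cvss_only=True))
    print("Contextual order: ", rank_ids(SAMPLE))
    for f in sorted(SAMPLE, key=contextual_risk, reverse=True):
        print(f"{f.vuln_id}: cvss={f.cvss_base} risk={contextual_risk(f)} ({f.asset})")
```

On this sample the CVSS-only queue (A, C, B, D) is fully inverted once context is applied (B, D, C, A): the lab box with a compensating control drops to the bottom, and the actively exploited flaw on the revenue-critical checkout rises to the top.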
Integrating asset management and vulnerability management processes is critical to ensure that security teams have the accurate, comprehensive data needed to make informed decisions about risk.
Effective vulnerability management is increasingly dependent on accurate and comprehensive asset management.
The convergence of asset inventory and vulnerability management functions reflects a growing recognition that these disciplines are interconnected.
Accurate asset data—such as metadata about applications, services, and configurations—is essential for contextualizing vulnerabilities and determining their impact.
However, the traditional separation of these responsibilities between IT and security teams has often led to silos that hinder effective vulnerability prioritization.
Organizations must invest in automation tools that integrate seamlessly with their existing systems to handle the scale of modern vulnerability management challenges while enabling more strategic and efficient workflows.
The sheer volume of vulnerabilities many organizations face—often numbering in the millions—makes manual processes unsustainable.
Automation emerged as a cornerstone for scaling vulnerability management efforts.
Automation can streamline tasks such as data aggregation, prioritization, and remediation workflows, enabling teams to focus on strategic decision-making rather than manual triage.
However, automation is only effective when supported by a centralized platform that consolidates and normalizes vulnerability data from disparate sources.
Vulnerability management should be a collaborative effort across teams, supported by clear policies, regular communication, and a culture of shared responsibility.
Our panelists highlighted the shared responsibility model, where vulnerability management is seen as an organizational effort rather than solely the domain of the security team.
By fostering alignment through shared goals, frequent communication, and joint accountability, organizations can create a culture where all stakeholders are invested in vulnerability management outcomes.
This approach also helps overcome the resource constraints and organizational silos that often hinder progress.
Gamification strategies can drive accountability and motivation, encouraging teams to take ownership of their role in vulnerability management.
Routine patching cycles, such as Patch Tuesday, have long been a staple of vulnerability management.
However, these approaches often fail to address the nuances of risk prioritization.
Our panel discussed gamification as a potential strategy to enhance engagement and accountability among teams.
By introducing elements like team-level KPIs, leaderboards, and performance-based rewards, organizations can foster healthy competition and encourage proactive vulnerability management behaviors.
This approach also helps embed security considerations into everyday workflows, making vulnerability management an integral part of organizational culture.
KPIs should be tailored to reflect both activity and outcomes, providing actionable insights into the effectiveness of vulnerability management practices.
Key performance indicators (KPIs) such as time to remediate critical vulnerabilities, scan coverage, and the number of vulnerabilities resolved annually provide valuable insights into the effectiveness of an organization’s program.
These metrics are most impactful when they are contextualized—for example, by breaking them down by asset type, team, or technology.
This granular approach enables organizations to identify root causes of recurring issues and prioritize systemic improvements.
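As an added example (not code from the panel or from Nucleus), this script computes the KPIs named above, resolved count as an activity metric and critical time-to-remediate plus SLA compliance as outcome metrics, and breaks them down by any record field such as team or asset type. The remediation records, field names and SLA thresholds are constructed assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample remediation records (field names are assumptions):
# one row per finding, fixed=None when the finding is still open.
RECORDS = [
    {"team": "platform", "asset_type": "server",    "sev": "critical", "found": date(2024, 3, 1),  "fixed": date(2024, 3, 9)},
    {"team": "platform", "asset_type": "server",    "sev": "critical", "found": date(2024, 5, 2),  "fixed": date(2024, 5, 20)},
    {"team": "platform", "asset_type": "container", "sev": "high",     "found": date(2024, 6, 1),  "fixed": date(2024, 6, 3)},
    {"team": "web",      "asset_type": "web-app",   "sev": "critical", "found": date(2024, 4, 10), "fixed": date(2024, 5, 30)},
    {"team": "web",      "asset_type": "web-app",   "sev": "critical", "found": date(2024, 7, 1),  "fixed": None},
    {"team": "web",      "asset_type": "web-app",   "sev": "high",     "found": date(2024, 2, 1),  "fixed": date(2024, 2, 5)},
]
SLA_DAYS = {"critical": 14, "high": 30}   # assumed remediation SLA per severity

def kpis_by(records, group_field, today):
    """Activity and outcome KPIs broken down by any record field (team, asset_type, ...)."""
    acc = {}
    for r in records:
        k = acc.setdefault(r[group_field], {"resolved": 0, "crit_ttr": [], "crit_in_sla": 0,
                                            "crit_total": 0, "open_over_sla": 0})
        if r["fixed"]:
            k["resolved"] += 1                      # activity: how much work was done
        if r["sev"] == "critical":
            k["crit_total"] += 1
            if r["fixed"]:
                days = (r["fixed"] - r["found"]).days
                k["crit_ttr"].append(days)          # outcome: how fast the risk went away
                k["crit_in_sla"] += int(days <= SLA_DAYS["critical"])
            elif (today - r["found"]).days > SLA_DAYS["critical"]:
                k["open_over_sla"] += 1             # outcome: risk still present past SLA
    return {g: {
        "resolved": k["resolved"],
        "median_critical_ttr_days": median(k["crit_ttr"]) if k["crit_ttr"] else None,
        "critical_sla_pct": round(100 * k["crit_in_sla"] / k["crit_total"]) if k["crit_total"] else None,
        "open_critical_over_sla": k["open_over_sla"],
    } for g, k in acc.items()}

if __name__ == "__main__":
    for field in ("team", "asset_type"):
        print(field, kpis_by(RECORDS, field, today=date(2024, 8, 1)))
```

In the sample the platform team resolves more findings but only half of its criticals inside SLA, while the web team's single fixed critical took 50 days and another is open past SLA; the per-group view surfaces that gap where a single annual total would hide it.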
Centralized platforms and continuous validation processes are essential for achieving a mature and scalable RBVM program.
There is a need for centralized platforms that consolidate data from multiple vulnerability sources, including application, API, and infrastructure security tools.
Such platforms enable a unified approach to risk prioritization and provide the foundation for continuous validation processes.
Continuous validation ensures that vulnerabilities are not only remediated but that the underlying issues have been effectively addressed, maintaining an organization’s security posture over time.
Organizations should consider adopting CTEM frameworks to enhance their RBVM practices and address scalability challenges.
CTEM (Cyber Threat Exposure Management) emerged as a promising framework for addressing the challenges of scale and complexity in vulnerability management.
The panelists noted that CTEM can help organizations streamline the entire lifecycle of vulnerability management, from discovery and prioritization to validation.
While still evolving, CTEM offers a structured approach to integrating disparate tools and processes, enabling organizations to address vulnerabilities more effectively and efficiently.
See Nucleus in Action
Discover how unified, risk-based automation can transform your vulnerability management.