In this episode of Defense in Depth, I joined David Spark and Mike Johnson – CISO at Rivian to discuss the topic of vulnerability management. We make the argument that simply finding vulnerabilities is not enough, and true vulnerability management requires prioritizing, tracking, fixing, and assessing risks.

What we need is a comprehensive approach that includes IT hygiene, asset management, and understanding the business context so we can properly prioritize the risk and remediation.
It is also worth noting that patch management is not vulnerability management. Patch management is routine maintenance of systems, whereas vulnerability management addresses the risks posed by unpatched systems.
Lastly, for effective vulnerability management we also recognized the importance of a nuanced approach that considers business impact and risk.
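To make the "prioritize by business impact, not by scanner score alone" point concrete, here is a small added example (mine, not code from the episode or from CISO Series) that ranks scanner findings by severity weighted with asset criticality, exposure and exploit availability, assigns a remediation deadline per tier, and reports what is overdue. All asset names, vulnerability identifiers, weights and SLA values are constructed placeholders for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data; identifiers are placeholders, not real CVEs or hosts.


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # business criticality from the asset inventory, 1 (low) .. 5 (critical)
    internet_exposed: bool  # reachable from outside the network boundary


@dataclass
class Finding:
    vuln_id: str            # placeholder identifier as reported by the scanner
    asset: Asset
    cvss: float             # scanner-reported base score, 0.0 .. 10.0
    exploit_public: bool    # a working exploit is known to circulate
    found_on: date
    status: str = "open"    # open | in_progress | fixed | accepted


# Tier -> remediation deadline in days. Assumed policy values for this example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def priority_score(f: Finding) -> float:
    """Risk-based score: CVSS scaled by business context, exposure and exploitability."""
    if not 1 <= f.asset.criticality <= 5:
        raise ValueError("criticality must be in 1..5")
    score = f.cvss * (f.asset.criticality / 5.0)
    if f.asset.internet_exposed:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return round(score, 2)  # range 0 .. 22.5


def tier(score: float) -> str:
    """Map a priority score onto the SLA tiers; thresholds are assumed."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def due_date(f: Finding) -> date:
    return f.found_on + timedelta(days=SLA_DAYS[tier(priority_score(f))])


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Unresolved findings, highest risk first."""
    active = [f for f in findings if f.status in ("open", "in_progress")]
    return sorted(active, key=priority_score, reverse=True)


def overdue(findings: list[Finding], today: date) -> list[Finding]:
    return [f for f in prioritize(findings) if due_date(f) < today]


def sample_findings() -> list[Finding]:
    """Constructed inventory: note the CVSS 9.8 on the isolated dev box ranks last."""
    db = Asset("db-example-01", criticality=5, internet_exposed=False)
    portal = Asset("portal-example-01", criticality=4, internet_exposed=True)
    dev = Asset("dev-example-01", criticality=1, internet_exposed=False)
    lab = Asset("lab-example-01", criticality=2, internet_exposed=True)
    found = date(2024, 1, 10)
    return [
        Finding("VULN-EXAMPLE-A", db, 7.5, True, found),
        Finding("VULN-EXAMPLE-B", portal, 6.5, True, found),
        Finding("VULN-EXAMPLE-C", dev, 9.8, False, found),
        Finding("VULN-EXAMPLE-D", lab, 9.8, True, found),
    ]


if __name__ == "__main__":
    for f in prioritize(sample_findings()):
        s = priority_score(f)
        print(f"{f.vuln_id:16} {f.asset.name:20} cvss={f.cvss:<4} score={s:<6} "
              f"{tier(s):8} due={due_date(f)}")
```

Running it ranks the exposed portal finding (CVSS 6.5) above the critical-severity finding on the isolated dev box (CVSS 9.8), which is exactly the reordering that asset management and business context buy you; the deadline and overdue functions are the "tracking" half of the argument, since a ranked list nobody follows up on is still just a scan.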
You can listen to the episode using the link below or on the CISO Series website. I would love to hear your thoughts about it.