Vulnerability Prioritization & Risk Management: A CISO Guide
The Evolving Role of the CISO
The Professional CISO Podcast hosted by David Malicoat recently featured Jim Desmond who shared his unconventional approach to vulnerability prioritization and risk management. Jim is the Senior Vice President and Chief Security Officer at Asurion and one of Brinqa’s most outspoken customers. In this episode of the podcast, Jim shared his philosophy on how organizations can transform their approach to risk management by making smarter, data-driven decisions.
Jim began by acknowledging the shifting landscape for CISOs, emphasizing the increasing tension between short-term business goals and long-term risk management. In his view, CISOs often face pressure to present an overly optimistic picture of the organization’s cybersecurity posture to satisfy immediate financial objectives. He argued that this needs to change, suggesting that CISOs should be empowered to voice concerns without fear of compromising their careers.
Jim’s methodology empowers his team to pinpoint where their efforts will have the most significant impact. As he puts it, “we’re not just patching vulnerabilities; we’re strategically reducing business risk.” Jim therefore focuses on assessing potential impact by asking key questions: Is the system internet-accessible? Does it contain sensitive data? Is the software close to end-of-life? By consolidating data from multiple tools and systems and layering this metadata onto the vulnerability data, Jim ensures his team directs its efforts where they will have the greatest impact on the business.
For example, a low-scoring vulnerability on an isolated test machine is far less urgent than a higher-scoring issue on an internet-facing system that handles sensitive data. This methodology helps Jim’s team to “focus their energy in the right place,” allowing them to reduce risk more efficiently.
A Secret Weapon to Correlate Cyber and Business Risk
Jim attributes much of his success in prioritizing vulnerabilities to the use of Brinqa’s platform. Brinqa enables his team to integrate data from multiple sources, tag vulnerabilities by product and owner, and assess various factors such as exploit availability, business impact, and regulatory compliance. With this more comprehensive view, his team can rotate their perspective on the data—viewing vulnerabilities by host, product, or even the responsible executive.
Brinqa’s ability to automate processes, like tagging assets and integrating exploit intelligence, allows Jim’s team to respond rapidly to zero-day vulnerabilities, cutting response time from days to hours. This approach not only drives operational efficiency but also helps elevate the conversation around risk management to a strategic business level.
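The prioritization described above (context questions layered onto scanner scores, then pivoting the result by host, product or owner), as an added illustration that is not Brinqa’s code or Jim’s actual model. The asset records, findings and weighting factors are constructed for this example.

```python
# Constructed asset metadata: the context questions from the discussion above.
ASSETS = {
    "test-vm-07":   {"internet_facing": False, "sensitive_data": False, "eol": False,
                     "product": "lab", "owner": "eng-vp"},
    "web-portal-1": {"internet_facing": True,  "sensitive_data": True,  "eol": False,
                     "product": "portal", "owner": "cto"},
    "legacy-erp":   {"internet_facing": False, "sensitive_data": True,  "eol": True,
                     "product": "erp", "owner": "cfo"},
}

# Constructed scanner findings: (finding id, host, CVSS base score, public exploit available?)
FINDINGS = [
    ("F-1", "test-vm-07",   9.8, False),
    ("F-2", "web-portal-1", 7.5, True),
    ("F-3", "legacy-erp",   6.5, False),
    ("F-4", "web-portal-1", 4.3, False),
]

def contextual_score(cvss, exploit_available, asset):
    """Hypothetical weighting: scale the scanner score by business context."""
    multiplier = 1.0
    if asset["internet_facing"]:
        multiplier *= 2.0   # reachable by anyone on the internet
    if asset["sensitive_data"]:
        multiplier *= 1.5   # compromise exposes regulated or confidential data
    if asset["eol"]:
        multiplier *= 2.0   # no vendor fix will ever arrive
    if exploit_available:
        multiplier *= 2.0   # attackers already have working tooling
    if not asset["internet_facing"] and not asset["sensitive_data"]:
        multiplier *= 0.5   # isolated, low-value host: de-prioritize
    return round(cvss * multiplier, 1)

def prioritize(findings=FINDINGS, assets=ASSETS):
    """Return findings enriched with asset tags, highest contextual risk first."""
    ranked = []
    for fid, host, cvss, exploit in findings:
        asset = assets[host]
        ranked.append({"id": fid, "host": host, "cvss": cvss, "product": asset["product"],
                       "owner": asset["owner"], "risk": contextual_score(cvss, exploit, asset)})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)

def rotate(ranked, key):
    """Pivot total risk by 'host', 'product' or 'owner', largest total first."""
    totals = {}
    for r in ranked:
        totals[r[key]] = round(totals.get(r[key], 0.0) + r["risk"], 1)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

if __name__ == "__main__":
    ranked = prioritize()
    for r in ranked:
        print(f'{r["id"]} cvss={r["cvss"]} risk={r["risk"]} host={r["host"]} owner={r["owner"]}')
    print("by owner:", rotate(ranked, "owner"))
```

With these constructed inputs the CVSS 9.8 finding on the isolated test VM ranks last, while a CVSS 4.3 issue on the internet-facing, sensitive-data portal ranks above it, which is the trade-off the passage above describes.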
Driving Change Within the Organization
Implementing a risk-based vulnerability management program at a global company like Asurion required strong leadership and the right team members. Jim brought together a cross-functional team and focused on automation to streamline the vulnerability management process. By using Brinqa to provide visibility into high-risk areas, his team quickly gained momentum, leading to a significant drop in the organization’s overall risk score.
The impact was immediate: infrastructure and DevOps teams became more engaged because they could now see the direct effect of their remediation efforts. This shift in mindset transformed routine tasks like “Patch Tuesday” into strategic risk-reduction initiatives.
The Path Forward: Embracing a Complete View of Risk
Throughout the discussion, Jim reinforced the need for CISOs to adopt a broader perspective on risk management. Instead of being content with checking boxes for compliance frameworks, CISOs should aim to align their strategies with the organization’s long-term business objectives. Jim’s insights serve as a call to action for cybersecurity leaders to rethink how they manage vulnerabilities and integrate risk data into their decision-making processes.
Learn More and Take Action
Jim’s approach to vulnerability management serves as a model for organizations looking to optimize their cybersecurity programs. To dive deeper into his insights, listen to the full podcast episode.
About Brinqa
Brinqa’s Unified Exposure Management platform consolidates risk data across IT, applications, and cloud environments, enabling organizations to prioritize remediation efforts based on business impact. By providing comprehensive insights and automation, Brinqa helps enterprises reduce their attack surface and improve security posture. Book a personalized demo today.