X Close Search

How can we assist?

Demo Request

Prioritize Vulnerabilities in Cloud-Native Environments

Post Summary

In today’s rapidly evolving technological landscape, healthcare delivery organizations (HDOs) and their vendor ecosystems face a pressing dilemma: how do you efficiently manage and prioritize the ever-growing number of vulnerabilities in cloud-native environments? The stakes are higher than ever, with patient safety, operational continuity, and compliance hanging in the balance. This article dives into the challenges, frustrations, and solutions discussed by two seasoned cybersecurity professionals, offering actionable insights for professionals in healthcare and cybersecurity industries.

From addressing the chaos of vulnerability overload to shifting toward a threat-centric approach, this discussion provides a roadmap for organizations aiming to streamline their vulnerability management programs (VMPs). In this piece, we analyze the content of the video, expand on its ideas, and contextualize them for healthcare and security leaders who are navigating this complex terrain.

The Growing Burden of Vulnerabilities: A Crisis of Scale

The cybersecurity industry is grappling with an overwhelming volume of vulnerabilities - far more than it can handle effectively. As one speaker aptly pointed out, "We are now up to a major vulnerability release every week, compared to every month or year in the past." This escalation is fueled by various factors, including:

  • The rise of AI-generated code, which often introduces new security risks.
  • Attackers leveraging automation tools to exploit vulnerabilities faster than organizations can patch them.
  • Shortened remediation windows, with some threats exploitable within minutes to days after disclosure.

The speakers highlighted the immense frustration this creates within organizations. Vulnerability management professionals are often stuck in reactive roles, overwhelmed by alerts and forced to rely on spreadsheets to track and prioritize issues. This approach not only breeds inefficiency but also leads to burnout, as teams struggle to distinguish genuine threats from noise.

The Disconnect: Vulnerability Management in Silos

One of the most significant challenges in vulnerability management is the lack of integration between different organizational units. Security, engineering, and management teams often operate in silos, leading to miscommunication and inefficiencies. As the speakers shared, vulnerability data often lacks context, resulting in engineers receiving massive lists of issues to address - many of which may not even be relevant to their systems.

This disconnect is further exacerbated by the fragmented tooling landscape. Organizations typically use multiple tools for scanning infrastructure, applications, containers, and more, each with its own scoring system. As a result, teams face the daunting task of reconciling disparate data sources, trying to identify which vulnerabilities truly matter.

Key Symptoms of Dysfunction:

  • Lack of ownership: Teams struggle to determine who is responsible for addressing specific vulnerabilities.
  • Overreliance on generic scoring systems like CVSS, which lack the nuance needed for prioritization.
  • Reactive, SLA-driven approaches that focus on meeting deadlines rather than addressing meaningful risks.

The Shift: From Vulnerabilities to Contextualized Risk

The speakers emphasized a transformative mindset: stop treating vulnerabilities as isolated technical issues and start contextualizing them as business risks. This shift involves answering critical questions such as:

  • Who owns this asset?
  • Is the vulnerability exploitable in our environment?
  • What is the business impact if left unaddressed?

They advocated for moving away from traditional, one-size-fits-all approaches and embracing methods that prioritize vulnerabilities based on their potential impact on the organization. By incorporating contextual data - such as asset criticality, exploitability, and business impact - teams can focus their efforts on the vulnerabilities that truly matter.

The Roadmap to Effective Vulnerability Management

Achieving an efficient and effective vulnerability management program requires a holistic, collaborative approach. Here are the key principles and strategies shared in the discussion:

1. Asset Ownership and Stewardship

Ownership is foundational to any successful VMP. Organizations must identify and establish clear ownership of infrastructure, applications, and other assets. However, ownership shouldn’t feel like blame - it should be reframed as stewardship, fostering pride and accountability among teams.

2. Leverage Data to Build Context

The speakers stressed the importance of using data to bridge the gap between security professionals and engineers. Contextualizing vulnerability data allows organizations to:

  • Eliminate duplicate findings across tools.
  • Prioritize based on exploitability, reachability, and business impact.
  • Deliver actionable insights to the right individuals or teams.

3. Automate Wherever Possible

Automation is crucial for reducing manual effort and improving efficiency. For example:

  • Automated attribution can assign vulnerabilities to the correct owners.
  • Lineage mapping can trace vulnerabilities back to their origin, identifying whether they stem from code, libraries, or infrastructure.

4. Adopt a Risk-Based Approach

Risk-based prioritization involves layering multiple factors, such as:

  • Whether the vulnerability is actively exploited in the wild.
  • The likelihood of exploitation given the organization’s specific environment.
  • Potential business impact if the vulnerability is left unaddressed.

5. Collaborate Across Teams

Successful vulnerability management requires close collaboration between security, engineering, and executive teams. Security professionals must translate technical findings into business terms, enabling executives to make informed risk decisions.

Breaking Down the Funnel: From Noise to Actionable Insights

The speakers introduced a seven-stage funnel that illustrates how organizations can reduce the noise of vulnerability alerts and focus on what truly matters. Starting with 100% of vulnerability findings, each stage applies filters to narrow down the list, such as:

  • Identifying duplicates across tools.
  • Removing non-exploitable vulnerabilities.
  • Focusing on externally-facing assets.
  • Prioritizing based on business-criticality.

By the end of this process, only 0.5% to 2% of vulnerabilities are deemed worthy of immediate action - enabling teams to work smarter, not harder.

Overcoming Burnout and Building a Resilient Future

The speakers acknowledged that vulnerability management is often a thankless and exhausting role, leading to widespread burnout. However, they offered hope, emphasizing that there is a path to improvement. By embracing automation, focusing on context, and fostering cross-functional collaboration, organizations can drive meaningful change.

"We don’t need more detection - we need direction. Let’s stop shouting into the void and start giving teams actionable solutions."

Key Takeaways

  • Prioritize by Risk, Not Volume: Treat vulnerabilities as risks, considering factors like exploitability, exposure, and business impact.
  • Ownership Matters: Clear asset ownership - or stewardship - is essential for effective vulnerability management.
  • Automate and Contextualize: Use automation to eliminate noise, deduplicate findings, and provide actionable insights.
  • Build Collaboration: Foster partnerships between security, engineering, and executives to align goals and streamline processes.
  • Shift Away from SLAs: Focus on impact-driven remediation rather than rigid timelines.
  • Leverage Data and Intelligence: Use threat intelligence and contextual data to identify vulnerabilities that pose the greatest risk.
  • Adapt to Scale: Embrace solutions that can handle the growing complexity of cloud-native environments.

Conclusion

The world of vulnerability management is undeniably complex, but it is not insurmountable. By reframing vulnerabilities as business risks and leveraging data-driven insights, organizations can cut through the noise and focus on what truly matters. For healthcare delivery organizations and their cybersecurity counterparts, this approach not only enhances security but also ensures the resilience of critical systems - ultimately safeguarding the patients and communities they serve.

The journey may be challenging, but with collaboration, automation, and a risk-based mindset, the industry can move toward a future where vulnerability management is less about reacting and more about leading with purpose. Let’s fix this - together.

Source: "Mauve Hed & Francesco Cipollone - Navigating Challenges of Risk-Based Vul. Mgmt. in a Cloud World" - LASCON, YouTube, Nov 30, 2025 - https://www.youtube.com/watch?v=bDtJA551vpI

Related Blog Posts

Key Points:

Recent Perspectives

5 Steps to Launch Phishing Simulations in Hospitals
How to Modernize Healthcare Data Security with AI
Healthcare Cybersecurity Maturity Calculator
Shared Responsibility Model: Vendor vs. HDO Roles
Why Access Control Matters for PHI Encryption
STRIDE Threat Model for Clinical Applications
How to Embed GRC into Continuous Software Delivery
New
Censinet Risk Assessment Request Graphic

Censinet RiskOps™ Demo Request

Do you want to revolutionize the way your healthcare organization manages third-party and enterprise risk while also saving time, money, and increasing data security? It’s time for RiskOps.

Schedule Demo

Sign-up for the Censinet Newsletter!

Hear from the Censinet team on industry news, events, content, and 
engage with our thought leaders every month.

Third Party Risk
Enterprise Risk
Provider Solutions
Vendor Solutions
About
Terms of Use | Privacy Policy | Security Statement | Crafted on the Narrow Land