The Future of Vulnerability Management: A Risk-Based Approach in a Changing Regulatory Landscape
The cybersecurity landscape is shifting at an unprecedented pace, driven by a growing volume of disclosed vulnerabilities, regulatory pressures, and evolving threats. During a recent webinar featuring cybersecurity experts Chris Hughes and Nikki Robinson, key discussions revolved around the need for a threat-centric and risk-based approach to vulnerability management, as well as the regulatory divergence between the United States and Europe. This blog delves into the webinar’s critical insights, exploring why application security vulnerabilities must be treated as first-class citizens alongside traditional infrastructure vulnerabilities and how organizations can focus on what is most likely to be exploited rather than drowning in an ever-growing sea of CVEs.
The Regulatory Divide: U.S. vs. Europe
One of the standout discussions in the webinar highlighted the stark contrast between U.S. and European approaches to cybersecurity regulation. The U.S. primarily relies on voluntary guidelines and best practices, with resources such as the NIST Cybersecurity Framework and CISA’s Known Exploited Vulnerabilities (KEV) catalog guiding organizations without a direct enforcement mechanism for the private sector. However, recent shifts—including the SEC’s cybersecurity incident disclosure rules for public companies and CISA’s Secure Software Development Attestation Form for software sold to federal agencies—signal an increasing regulatory burden, particularly for vendors supplying the federal government.
Conversely, Europe has taken a more aggressive stance on cybersecurity mandates, with initiatives such as NIS2 (for essential and important entities), the Cyber Resilience Act (for manufacturers of products with digital elements), and DORA (the Digital Operational Resilience Act, for the financial sector) introducing enforceable compliance measures. Unlike the U.S., which focuses on advisory frameworks, European regulations come with real financial and legal teeth, placing liability and security obligations directly on software providers.
For global organizations, this divergence creates significant challenges, as they must navigate compliance across multiple jurisdictions while balancing innovation with security.
From Volume to Value: Prioritizing Real Risks Over Raw Numbers
One of the key themes of the webinar was the overwhelming volume of vulnerabilities in the current cybersecurity ecosystem. With over 40,000 CVEs disclosed in 2024, the old method of patching based on CVSS scores alone is no longer effective: CVSS measures technical severity, not the likelihood that a given flaw is actually being exploited, so a queue sorted by CVSS alone is dominated by high-severity issues that no attacker is using. Security teams must transition from a vulnerability-centric approach to a threat-centric model that focuses on actual exploitability.
A significant discussion point was the failure of traditional vulnerability management to distinguish between what is critical in theory and what is actually being exploited in the wild. The CISA Known Exploited Vulnerabilities (KEV) catalog was cited as a crucial tool in helping organizations prioritize the vulnerabilities that pose the greatest real-world threats. Rather than chasing down every new CVE, organizations should focus on vulnerabilities with known exploits, attack paths, and connections to real adversary activity.
Application Security and Infrastructure Security: First-Class Citizens
Historically, application security vulnerabilities have often been sidelined in favor of infrastructure-focused security efforts. The webinar challenged this outdated mindset, arguing that AppSec and infrastructure vulnerabilities must be treated as equal priorities.
With cloud security and software supply chain risks escalating, Application Security Posture Management (ASPM) is becoming essential for organizations looking to gain visibility and control over their code-to-cloud exposure. The panel emphasized that exploitable vulnerabilities in software applications—particularly those embedded in open-source components—are increasingly a major attack vector.
The Role of AI in Vulnerability Management: Hype vs. Reality
Artificial Intelligence (AI) was another major topic in the webinar, particularly in its role in automating vulnerability discovery and enhancing root cause analysis. While AI holds promise in identifying and classifying vulnerabilities at scale, concerns were raised about AI-generated false positives and the risk of overwhelming security teams with low-fidelity findings. A balanced approach is necessary—leveraging AI for efficiency while ensuring human oversight remains a key component of decision-making.
Moving Beyond Patch and Pray: Root Cause Analysis
A fundamental shift in vulnerability management must involve moving away from a reactive patch-and-pray mentality to systemic root cause analysis. The discussion highlighted the importance of looking at Common Weakness Enumeration (CWE) classes rather than just individual CVEs, so that the patterns causing vulnerabilities to recur become visible.
Organizations need to move toward fixing the underlying issues in software development, such as poor input validation and insecure configurations, rather than repeatedly patching symptoms. Security and development teams must work together to address these core security flaws before vulnerabilities are introduced into production environments.
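The two ideas above (prioritizing by known exploitation rather than raw CVSS, and rolling findings up by CWE to find recurring root causes) fit naturally in one small script. The following is an added example written for this post, not code from the webinar, the speakers, or any vendor. It uses a constructed excerpt in the shape of CISA's KEV JSON feed (the live feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; its `dueDate` field is the BOD 22-01 remediation deadline for federal agencies) and a constructed list of scanner findings. All CVE identifiers, asset names and scores are placeholders, not real vulnerabilities.

```python
"""Added example: KEV-driven prioritisation plus a CWE root-cause roll-up.
Every CVE id, asset name and score below is a constructed placeholder."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of CISA's KEV feed (cveID, dateAdded,
# dueDate, knownRansomwareCampaignUse). Placeholder ids, not real entries.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dateAdded": "2025-01-06",
         "dueDate": "2025-01-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "dateAdded": "2025-02-10",
         "dueDate": "2025-03-03", "knownRansomwareCampaignUse": "Unknown"},
    ]
}


@dataclass(frozen=True)
class Finding:
    cve: str
    cwe: str             # weakness class, e.g. "CWE-89" (SQL injection)
    cvss: float          # base score as reported by the scanner
    asset: str           # hypothetical service name
    internet_facing: bool


# Constructed scanner output: note the same CWE recurring across assets.
FINDINGS = [
    Finding("CVE-0000-0001", "CWE-89", 7.2, "billing-api", True),
    Finding("CVE-0000-0002", "CWE-787", 9.8, "build-runner", False),
    Finding("CVE-0000-0003", "CWE-89", 6.5, "partner-portal", True),
    Finding("CVE-0000-0004", "CWE-89", 5.3, "internal-reporting", False),
    Finding("CVE-0000-0005", "CWE-79", 7.5, "partner-portal", True),
    Finding("CVE-0000-0006", "CWE-20", 9.1, "ingest-worker", False),
]


def load_kev(feed: dict) -> dict[str, dict]:
    """Index the KEV feed by CVE id so membership checks are O(1)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def tier(f: Finding, kev: dict[str, dict]) -> int:
    """1 = known exploited (in KEV), 2 = reachable from the internet with
    high CVSS, 3 = everything else. CVSS alone never reaches tier 1."""
    if f.cve in kev:
        return 1
    if f.internet_facing and f.cvss >= 7.0:
        return 2
    return 3


def prioritise(findings: list[Finding], kev: dict[str, dict]) -> list[Finding]:
    """Remediation queue: KEV entries first (ransomware-linked ones before
    others, then earliest due date), then exposed high-severity findings,
    then the remainder by CVSS descending."""
    def key(f: Finding):
        entry = kev.get(f.cve)
        ransomware = 0 if entry and entry["knownRansomwareCampaignUse"] == "Known" else 1
        due = date.fromisoformat(entry["dueDate"]) if entry else date.max
        return (tier(f, kev), ransomware, due, -f.cvss)
    return sorted(findings, key=key)


def cwe_rollup(findings: list[Finding]) -> list[tuple[str, int, int]]:
    """Root-cause view: (CWE, number of findings, number of distinct assets),
    most widespread weakness class first."""
    counts = Counter(f.cwe for f in findings)
    assets: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        assets[f.cwe].add(f.asset)
    return sorted(((cwe, n, len(assets[cwe])) for cwe, n in counts.items()),
                  key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    kev = load_kev(KEV_FEED)
    print("Remediation order (tier, cve, cvss, asset):")
    for f in prioritise(FINDINGS, kev):
        print(f"  {tier(f, kev)}  {f.cve}  {f.cvss:4.1f}  {f.asset}")
    print("Recurring weakness classes (cwe, findings, assets):")
    for row in cwe_rollup(FINDINGS):
        print(f"  {row}")
```

Run as written, the 9.8-scored finding on the non-exposed build runner lands fourth, behind two KEV entries with lower CVSS and an internet-facing 7.5, which is exactly the reordering the threat-centric model argues for. The roll-up then shows CWE-89 appearing three times across three assets, pointing at a shared input-handling pattern to fix once rather than three CVEs to patch separately.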
Final Thoughts: The Future of Cybersecurity Regulation and Risk-Based Security
As vulnerabilities continue to surge and regulatory pressures mount, organizations must adopt a risk-based, threat-centric approach to vulnerability management. Security teams should shift their focus from CVSS scores to exploitability, treat application security as a first-class citizen, and align their efforts with the realities of modern cloud security threats.
For deeper insights into vulnerability management and software security, check out Chris Hughes’ books:
- Effective Vulnerability Management: Navigating the Vulnerable Ecosystem
- Software Transparency: Securing a Software-Driven Society
The conversation on cybersecurity is far from over. Stay ahead by embracing a risk-driven approach and leveraging ASPM, cloud security, and regulatory intelligence to protect your organization from real-world threats.