Phronia Counsel

The Top Three Beats the Top Ten Thousand

Exposure management only works when you respect the people who actually fix things.

I had a conversation last week at Google Next about why the industry keeps failing at the same thing.

The thing we keep failing at is not vulnerability detection. We are excellent at vulnerability detection. We can find ten thousand things wrong with your environment before lunch.

The thing we keep failing at is getting any of them fixed.

Here is the sentence that matters. Security teams are not mechanics. Security teams identify the issue and report it to the owner to fix. Security finds. IT, DevOps, and engineering fix. And those three groups are not paid to make security happy. They are paid to keep the lights on, ship features, and deliver business value faster than last quarter.

So when security walks in with a ten-page list of remediation demands, what they are really handing over is ten pages of rejection, dressed up as prioritization. Nothing happens. Security gets frustrated. IT gets resentful. The attackers keep winning.

There is a better way. It fits on a sticky note.

What This Means for the CIO, CTO, and CISO

Security teams are not mechanics. They identify the issue and report it to the owner to fix. If your remediation list does not respect the capacity of the teams who actually own the systems, nothing will get fixed.

CVSS scores are an input, not an answer. A 9.8 that has no path into your crown jewels is less urgent than a 7.6 that chains into your SAP environment. Attack path context beats raw severity every single time.

The winning cadence is small, rapid, and weekly. Three things per team per sprint. Five if the team is large. Never more than seven. Anything above that number is noise dressed as strategy.

The Inside Perspective

When I was a CISO, I had a simple math problem. Twenty people on my team, each capable of roughly a hundred things a day. That is two thousand discrete actions per day, ten thousand per week.

I could not tell you what the right ten thousand actions were. Nobody can. The market is not that clean, the environment is not that stable, and the attackers are not that predictable. What I could tell you was how to bend the ratio.

If my team was doing twenty right things a day, and I got them to forty, I was infinitely happier. Then sixty. Then eighty. The goal was never perfection. The goal was progress. Every week, a better ratio than the week before.

That math only works if the remediation list is short, specific, and defensible. The moment I hand a developer a hundred-item backlog and tell them everything is critical, I have told them nothing is critical. They file it in the appropriate place, which is the recycle bin, and they go back to shipping features.

The CISOs I watched succeed did three things differently.

They built trust with the CIO and CTO before they ever needed a favor. They knew the names of the engineering leads. They understood the release schedule. They asked what hurt before they asked for anything.

They walked into remediation meetings with three things. Not three hundred. Three. Here are the three things that matter most this week. Here is why. Here is the attack path if we do not fix them. Can you put them in the next push?

They reported back honestly. If the three things got fixed, they said thank you and named the engineer. If two got fixed and one slipped, they asked why and adjusted the next ask. No passive aggression. No scoreboarding. Just collaboration between adults who were all trying to keep the company alive.

Security teams are not mechanics. We identify the issue and report it to the owner to fix. If the list we hand over does not respect the capacity of the people who actually own the systems, we have built a rejection machine and called it a program.

The Outside Observation

Now I watch this pattern play out at scale, and the failure mode is almost always the same.

A CISO buys a vulnerability management platform. The platform works. It finds everything. It produces a dashboard with forty-three thousand findings, color-coded by severity, sorted by CVSS.

The CISO hands the dashboard to the IT leadership team. IT leadership looks at the dashboard. IT leadership panics for approximately twelve seconds, then schedules a meeting to discuss prioritization. The meeting does not produce a priority list. It produces a follow-up meeting. The follow-up meeting produces a working group. The working group produces a steering committee. The steering committee produces a framework. The framework does not produce fixes.

Six months later, the same CISO stands in front of the board and reports that they have remediated forty-seven percent of critical vulnerabilities. The board nods. The number sounds good. Nobody asks whether the forty-seven percent that got fixed included the three vulnerabilities that an attacker would actually chain together to reach the payment processing environment. Nobody asks because nobody, including the CISO, knows.

This is the heart of the problem. The CVSS base score is deliberately environment-agnostic: it rates the flaw, not your exposure to it. The standard does have an environmental metric group for asset criticality and compensating controls, but almost nobody populates it, so what lands on the dashboard is the universal score applied to a universal world. Your environment is not universal. A vulnerability that matters deeply in a financial services company with an on-premises SAP backbone does not matter at all in a pure cloud-native SaaS shop. Treating them the same is how you spend your budget on the wrong things.

Exposure management, done right, inverts the equation. It starts with the things the business cares about, maps the paths an attacker could take to reach them, and surfaces only the remediations that actually break those paths. The list gets shorter. The list gets meaningful. The engineering team stops laughing when it arrives.
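The inversion described above is, at its core, a graph problem: enumerate the paths from an attacker's entry point to the assets the business cares about, then pick the handful of fixes that cut the most paths. The example below is added here to make that concrete; it is not code from the post or from any product. The hosts, vulnerability IDs (V-A through V-K) and CVSS scores are constructed for illustration and are not real systems or CVEs. It puts a 9.8 on an isolated lab box and a 7.6 on the SAP host, then compares the "sorted by CVSS" top three against the "breaks the most attack paths" top three.

```python
"""Attack-path prioritization versus CVSS sorting (added example, not from the post).

Hosts and vulnerability IDs below are constructed for illustration; they are
not real systems or CVEs. An edge (src, dst, vuln) means: an attacker who
already controls `src` can reach `dst` by exploiting `vuln` on `dst`.
"""
from collections import defaultdict

# Constructed sample environment (assumption, not from the post).
EDGES = [
    ("internet", "web-portal", "V-A"),
    ("web-portal", "app-tier", "V-B"),
    ("app-tier", "sap-erp", "V-C"),        # the 7.6 on the SAP host
    ("app-tier", "payments-db", "V-I"),
    ("internet", "vpn-gw", "V-D"),
    ("vpn-gw", "app-tier", "V-E"),
    ("vpn-gw", "jump-host", "V-F"),
    ("jump-host", "payments-db", "V-K"),
    ("internet", "partner-api", "V-H"),
    ("partner-api", "app-tier", "V-J"),
    ("internet", "isolated-lab", "V-G"),   # the 9.8 on a dead-end box
]

# Constructed CVSS base scores for the IDs above.
CVSS = {
    "V-A": 7.8, "V-B": 6.5, "V-C": 7.6, "V-D": 6.4, "V-E": 5.3, "V-F": 6.8,
    "V-G": 9.8, "V-H": 6.1, "V-I": 7.0, "V-J": 5.9, "V-K": 7.2,
}

ENTRY = "internet"
CROWN_JEWELS = {"sap-erp", "payments-db"}


def attack_paths(edges, entry, targets):
    """Enumerate simple paths from `entry` to any target, each as a frozenset of vulns.

    A path is broken as soon as any one vulnerability on it is fixed, so the
    set of vulns on the path is all that needs to be kept.
    """
    graph = defaultdict(list)
    for src, dst, vuln in edges:
        graph[src].append((dst, vuln))

    paths = []

    def dfs(host, visited, vulns):
        if host in targets:
            paths.append(frozenset(vulns))
            return  # stop at the crown jewel; anything beyond it is irrelevant
        for nxt, vuln in graph[host]:
            if nxt not in visited:  # simple paths only; no host revisited
                dfs(nxt, visited | {nxt}, vulns + [vuln])

    dfs(entry, {entry}, [])
    return paths


def paths_remaining(paths, fixed):
    """Count paths that are still open, i.e. contain none of the fixed vulns."""
    fixed = set(fixed)
    return sum(1 for p in paths if not (p & fixed))


def rank_by_cvss(cvss, k=3):
    """The dashboard order: highest base score first, environment ignored."""
    return sorted(cvss, key=lambda v: (-cvss[v], v))[:k]


def rank_by_paths(paths, cvss, k=3):
    """Greedy hitting set: each pick is the vuln sitting on the most still-open paths.

    Ties break toward the higher CVSS score, then the ID. Stops early once
    every path is broken, so the list can be shorter than k.
    """
    open_paths = list(paths)
    chosen = []
    while open_paths and len(chosen) < k:
        hits = defaultdict(int)
        for p in open_paths:
            for v in p:
                hits[v] += 1
        best = max(hits, key=lambda v: (hits[v], cvss[v], v))
        chosen.append(best)
        open_paths = [p for p in open_paths if best not in p]
    return chosen


def compare(edges=EDGES, cvss=CVSS, entry=ENTRY, targets=CROWN_JEWELS, k=3):
    """Run both rankings over the same environment and report what each leaves open."""
    paths = attack_paths(edges, entry, targets)
    by_cvss = rank_by_cvss(cvss, k)
    by_path = rank_by_paths(paths, cvss, k)
    return {
        "paths": len(paths),
        "cvss_top": by_cvss,
        "cvss_open_after": paths_remaining(paths, by_cvss),
        "path_top": by_path,
        "path_open_after": paths_remaining(paths, by_path),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key}: {val}")
```

On this constructed graph there are seven paths from the internet to the two crown jewels. Sorting by CVSS spends one of three slots on V-G, which sits on no path at all, and leaves three paths open; the path-based pick starts with the 7.6 on the SAP host (it lies on three paths) and closes all seven with the same three slots. The greedy step is the textbook approximation for the hitting-set problem, which is NP-hard in general; for the few hundred paths a real environment produces it is fast and, more to the point, every pick comes with its own sixty-second explanation: "this fix breaks N of the paths that are still open."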


The Uncomfortable Truth

Most security programs treat remediation as a queue problem. It is not. It is a relationship problem.

Every unfixed vulnerability in your environment represents a conversation that has not happened yet between security and the person who owns the system. The ticket is a symptom. The broken relationship is the disease.

I have watched hundreds of CISOs try to solve this with better ticketing, better SLAs, better escalation paths. None of it works at scale. What works is a small, repeatable list, delivered to a trusted counterpart, with context that makes the ask reasonable.

This is the Wolfpack Trinity, and it is the single most important organizational structure in modern enterprise security. The CIO is paid to keep the lights on. The CTO is paid to deliver new business value faster. The CSO is paid to reduce risk. Left alone, their incentives collide. Aligned, they are a force multiplier.

Alignment does not come from the org chart. It comes from three practices.

First, shared language. The CSO stops talking about CVSS. The CIO stops talking about uptime. They both start talking about business impact. Which system matters to which revenue stream, and what happens if it goes down or gets breached.

Second, shared cadence. Three remediations per sprint is not an ambitious program. It is a sustainable program. A sustainable program beats an ambitious program that nobody follows.

Third, shared credit. When the three things get fixed, it is a Wolfpack win. When a breach gets prevented, it is a Wolfpack win. Security does not hoard credit. Engineering does not get blamed. The board sees a team that operates together.

The Three-Per-Week Rhythm

I want to put specific numbers on this, because vague advice is just permission to keep doing what you are already doing.

Every week, every remediation-owning team should receive three requests from security. Not three tickets. Three requests. A ticket is a demand with a ticking clock. A request is a conversation with a reason.

The three requests should be chosen by context, not score. Context means these three, fixed in this order, break the most meaningful attack paths in the environment right now. The list should change every week, because the environment changes every week.

The security team should be able to explain each request in sixty seconds. What is the exposure. What is the path. What breaks the path. Why this week and not next. If you cannot explain it in sixty seconds, you do not understand it well enough to ask for it.

The engineering team should have a standing slot in their sprint for these three. Not as overtime. Not as a favor. As a recurring line item. Three things per sprint is less than five percent of most engineering capacity. That is a reasonable tax for staying in business.

Miss one? Adjust. Slip two? Have a conversation. Nothing getting through? Something is broken in the relationship, and the answer is not a bigger list.

Signs Your Exposure Program Is Failing

Use this diagnostic. If three or more items in either failing column apply, you are in trouble.

Signs you are list-dumping:

Signs you are prioritizing without context:

Signs you are doing it right:

The Board Conversation

This is where most CISOs leave money on the table.

If you walk into the boardroom and say you closed four thousand tickets this quarter, the board will nod and ask for less budget. If you walk in and say you broke the seven attack paths that had direct reach into your revenue-bearing systems, the board will lean forward.

The first report is activity. The second report is outcome. Boards pay for outcomes.

The exposure management conversation translates cleanly to board language because it is already in business terms. We prioritize based on impact to the business. We fix based on paths to the business. We measure based on paths broken, which means attackers have fewer ways to reach the business.

A CISO who can speak that way does not have to justify their budget. Their budget justifies itself.

What I Would Tell My Former Self

Three things. Always three.

I would stop handing engineering ten-page lists. That behavior felt thorough at the time. It was not thorough. It was abdication. I was outsourcing my prioritization to people who did not have the context to prioritize.

I would invest in the Wolfpack Trinity before I invested in another tool. Every dollar spent building trust with the CIO and CTO returned more than every dollar spent on yet another scanner. The tools do not work if the relationships do not.

I would report attack paths to the board, not vulnerabilities. Once I started doing that, budget conversations got shorter, tool purchases got sharper, and the board started viewing security as a business function instead of a cost center.

The Bottom Line

Your job is not to find vulnerabilities. Your job is to break attack paths.

Every week, pick three. Explain each one in sixty seconds. Ask the engineers who own the systems to fix them in the next sprint. Report back on what broke and what did not. Thank the people who fixed things by name.

Do this for one quarter. Measure the change. You will find that three per week, reliably delivered, beats three hundred per week, reliably ignored, every single time.

The top three beats the top ten thousand. Every week. Every sprint. Every quarter. Perfection is the enemy of progress, and progress, in security, is the whole game.