Hello Cyber Builders 🖖
The security industry is obsessed with prioritization. I used to push for it myself, and I still see its value.
As findings pile up, we keep layering on context. More scores, more dashboards, more risk ratings, more enrichment. EPSS, KEV, asset criticality, exploitability, business impact. The tools get smarter, but the queues only get longer. The remediation backlog keeps growing.
Prioritization matters. We still need it. But deciding what matters is not the same as actually doing something about it.
A better-ranked backlog is still a backlog.
In 2025, Akira ransomware hit hundreds of organizations through a known SonicWall vulnerability. The CVE was there. The patch was there. Teams knew. The real gap was between knowing and acting.
Most security programs run on what I call the ticket factory model.
Tools generate findings. Security enriches and prioritizes them. Tickets go to IT, cloud, infrastructure, or application teams. Security follows up. Everyone complains about the backlog. Repeat.
This model can get more complex, but it never really changes. Security still acts as the central brain—collecting, classifying, escalating, chasing. Better triage just makes the queue look smarter. The problem stays the same.
The problem is not ranking. The problem is how much we can actually absorb.
CISO A: Bob, I am fighting to get IT teams attention to apply the patches. Not to mention OT engineers in factories…
CISO B: Alice, I have the same experience with our software engineers! Any new idea to help us?
A CISO coffee machine conversation in 2026!
AI will find vulnerabilities faster. Sorting them faster will not save security teams. The whole system needs to change.
This calls for four big shifts. None of them requires buying new tools. All of them are harder than just adding software.
Most security teams use AI as an assistant. It summarizes findings, drafts reports, and enriches alerts. That helps, but it is not enough.
The real step is using AI to actually execute tasks, not just help with research. I covered this before:
Some actions do not need human approval every time. Disabling stale accounts, revoking exposed credentials, and routing tickets with context. For these narrow, reversible actions, waiting for approval is often slower than the attacker.
Letting systems make decisions without limits is frightening. The answer is bounded autonomy: set permissions, clear action boundaries, full audit logs, reversibility if possible, and clear ownership. The safety controls stay, but the bottleneck moves.
For example, use an AI agent to automatically suspend dormant accounts. Unsuspend if someone is affected. Delete after 60 days of suspension.
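As an added illustration (not code from this post), here is what the dormant-account example looks like once the bounded-autonomy rules are explicit: the agent can only suspend or delete, every decision is logged, a reversal path exists, and work beyond a per-run cap is escalated rather than taken. The 90-day dormancy threshold, the per-run action cap and the protected-account list are assumptions; the 60-day deletion delay comes from the post.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Bounds an operator sets up front; inside them the agent acts on its own.
DORMANT_AFTER = timedelta(days=90)   # assumption: 90 days without a sign-in counts as dormant
DELETE_AFTER = timedelta(days=60)    # from the post: delete 60 days after suspension
MAX_ACTIONS_PER_RUN = 25             # assumption: blast-radius cap, the rest is escalated to a human
PROTECTED = {"break-glass-admin"}    # assumption: accounts the agent must never touch

@dataclass
class Account:
    name: str
    last_login: date
    state: str = "active"            # active | suspended | deleted
    suspended_on: Optional[date] = None

@dataclass
class DormantAccountAgent:
    today: date
    audit: List[str] = field(default_factory=list)  # every decision, taken or refused, is logged
    actions: int = 0

    def _act(self, acct: Account, new_state: str, reason: str) -> bool:
        if self.actions >= MAX_ACTIONS_PER_RUN:
            self.audit.append(f"ESCALATE {acct.name}: run limit reached ({reason})")
            return False
        self.audit.append(f"{new_state.upper()} {acct.name}: {reason}")
        acct.state = new_state
        self.actions += 1
        return True

    def run(self, accounts: List[Account]) -> List[str]:
        for a in accounts:
            if a.name in PROTECTED or a.state == "deleted":
                continue
            idle = (self.today - a.last_login).days
            if a.state == "active" and idle >= DORMANT_AFTER.days:
                if self._act(a, "suspended", f"no login for {idle} days"):
                    a.suspended_on = self.today
            elif a.state == "suspended" and (self.today - a.suspended_on) >= DELETE_AFTER:
                self._act(a, "deleted", f"suspended for {(self.today - a.suspended_on).days} days")
        return self.audit

    def unsuspend(self, acct: Account, requester: str) -> bool:
        # Reversal path: whoever is affected gets the account back, logged like every other action.
        if acct.state != "suspended":
            return False
        acct.state, acct.suspended_on = "active", None
        acct.last_login = self.today     # treat the request as activity so it is not re-suspended tomorrow
        self.audit.append(f"UNSUSPEND {acct.name}: requested by {requester}")
        return True
```

Deletion is the one irreversible step, which is why it only happens from the suspended state and only after the waiting period; everything before it can be undone from the audit trail.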
Delegating is not giving up responsibility. Refusing to delegate no longer works. AI can act safely, under constraints, and with clear accountability.
Most security teams still act as auditors.
Assess the system. Produce findings. Rank the risks. Hand tickets to the teams that execute. Verify later. Report progress.
That model worked when things changed slowly. It falls apart when infrastructure is rebuilt every sprint, cloud configs drift daily, and new services appear without a change request.
Software engineering faced this problem 15 years ago. Teams stopped testing everything at the end. They moved to continuous integration, automated pipelines, policy-as-code, and platform engineering. Quality became part of the workflow, not something added at the end.
Security needs to make the same move.
Build systems where deploying a vulnerable configuration is hard from the start: secure-by-design templates, cloud landing zones with built-in controls, automated identity hygiene, and vulnerability routing in CI/CD.
Engineering closes the loop. The best security program does the right thing at the right time.
This is the most uncomfortable idea here.
Security teams are always pushed to cover everything. Protect everything. Monitor everything. Patch everything. That ambition makes sense, but it is a trap.
Broad coverage often leads to shallow protection. When everything feels urgent, nothing gets the focus it needs.
Not all systems need the same attention, SLA, or architecture. Critical assets such as identity providers, cloud control planes, CI/CD pipelines, databases, and SaaS consoles require dedicated architecture, faster patch cycles, monitoring, and playbooks. Treat them as a separate category. Other systems can accept documented risk. That choice frees up resources for what matters most.
This is not just prioritization. Prioritization ranks work.
Deliberate defense means using different operating models for different parts of your environment. It means taking the risk analysis that already sits on your desk for compliance and using it as your patching strategy.
We cannot secure everything equally. Pretending we can only makes us weaker everywhere.
Here is the question nobody seems to want to ask out loud.
Why is vulnerability management still primarily a security function?
Security detects, enriches, prioritizes, and opens tickets. IT receives those tickets while managing availability, production stability, user requests, cloud operations, technical debt, and transformation programs. When security brings another urgent list, IT sees it as an external burden from a team that is not accountable for production.
That friction is structural. Better relationships do not fix it.
IT owns production. IT should also own a large part of production security. Endpoint hygiene, patching cadence, VPN appliance lifecycle, configuration baselines, identity hygiene. These belong as operational KPIs owned by IT, defined by security, validated by security, and escalated by security when they drift.
This is not a smaller role for security. It is a more strategic one. Define the risk model. Set the standards. Provide the threat context. Monitor the drift. Escalate unacceptable exposure. Stop being the team that generates tickets for everyone else. Start being the team that designs how the whole system operates.
Remediation cannot stay an external request forever. It has to become part of how operations run.
If you read this far, I hope you start thinking about the 4 shifts. You may agree with some parts and disagree with others. That’s great. It was my intent to start a conversation.
Each of these moves has something in common.
They ask security to give something up: direct control, central arbitration, the feeling of owning the queue. That is uncomfortable. The instinct is to hold on, to add more visibility, more process, more approval gates.
But the volume is only going up. AI will find more vulnerabilities, faster. Offensive tools will compress the time between discovery and exploitation. Teams that hold everything tightly will drown.
The AI era will not reward the teams that find the most issues. It will reward the teams that can absorb, decide, and act faster than the attacker.
Let’s start the conversation. Where is the real bottleneck in your organization? Is it prioritization? Ownership clarity? Fear of delegation? The IT-security divide?
I’d especially like to hear from the people who live in the remediation queue every day.
Laurent 💚
