Join us tomorrow for "Hacking the Validity of GenAI"
Super Cyber Fridays!
Join us TOMORROW, Friday [05-09-25], for "Hacking the Validity of GenAI"
Join us Friday, May 9, 2025, for “Hacking the Validity of GenAI: An hour of critical thinking about embracing these new tools while still meeting your compliance requirements.”
It all begins at 1 PM ET/10 AM PT on Friday, May 9, 2025, with guests Chris Strand, global security and compliance officer and Thoropass advisor, and Rob Gormisky, InfoSec lead and founding engineer, Forage. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Thoropass
Defense in Depth
Can You Have a Secure Software Environment Without Traditional Vulnerability Management?
Vulnerability management is mostly about catching up. You discover vulnerabilities and then rush to patch them based on priority. If we're already building out zero trust architecture to secure systems we know are vulnerable by default, why are we still messing around with vulnerability management?
Check out this post for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, producer of CISO Series, and Howard Holton, COO, Gigaom. Joining them is their sponsored guest, Rob Allen, chief product officer at ThreatLocker.
Reinforcing zero trust
Traditional vulnerability management often falls short of its promise, focusing more on mitigating exploitability than meaningfully reducing risk. “It’s inherently reactive and ineffective at eliminating risk,” said Dr. Dustin Sachs of CyberRisk Collaborative, who advocates for a more proactive strategy that “integrates zero trust principles, strong software engineering practices, and runtime security controls to assume compromise and contain threats.” Martin Rivera Neuhaus of Enstal Technologies builds on that point, arguing that zero trust should be “effectively enforced at the network layer” by allowing access only to specific applications for specific users, authenticated via Active Directory and MFA. After all, as he puts it, “It’s hard to remediate vulnerabilities, but it’s not that hard to lock down who has potential access to exploit those vulnerabilities.”
Focus on effectiveness
In large, highly regulated enterprises, vulnerability management isn’t optional—it’s audit fuel. “You better have very well-documented compensating controls and a well-versed compliance team to deal with external auditors when they ask you, ‘Do you perform vulnerability scans on your code?’” warned Arnel Manalo of ConvergentDS. But effectiveness goes beyond checking boxes. Duane Gran of Converge Technology Solutions believes vulnerability management “is a winning move when it does two things well: a) prioritizes the stuff that matters; and b) includes configuration management,” noting that focusing on “the 5 percent that matters” can eliminate a lot of risk. Steve Wingate of CyberGuard Advisors adds that skipping traditional vulnerability management forces organizations to “rely more on threat intelligence, behavioral analysis, and incident response,” a path that can be significantly more complex and resource-intensive.
Understanding zero trust limitations
Zero trust is often seen as a safeguard against the unknown, but its ability to prevent threats isn’t without limits. “Prevention implies either knowledge of the exploit or a comprehensive understanding of the software's normal behavior,” noted Nikolay Chernavsky, CISO, ISSQUARED. “But can we credibly claim prevention when the very nature of the threat is unknown, as zero trust suggests?” The operational challenge of staying current compounds that uncertainty. “Any software will never be 100 percent secure and would constantly need to be patched or upgraded to the latest version,” Mauricio Ortiz of Merck added. “Most organizations cannot keep up with that,” and when vulnerabilities linger, they “could weaken or break the ZT model.”
What's next
The next evolution in security isn’t just about closing known gaps—it’s about seeing the full exposure landscape in context. “I feel the real evolution we’ll see is the shift towards exposure management and a more proactive, continuous approach beyond traditional vulnerability management,” said Mike Gibson of Rapid7. While zero trust focuses on strict access controls, he points out it “doesn’t address the full spectrum of exposures that attackers exploit, such as misconfigurations, identity risks, attack paths, and shadow IT.” Exposure management, by contrast, “brings context-driven risk prioritization, aligning security efforts with real-world attack scenarios rather than just patching vulnerabilities.”
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Listen to the full episode here.
Huge thanks to our sponsor, ThreatLocker
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Security You Should Know
Solving Patch Management with ThreatLocker
For years, patch management has been treated as a solved problem—until reality strikes. Outdated applications, portable executables, patch conflicts, and shadow software leave organizations unknowingly exposed. The tools may exist, but the process often breaks down.
In this episode, Rob Allen, chief product officer at ThreatLocker, discusses why their new patch management solution goes beyond legacy approaches. With built-in patch packaging, pre-deployment testing, and granular control, the platform helps teams navigate complex environments while keeping rollback, risk tolerance, and deny-by-default strategies in play. Joining him are Mike Woods, VP of cybersecurity at GE Vernova, and Steve Zalewski, co-host of Defense in Depth.
Listen to the full episode here.
Thanks to our sponsor, ThreatLocker
Subscribe
Subscribe to Security You Should Know
Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.
LIVE!
PREVIEW: CISO Series Podcast LIVE in Boston 5-15-25
After a five-year hiatus, the CISO Series Podcast returns once again to Boston. It’ll be a homecoming for David Spark, and we hope you all can be there! Joining David on stage will be Andy Ellis, partner, YL Ventures, and Sam Curry, global vice president and CISO at Zscaler.
REGISTER on LinkedIn and/or with the official event registration.
HUGE thanks to our sponsor, Zscaler
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Dan Holden, CISO, BigCommerce.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Cyber chatter from around the web...
Jump in on these conversations
“What jobs in this field have the highest job security?” (More here)
“Most useless GRC busywork?” (More here)
“so… the cve program is in trouble. what now?” (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[05-09-25] [Hacking the Validity of GenAI]
[05-30-25] [Hacking Provable Security]
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.