
The way we measure security threats is changing. As security has become a board-level priority, cybersecurity teams need to think in terms of risk.
But where does that leave vulnerability scores? Are venerable systems such as CVSS, and the CVEs that underpin them, still relevant?
Or could a focus on vulnerability scores be a distraction from the real threats?
The truth, as ever, lies somewhere in between. Vulnerability scores are still a very useful way of categorising risks within an application and sharing that information. What they cannot do is map those exploits to an organisation’s network, or to its own workflows, security measures or even its business priorities.
That, though, is the CISO’s job. And, as our guest for this episode points out, today’s much more expansive and flexible networks really demand a cultural shift in how we think about the attack surface, and how we defend it.
Tod Beardsley is VP of security research at runZero, is on the board of the CVE Project, and is a former official at CISA. Interview by Stephen Pritchard.
