Saturday September 12, 2026 10:30am - 11:30am CDT
Most vulnerability programs keep teams busy without reducing risk. Mean-time-to-remediate improves quarter over quarter while the total count of unpatched vulnerabilities climbs. The program optimizes a local maximum: patching speed. This talk presents four strategies for escaping the cycle, and the leadership behaviors each strategy requires.
Strategy 1: Shrink what needs protecting. Every decommissioned environment, consolidated tool, and disabled stale account is one less thing to scan, patch, monitor, or defend. Specific targets exist in every organization: SaaS products nobody canceled after a pilot, test environments that outlived their projects, overlapping tools acquired through inertia. Zero-based security budgeting surfaces surprising candidates for elimination and reframes security from cost center to cost-reduction partner. But decommissioning requires a shared source of truth. When security counts 200 SaaS applications, finance tracks 100 with purchase orders, and IT lists 50 in systems management tools, conversations stall. Building that shared reality across departments is the prerequisite for any attack surface reduction initiative.
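The inventory gap described above (security counts 200 SaaS products, finance 100, IT 50) is a join problem before it is a governance problem. The following is an added example, not material from the talk: it reconciles three constructed inventory lists by a normalized application name and sorts each application into the decommissioning or ownership questions each gap raises. The source names, the suffix list in `normalize`, and the bucket names are assumptions made for this example.

```python
"""Reconcile SaaS inventories held by security, finance and IT into one view.

Added example. The three lists below are constructed for illustration;
in practice they would come from an SSO/CASB export, purchase orders and a
systems management tool respectively.
"""
import re
from collections import defaultdict

# Words that differ between sources but do not identify a different product.
# Extend this list as your own data shows new mismatches.
_NOISE_WORDS = r"\b(inc|llc|ltd|corp|technologies|enterprise|pro|team|plan)\b"


def normalize(name):
    """Lowercase, strip punctuation and legal/edition words so that
    'Slack Technologies, Inc.' and 'Slack (Enterprise plan)' join."""
    n = name.lower()
    n = re.sub(r"[^a-z0-9 ]", " ", n)
    n = re.sub(_NOISE_WORDS, " ", n)
    return " ".join(n.split())


# Constructed sample inventories (assumption: these are not real data).
SOURCES = {
    "security": ["Slack Technologies, Inc.", "Zoom", "Notion", "Figma", "Loom", "Miro"],
    "finance": ["Slack (Enterprise plan)", "Zoom", "Figma Inc", "Miro", "Asana"],
    "it": ["slack", "zoom", "figma"],
}


def reconcile(sources):
    """Map normalized app name -> {source: raw name as that source spells it}.

    A product that fails to normalize consistently shows up as two rows,
    which is itself a finding to resolve by hand rather than to hide."""
    merged = defaultdict(dict)
    for src, names in sources.items():
        for raw in names:
            merged[normalize(raw)][src] = raw
    return dict(merged)


def classify(merged):
    """Bucket each app by which departments know about it. An app can land
    in more than one bucket; each bucket is a different follow-up action."""
    buckets = {
        "known_everywhere": [],       # shared reality already exists
        "no_purchase_record": [],     # seen in SSO, no PO: free tier, expired pilot, or finance gap
        "paid_but_no_logins": [],     # PO exists, nobody signs in: cancellation candidate
        "not_in_it_management": [],   # nobody is configuring or monitoring it
    }
    for app, by_src in sorted(merged.items()):
        srcs = set(by_src)
        if srcs == {"security", "finance", "it"}:
            buckets["known_everywhere"].append(app)
            continue
        if "security" in srcs and "finance" not in srcs:
            buckets["no_purchase_record"].append(app)
        if "finance" in srcs and "security" not in srcs:
            buckets["paid_but_no_logins"].append(app)
        if "it" not in srcs:
            buckets["not_in_it_management"].append(app)
    return buckets


def report(sources=SOURCES):
    """Convenience entry point: reconcile and classify in one call."""
    return classify(reconcile(sources))


if __name__ == "__main__":
    for bucket, apps in report().items():
        print(f"{bucket}: {', '.join(apps) or '-'}")
```

The per-bucket lists are the agenda for the cross-department conversation: `paid_but_no_logins` goes to finance as a cancellation candidate, `no_purchase_record` goes to the application owner to confirm the pilot ended, and `not_in_it_management` is the onboarding backlog for whatever remains.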
Strategy 2: Look beyond scanning. Scanners miss configuration drift, exposed APIs, shadow infrastructure, and short-lived cloud resources that disappear between scan cycles. Pairing vulnerability scanners with endpoint agents, cloud security posture management tools, systems management software, and identity providers gives a more accurate picture of what needs attention. This section also challenges the "attackers only need to be right once" myth. Mapped against MITRE ATT&CK, an attacker must succeed at reconnaissance, initial access, persistence, lateral movement, and exfiltration, every stage in sequence; a defender needs to disrupt only one of them. Architectural choke points such as SSO create disproportionate defensive returns. Terrain knowledge compounds over time and is something an external attacker cannot replicate.
Strategy 3: Prioritize with context. Base CVSS scores describe severity under worst-case assumptions, not the likelihood of exploitation in a given environment, and they mislead patching teams when used alone. Combining exploitability data such as EPSS scores and CISA's KEV catalog with environment specifics, including network exposure, compensating controls, and data sensitivity, produces rankings that reflect actual risk. A CVSS 6.5 on an internet-facing authentication server often deserves faster action than a CVSS 9.0 on an isolated test box. When patching teams see priorities grounded in their reality, they trust the process and act on it. The job of a security leader is not to maximize security but to calibrate acceptable insecurity through criteria a business colleague would understand.
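The ranking described above, as an added example that is not part of the talk or any published scoring standard: each finding is scored as likelihood (KEV listing or EPSS probability) multiplied by reachability (network exposure discounted by compensating controls) multiplied by impact (CVSS base scaled by data sensitivity). The weights, floors, SLA thresholds, and the four constructed findings are assumptions chosen to make the CVSS 6.5 versus CVSS 9.0 comparison concrete.

```python
"""Context-aware vulnerability prioritization. Added example; weights and
sample findings are illustrative assumptions, not a published standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss_base: float            # NVD/vendor base score, 0.0-10.0
    epss: float                 # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool                # listed in CISA Known Exploited Vulnerabilities
    exposure: str               # "internet", "internal" or "isolated"
    data_sensitivity: str       # "high", "medium" or "low"
    compensating_controls: int  # count of effective mitigations (MFA, WAF, segmentation, ...)


# Assumed weights: how reachable an asset is and how much what it holds matters.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.15}
SENSITIVITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}


def likelihood(f):
    """KEV is direct evidence of in-the-wild exploitation, so treat it as
    certain; otherwise use EPSS with a small floor so nothing scores zero."""
    if f.in_kev:
        return 1.0
    return max(f.epss, 0.01)


def reachability(f):
    """Each compensating control halves reachability. A floor remains because
    controls fail and misconfigurations happen."""
    return max(EXPOSURE_WEIGHT[f.exposure] * (0.5 ** f.compensating_controls), 0.05)


def impact(f):
    """Technical severity scaled by what the asset actually holds."""
    return (f.cvss_base / 10.0) * SENSITIVITY_WEIGHT[f.data_sensitivity]


def risk_score(f):
    """0-100: likelihood x reachability x impact."""
    return round(100 * likelihood(f) * reachability(f) * impact(f), 2)


def sla_days(score):
    """Assumed remediation windows per score band; tune to your own appetite."""
    if score >= 40:
        return 3
    if score >= 15:
        return 14
    if score >= 5:
        return 45
    return 90


def prioritize(findings):
    """Highest contextual risk first; CVSS only breaks ties."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.cvss_base))


# Constructed sample findings (assumption: CVE ids are placeholders, not real).
SAMPLE_FINDINGS = [
    Finding("vpn-edge-01", "CVE-0000-0001", 9.8, 0.97, True, "internet", "medium", 0),
    Finding("auth-web-02", "CVE-0000-0002", 6.5, 0.42, False, "internet", "high", 0),
    Finding("files-int-03", "CVE-0000-0003", 7.8, 0.90, True, "internal", "high", 1),
    Finding("test-box-04", "CVE-0000-0004", 9.0, 0.02, False, "isolated", "low", 1),
]


def triage(findings=SAMPLE_FINDINGS):
    """Return (asset, cve, cvss_base, risk_score, sla_days) rows in priority order."""
    return [(f.asset, f.cve, f.cvss_base, risk_score(f), sla_days(risk_score(f)))
            for f in prioritize(findings)]


if __name__ == "__main__":
    for row in triage():
        print("%-13s %-14s cvss=%4.1f risk=%6.2f sla=%3d days" % row)
```

On the constructed data the internet-facing auth server at CVSS 6.5 scores 27.3 and lands in the 14-day band, while the isolated test box at CVSS 9.0 scores 0.04 and waits 90 days; the KEV-listed VPN appliance tops the list regardless. Swapping in your own weights changes the numbers, but the point of the exercise is that the ordering comes from criteria the patching team can see and argue with.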
Strategy 4: Apply pressure without alienating the teams who do the work. Patching teams are measured on delivery velocity, not vulnerability metrics. Earning a seat in their planning sessions starts with understanding their constraints and what they are trying to ship this quarter. Allies often sit outside security and IT: General Counsel cares about legal exposure, product management about customer trust, finance about cost reduction. Frame requests in terms of their objectives, not your risk scores. If your assessment doesn't change the state of the organization, it hasn't reduced risk.
The talk closes with metrics that measure program health rather than activity, guidance on communicating vulnerability management to boards and executives, and five diagnostic questions attendees take home to assess whether their program is reducing risk or producing reports.
Speakers
Lenny Zeltser

Faculty Fellow, SANS Institute
Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk