Why Vulnerability Management Hasn’t Evolved and Why That’s a Problem

Get the summary of the Security Theater Podcast featuring two CISOs, Joe Silva & Kyle Bubp, discussing the limitations of current VM practices and the reasons to shift to real-time, behavioral context for true risk reduction.


By Team Spektion

For two decades, vulnerability management has been treated as one of the bedrock disciplines of cybersecurity. It’s on every framework checklist, every audit scope, every board dashboard.

But as Joe Silva, former CISO and now CEO of Spektion, and Kyle Bubp, CISO of Avid, recently discussed on the debut of The Security Theater podcast, the way organizations actually practice vulnerability management hasn’t meaningfully changed since the early 2000s—even as everything else in security has.

“Vulnerability management really hasn’t changed in those last 20 or so years,” Kyle notes. “Much of the security industry is built on this idea of vulnerability management being the foundation of your security program, where we’re looking at CVSS scores, and we’ve got red flags, orange flags, and green flags. But what we don’t capture … is the context. Tell me why this matters. Don’t just tell me it’s above a CVSS seven.”

Continue reading for a summary of the discussion, including the way forward.


Security Theater Podcast, Episode 1 with Joe and Kyle

The CVE System: A Fragile Foundation

Much of today’s vulnerability management ecosystem still depends on the CVE and NVD system, a crowdsourced database populated by researchers, vendors, and opportunistic disclosures. To summarize how Joe talks about it, “it’s a crowdsourced effort with varying motivations—some altruistic, some reputational, some forced—and it’s how we understand our susceptibility to attack.”

The problem? That foundation is both incomplete and reactive.

  • Many exploitable software conditions are never assigned a CVE.
  • Vendors often fix issues quietly in the next release.
  • The database itself depends on inconsistent funding and reporting.

Meanwhile, attackers don’t wait for CVEs to be published. They exploit behaviors and misconfigurations that defenders don’t even know to look for.

Compliance Has Become the Ceiling, Not the Floor

For many organizations, vulnerability management has devolved into a compliance checkbox, a function optimized for producing reports, not reducing risk.

“Most compliance work in security is necessary but not sufficient,” Joe says. “I think that’s where it just stops. There’s a lack of imagination in terms of what’s possible (beyond that).”

That cycle wears teams down. Security teams often end up being measured on shrinking lists, or, as Joe points out, “taking a big number and turning it into a smaller number,” rather than on reducing exposure. It becomes more about closing tickets than closing attack paths.

Context Is What’s Missing

Both CISOs agreed: context is what transforms vulnerability management from a rote exercise into a meaningful security control. Yet most tools and programs lack the data to provide it.

A CVSS score doesn’t tell you:

  • Whether the affected software runs with **elevated privileges**.
  • Whether an **exploit actually exists** in the wild.
  • How that software **behaves at runtime**.
  • Or whether compensating controls already mitigate the risk.

Without that context, teams patch blindly. And when they don’t see a direct link between patching velocity and breach outcomes, the entire model starts to lose credibility.
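As an added illustration (not code from the podcast, Spektion, or Avid), the following hypothetical scoring shows how the four context factors above can reorder the same findings relative to a pure CVSS ranking; the weights and the sample findings are assumptions, not real products or advisories.

```python
from dataclasses import dataclass

# Hypothetical context-aware prioritization; weights below are assumptions.
@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float                         # base score from the advisory
    runs_elevated: bool = False         # observed: runs as SYSTEM/root
    exploit_known: bool = False         # public exploit or in-the-wild use
    risky_behaviors: tuple = ()         # runtime observations, e.g. LSASS access
    compensating_control: bool = False  # e.g. isolated host, no inbound exposure

EXPLOIT_WEIGHT = 2.0      # assumed weight: a known exploit raises urgency
PRIVILEGE_WEIGHT = 1.5    # assumed weight: elevated privileges widen impact
BEHAVIOR_WEIGHT = 1.0     # assumed weight per observed insecure behavior
MITIGATION_CREDIT = 3.0   # assumed credit for an effective compensating control

def contextual_priority(f: Finding) -> float:
    """Start from CVSS, then adjust by what the software is observed doing."""
    score = f.cvss
    if f.exploit_known:
        score += EXPLOIT_WEIGHT
    if f.runs_elevated:
        score += PRIVILEGE_WEIGHT
    score += BEHAVIOR_WEIGHT * len(f.risky_behaviors)
    if f.compensating_control:
        score -= MITIGATION_CREDIT
    return round(max(score, 0.0), 1)

def rank_by_cvss(findings):
    """Ordering a CVSS-only program would produce."""
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings):
    """Ordering once runtime and exposure context is applied."""
    return [f.name for f in sorted(findings, key=contextual_priority, reverse=True)]

# Constructed sample findings (fictional software names, no real CVEs).
SAMPLE = [
    Finding("report-viewer", cvss=9.8, compensating_control=True),
    Finding("agent-service", cvss=7.2, runs_elevated=True, exploit_known=True,
            risky_behaviors=("reads LSASS memory", "accepts revoked certificates")),
    Finding("desktop-widget", cvss=8.1),
]

if __name__ == "__main__":
    print("CVSS order:   ", rank_by_cvss(SAMPLE))
    print("Context order:", rank_by_context(SAMPLE))
```

The 9.8 finding drops to the bottom because a compensating control already covers it, while the 7.2 finding that runs elevated, has a known exploit, and shows two insecure runtime behaviors moves to the top.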

“If every organization were as bad as their CVE numbers and MTTR,” Joe said, “everyone would be breached all the time.”

Shifting the Focus: From Signatures to Behavior

Kyle noted that the industry’s over-reliance on the NVD, and the narrowing of vulnerability management down to just patching, is “a naive way to think about the impact of all these programs and packages and applications that are running in your environment.” The bigger question is: What is the software actually doing?

What security teams really need is to watch how the software is behaving: its actual privilege levels, any processes that look insecure, how it handles certificates, and its potential for lateral movement. That gives a far more accurate picture of exploitable risk than any static CVE list can offer.

Joe added that runtime visibility changes the game: “When you can point to a piece of software running on your system and show that it’s accepting revoked certificates or accessing LSASS memory, that’s actionable. That’s not theoretical risk; that’s insecure behavior happening right now.”

The Way Forward

There’s reason for optimism. Kyle pointed out that the industry is starting to recognize that “maybe there’s more to vulnerability risk than just a CVE,” and that more context, behavioral insight, and continuous validation are essential.

“We need to complicate exploitation and lateral movement as much as we can,” he said. “A CVE is just one piece of vulnerability management.”

Until the industry fully adopts that mindset, vulnerability management will remain more security theater than a genuine security control.

---

Editor’s Note: This post is inspired by Episode 1 of The Security Theater Podcast, a conversation between Joe Silva, CEO and Co-Founder of Spektion, and Kyle Bubp, CISO of Avid. Listen to the full episode on the web or Spotify for a candid discussion on why vulnerability management must evolve from scanning and patching to runtime understanding and behavioral risk.