IT Brief Australia - Technology news for CIOs & IT decision-makers
Reducing cyber risk is still hard: Why CTEM stalls at action

Mon, 29th Jun 2026
David Shilovsky, Interview Editor

Companies are continuing to struggle with reducing cyber risk, despite years of investment in vulnerability management and exposure assessment tools.

One of the industry's biggest challenges remains translating risk identification into effective remediation.

While many security teams have become effective at identifying and prioritising vulnerabilities, fixing them usually depends on separate IT and infrastructure teams, and the resulting delays can leave companies exposed for extended periods.

The cybersecurity team identifies and prioritises risk, but patching is frequently outside their direct control, according to Himanshu Kathpal, VP of Product Management, Platform and Technologies at Qualys.

"There is still a significant amount of communication required between security teams and IT operations teams to map vulnerabilities to the correct patches, operating systems, and configurations," Kathpal said.

This challenge is particularly stark in environments that include legacy systems like industrial infrastructure, or mission-critical applications that organisations are reluctant to modify. 

Vulnerabilities may remain unresolved for months because operational teams lack confidence that patching will not disrupt business processes.

Rather than focusing solely on vulnerability identification, companies need platforms capable of automating remediation actions and providing alternative risk-reduction measures when patching is not possible. 

Those measures can include configuration changes, compensating controls, or containment strategies designed to isolate vulnerable systems.

Risk can never be fully eliminated: teams cannot, and should not, try to patch everything. If everything is critical, nothing is. Whatever residual risk has not been mitigated or transferred must be accepted, and that acceptance should be a recorded decision rather than a backlog that nobody owns.

Another complicating factor is that remediation responsibilities are often distributed across multiple teams with different priorities. 

Security teams may rank vulnerabilities based on exploitability and exposure, while IT teams prioritise patch deployment according to operational requirements and maintenance schedules.

This disconnect can leave vulnerabilities open even after patches have been deployed: for example, where closing a vulnerability requires both a software update and a subsequent configuration change.

Patch management teams may consider the task complete while security teams continue to identify the vulnerability as unresolved.

The result is a longer remediation timeline: security teams must confirm the fix through additional scans and validation before the vulnerability can be formally closed, and every mismatch between "patch installed" and "vulnerability resolved" adds another round trip between teams.
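The gap described above, where a patch is installed but the finding stays open because a required configuration change never happened, is easy to reproduce in a small verification check. The following is an added illustration, not code from the article, from Qualys or from any product; the finding, the package name "examplehttpd", the configuration key "allow_legacy_renegotiation" and the host inventory are all constructed for the example. The point it makes is that "closed" must be computed from both conditions, and that version strings need numeric comparison (a lexical comparison would rank "2.4.9" above "2.4.10").

```python
"""Added example: distinguish 'patch deployed' from 'vulnerability closed'.

All names and data below are constructed for illustration (hypothetical
finding, hypothetical package and config key); this is not vendor code.
"""
from dataclasses import dataclass, field


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.4.58' into (2, 4, 58) so versions compare numerically.

    Assumes plain dotted integers; distro suffixes such as '-1ubuntu'
    would need a real version parser.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Finding:
    """A vulnerability whose fix needs a package update and, optionally, a config change."""
    finding_id: str
    package: str
    fixed_version: str
    required_config: dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Host:
    """Snapshot of one host as the asset inventory sees it (constructed)."""
    name: str
    packages: dict[str, str]   # package name -> installed version
    config: dict[str, str]     # config key -> current value


def remediation_status(finding: Finding, host: Host) -> tuple[str, list[str]]:
    """Return (status, reasons) for one finding on one host.

    status is one of:
      'not_applicable'          package not installed on this host
      'open'                    installed version is below the fixed version
      'patched_not_configured'  patch present, required configuration missing or wrong
      'closed'                  both conditions met; the finding can be formally closed
    """
    installed = host.packages.get(finding.package)
    if installed is None:
        return "not_applicable", [f"{finding.package} not installed"]
    if parse_version(installed) < parse_version(finding.fixed_version):
        return "open", [f"{finding.package} {installed} < {finding.fixed_version}"]

    reasons = []
    for key, wanted in finding.required_config.items():
        actual = host.config.get(key)
        if actual != wanted:
            reasons.append(f"{key}={actual!r}, required {wanted!r}")
    if reasons:
        return "patched_not_configured", reasons
    return "closed", []


def summarize(finding: Finding, hosts: list[Host]) -> dict[str, list[str]]:
    """Group host names by status.

    The patch team's view ('patched') covers both 'patched_not_configured'
    and 'closed'; the security team's view ('still open') covers 'open' and
    'patched_not_configured'. Only 'closed' satisfies both.
    """
    out: dict[str, list[str]] = {
        "open": [], "patched_not_configured": [], "closed": [], "not_applicable": []
    }
    for host in hosts:
        status, _ = remediation_status(finding, host)
        out[status].append(host.name)
    return out


# Constructed sample: one hypothetical finding and four hypothetical hosts.
FINDING = Finding(
    finding_id="FND-0001",
    package="examplehttpd",
    fixed_version="2.4.10",
    required_config={"allow_legacy_renegotiation": "off"},
)

HOSTS = [
    Host("web-01", {"examplehttpd": "2.4.9"}, {"allow_legacy_renegotiation": "on"}),
    Host("web-02", {"examplehttpd": "2.4.10"}, {"allow_legacy_renegotiation": "on"}),
    Host("web-03", {"examplehttpd": "2.4.12"}, {"allow_legacy_renegotiation": "off"}),
    Host("db-01", {"exampledb": "13.2"}, {}),
]

if __name__ == "__main__":
    for host in HOSTS:
        status, reasons = remediation_status(FINDING, host)
        print(f"{host.name:8} {status:24} {'; '.join(reasons)}")
    print(summarize(FINDING, HOSTS))
```

In this constructed inventory, web-02 is exactly the case the article describes: the patch team sees the package at the fixed version and marks the ticket done, while the scanner still reports the finding because the configuration change was never made. Carrying the `reasons` list back to the owning team tells them what is still missing, which is what shortens the verification loop.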

Closing that loop, by consolidating vulnerability discovery, validation, remediation and verification within a single workflow so that handoffs between tools and teams disappear, is what CTEM (continuous threat exposure management) promises. Many organisations still struggle to operationalise it.

In other words, reducing cyber risk is still hard because identifying and 'knowing' risk doesn't automatically translate to reducing it.

According to Kathpal, many CTEM initiatives stall because they stop at visibility rather than action. He points to three roadblocks that repeatedly stall progress.

First is exploitability. While CTEM programs often provide dashboards and exposure assessments, businesses still need to determine whether vulnerabilities are genuinely exploitable in production environments. 

Traditional testing tools are not always designed to operate continuously across enterprise infrastructure at scale.

Second is remediation. Even when CTEM platforms correctly identify and prioritise risks, organisations frequently must export data into separate security and IT systems to initiate corrective actions, introducing additional operational complexity.

Third is communicating cyber risk to business leaders in an easily digestible way. 

Many CTEM platforms remain heavily technical, making it difficult for CISOs to translate security findings into financial terms that executives and board members can understand. Qualys is developing tools that will enable security teams to prioritise remediation based not only on technical severity, but also on revenue impact.

"In fact, we now also have AI models, which will go through your public filings," Kathpal said.

"So that if you do not have your business entities' information, and the dollar value association with each one of them, Qualys will help you with it. Then based on those dollar values, you can prioritise the risk.

"It is not just based on asset criticality alone, but also on how you are earning the dollar value as a company. For example, with Qualys, from our US platform, we earned around $200 million. From our other platform, we earned only $1 million, because the platform has just started."

Those business-context signals are designed to feed directly into what Qualys calls a Risk Operations Centre (ROC): a framework for continuous detection and remediation, intended to turn CTEM insights into action so that prioritisation leads to measurable remediation and demonstrable risk reduction over time.

This approach starts with creating a unified asset inventory and consolidating exposure data from across a company, with risks then prioritised according to both technical and business impact.

The final stage centres on audit and compliance reporting, enabling organisations to demonstrate remediation activities and risk management practices to regulators and auditors under frameworks such as ISO standards and regional cybersecurity requirements.

Kathpal said Qualys has noticed the ROC terminology being used by Microsoft and other companies in their own security messaging, but the company intentionally chose not to trademark the term, in hopes of encouraging broader use within the industry.

He views this increased adoption across cybersecurity as validation of a broader industry shift toward operationalising cyber risk management, rather than focusing solely on vulnerability discovery.

As companies continue to grapple with expanding attack surfaces, increasing regulatory pressure, and growing complexity in IT environments, Kathpal is adamant that reducing cyber risk will depend less on finding vulnerabilities, and more on operationalising and automating the actions required to address them.