COMMENTARY: Cybersecurity has been working for 20 years to increase its ability to find
risk. We have tried scanners, monitoring systems, cloud security platforms, threat intelligence feeds, vulnerability management tools, and detection technologies – all to help us understand where attackers can enter an environment, what assets need protection, and what vulnerabilities we need to fix right away.
For the most part, the investments have borne fruit. We know a lot more about our environments than we did 10 years ago. But finding risk doesn't necessarily make risk go away.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Every vulnerability that gets added to a backlog requires an engineer's attention. Every service we open to the public requires an owner, and every way that an attacker can get into an environment must get assessed, prioritized, and fixed.
Technology helps us find risk. Fixing risk requires people, priorities, and teamwork. Some security leaders already understand where most of their risk comes from. The big challenge now: how to reduce risk.
Security workflows were created for longer response times
Most security operations are based on processes created when organizations had more time between finding risk and fixing risk. Exploit development required special skills. Researching vulnerabilities took time. Attackers could not look at every possible target, so many weaknesses were never noticed in the first place.
Security teams could investigate findings, coordinate with engineering teams, schedule remediation work, and verify fixes before exploitation became widespread. Many security programs still operate on models built when organizations had weeks or months to move from finding risk to actual patching.
AI lowers the cost of finding risk
AI makes it easier to analyze software, understand unfamiliar code, investigate systems, and find weaknesses. In practice, this means attackers can analyze more targets and researchers can analyze more code. Security teams can also find vulnerabilities, attack paths, and exposures that would have taken much longer to uncover only a few years ago.
For example,
our research recently found that AI becomes more effective at finding vulnerabilities as it’s given more compute. Across more than 1,500 production codebases, it consistently uncovered additional validated vulnerabilities. Additionally, when compared against professional security audits, the AI was capable of identifying all of the same critical and high-severity vulnerabilities that were identified by the human auditors. However, the AI also discovered critical findings that were not included in the audits.
As organizations have increasingly larger backlog of findings and less time to remediate them, organizations are experiencing increased pressure on their security teams who are already severely understaffed.
Attackers are increasingly operating continuously in cycles of discovery, testing, refining, and exploiting. Security technology increasingly operates the same way. Modern systems continuously correlate signals, identify relationships between assets, uncover attack paths, and generate new findings as environments evolve.
Security organizations are increasingly sitting between two systems that never stop. Attackers continuously search for weaknesses while security tools continuously create new findings.
Any improvement on either side increases the amount of work flowing into remediation pipelines that still rely on human coordination. Most organizations process that work through engineering schedules, testing requirements, deployment processes, business priorities, and limited staffing resources. Those limitations do not disappear because discovery gets faster.
Discovery improves faster than remediation
Cybersecurity has made tremendous strides in discovery because discovery scales well through software and automation. Remediation does not. Engineering teams still have to evaluate changes, test fixes, manage deployments, and balance security work against other responsibilities.
Security teams can identify critical vulnerabilities in minutes, but getting rid of them often takes days, weeks, or months depending on ownership, dependencies, release schedules, and competing priorities.
Attackers need less time to discover and exploit weaknesses than they did only a few years ago, while many organizations are struggling to reduce remediation timelines at the same rate. The gap between discovery and remediation continues to grow.
Security leaders often focus on the number of vulnerabilities in their environments. The age of those vulnerabilities are often more telling. A vulnerability that has not been fixed remains available to attackers regardless of whether an organization knows about it. Finding a weakness does not eliminate exposure. It begins the process of reducing exposure.
While vulnerabilities wait for remediation, defenders still have to monitor for attempted exploitation, investigate suspicious activity, develop compensating controls, and prepare for the possibility that attackers find the same weakness first.
A backlog is not just a list of unfinished tasks: it’s a list of known weaknesses that remain exposed while an organization works through competing priorities and limited capacity.
Many security professionals would rather spend more time improving security programs. They want to document lessons learned, strengthen remediation processes, improve detection capabilities, review architectural weaknesses, and preserve institutional knowledge.
Instead, many spend much of their time coordinating work already in progress. They follow up on remediation efforts, validate fixes, review status updates, track ownership, write reports, and move findings through organizations that often have more security work than available capacity.
Documentation falls behind because current issues take precedence. Institutional knowledge remains trapped inside individuals. Process improvement gets delayed because the next unresolved vulnerability almost always feels more urgent. As the volume of findings grows, organizations devote more effort to managing security work and less effort to improving how security work gets done.
For years, cybersecurity concentrated on visibility because organizations did not have a clear understanding of where risk existed. The industry made tremendous progress toward that goal.
Many organizations now have more visibility than they can operationalize. In many environments, the question is no longer whether we can identity risk, but how quickly an organization can respond once risk becomes evident.
AI increases pressure on that response process from multiple directions. Attackers can analyze more targets. Security tools can find more issues. Researchers can uncover vulnerabilities at greater scale. All of that activity generates more security work.
New vulnerabilities enter remediation queues. New attack paths are investigated. New exposures compete for engineering attention. Meanwhile, remediation still depends on engineering capacity, testing requirements, deployment schedules, business priorities, and human coordination across teams.
Attackers and security tools are increasingly functioning as continuous systems that never stop creating new information and new opportunities. Most organizations still respond through processes dependent on people making decisions, allocating resources, and coordinating work across multiple teams.
Today, security teams discover risk faster than they can remove it. That reality now shapes security outcomes long before an attacker ever launches an exploit. So now that everything has sped up – that’s why we need humans-in-the-loop more than ever.
Harikrishnan Mulackal, chief executive officer, CantinaSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.