Here’s a six-minute highlights reel of the best moments from last week’s CISO Series Video Chat “Hacking Vulnerability Management: An hour of critical thinking about a risk-based approach to dealing with vulnerabilities”.

See the full video here

Featured in this discussion are Ram Hegde, CISO, Genpact and Ed Bellis (@ebellis), CTO and co-founder, Kenna Security.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, Kenna Security

With Kenna Security, companies efficiently manage the right level of risk for their business. Our Modern Vulnerability Management model eliminates the friction between Security and IT teams about what to patch, providing clear prioritization based on real-time threat intelligence and guidance applied to each customer’s unique environment across infrastructure, applications and IoT.

Best Bad Ideas

What I love about this week’s bad idea from Matthew Thomson, VP, IT security at Community First Credit Union – Appleton, Wisconsin, is the visual it creates. I picture putting your company into a virtual demolition derby, fully prepared to get it totaled, all in the hopes of coming out with a brand new shiny company.

We had a whopping 35 bad ideas, with a few notable honorable mentions:

“Annual patch week. Do all IT patches the last week of the year for every system in the inventory” – Shawn Bowen, CISO, Restaurant Brands International

“Make a word cloud out of all open vulnerabilities and prioritize addressing them by their display size.” – Carlota Sage, CEO, Tulle Software & Services

“Play musical chairs to decide what vulnerability to assess first.” – Tricia Howard, marketing manager, HolistiCyber

Best quotes from the chat room

“I feel like we never get to do patch management right 100% in any minute organization. We all have those skeletons – those critical vulnerabilities we never patch or delay the patches for. So @Thomas yes, compensating controls.” – Nurudeen Odeshina, co-chair, International Association of Privacy Professionals – Nigeria Chapter

“It’s really painful for me to see the ‘likelihood’ element still being used. When you use likelihood and something happens, you are ‘to blame’ by your management; you can’t own a risk when you assume ‘likelihood.’” – Eli Migdal, CEO, Boardish

“Most technical folks I come in contact with at customer sites have little to no idea of what the impact is on the business if a system/application is compromised… so I would never want them making the decision in a box on what gets corrected.” – Thomas Torgerson, sr. remediation manager, Cyturus Technologies