When ‘Critical’ to Cyber is ‘Not Critical’ to Business!
Challenges and misalignment between Cyber and Business priorities, with actionable insights to foster collaboration and achieve shared business objectives.
The Conversation
The Cybersecurity team has recently completed a vulnerability scan on one of the business applications and has identified a ‘critical severity’ vulnerability.
The team reports the finding to the business, and this is how the conversation goes.
Cyber: We have found a ‘critical severity’ vulnerability in your application. You need to fix this within ’n’ number of days. (Replace ’n’ with any number as defined by your SLA.)
Business: What does this ‘critical severity’ vulnerability mean?
Cyber: The security scanning tool has identified a blind SQL injection vulnerability in your application that an attacker could exploit to compromise the backend database. The scanning tool has rated the vulnerability as ‘critical severity’, which means you need to fix it within ’n’ number of days as per the SLA.
Business: I understand, if the database can be compromised by exploiting a SQL injection vulnerability, it appears pretty bad. But we don’t have any sensitive data in our database, and the application is accessible only to a few internal company employees.
Business: So, Mr. Cyber, please explain what the actual business risk posed by this vulnerability is, in the context of my application?
Cyber: We do not work in this way. Since we scan a large number of applications and do not have the data to understand the context, we require all ‘critical severity’ vulnerabilities highlighted by our tools to be resolved before you can go live or within ’n’ number of days.
Business: We have committed a target release date to our customers. Since we’re already behind on this delivery, I cannot allow any further delays because of this vulnerability in our application.
Business: I do not see a material risk to the business here, so I will accept the risk for now and deal with it later when we have more time (which effectively never happens).
(The discussion ends there.)
The Disconnect: Cyber Risk vs. Business Risk
The discussion above is not an isolated instance but a recurring theme that I have encountered many times in my career, and I’m sure you have too.
The issue here is that Cyber and Business are looking at the same finding, but they evaluate it through entirely different lenses.
Let’s look at what exactly that means.
Cyber’s Focus: Technical Risk
Cyber teams rely heavily on technical severity ratings following methodologies such as CVSS (Common Vulnerability Scoring System). A CVSS base score is derived from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability), and it is deliberately independent of where the vulnerable system is deployed or what data it holds. CVSS does define an Environmental metric group for exactly that context, but most scanners report only the base score, and a ‘critical’ base score automatically triggers stringent SLAs for remediation.
Business’s Focus: Operational Risk
Business teams assess risk through the lens of operational risk which generally involves operational impact, customer commitments, revenue, and regulatory compliance. A vulnerability may be rated ‘critical severity’ technically, but if the application is non-sensitive, limited in exposure, or non-core to operations, the business may consider the risk negligible and hence decide to lower the severity rating and accept the residual risk.
This disconnect often results in frustration on both sides —
The Cyber team feels the Business is not taking security seriously, while the Business views Cyber as creating unnecessary roadblocks.
Example Scenarios
Consider these two scenarios that bring this to life —
Scenario 1: High Technical Risk, Low Business Impact
Scenario: A vulnerability is discovered in a reporting application used exclusively by the finance team. The application is hosted on an internal network with limited access.
Cyber’s View: The vulnerability is technically ‘critical’ because it allows privilege escalation, and the CVSS score is 9.8.
Business’s View: The database behind the application only contains non-sensitive financial summaries that are of little value to attackers. Since the application is restricted to internal users and has additional network segmentation, the business deems the risk acceptable.
Scenario 2: Overlooked Technical Risk, High Business Impact
Scenario: A medium-severity vulnerability (CVSS 5.4) is found in a customer-facing e-commerce platform. Exploiting the vulnerability could allow attackers to scrape customer emails.
Cyber’s View: Since the vulnerability is rated as ‘medium’ by the scanning tool, it doesn’t meet the SLA threshold for immediate remediation.
Business’s View: Exposing customer data — even emails — could result in reputational damage and regulatory fines under GDPR. The business considers this a critical issue and expects immediate action.
Why Does This Disconnect Happen?
From the discussion above, it is evident that both Cyber and Business operate in silos, leading to a significant disconnect. Not only that, there could also be cultural, organisational, and leadership factors contributing to this disconnect.
Some of the potential causes for disconnect could include:
1. Differing Objectives and Priorities
Cyber’s Objective: Cyber is working to protect the organisation by mitigating security risks. Cyber teams are often measured on metrics like the number of vulnerabilities remediated, adherence to SLAs, and incident prevention.
Business’s Objective: Business delivers products and services to customers on time, maintaining profitability, and achieving operational goals. Business teams are focused on metrics like revenue, customer satisfaction, and operational efficiency.
This fundamental difference in objectives results in misaligned or even competing priorities. Cyber sees vulnerabilities as threats to organisational security, while Business sees them as potential delays to key deliverables.
2. Misaligned Risk Definitions
Cyber often uses metrics like CVSS scores, CWE classifications, and SLA adherence to assess risk. Business relies on operational risk frameworks that account for financial loss, reputational impact, and regulatory compliance, which may not directly correlate with CVSS scores.
The absence of shared, agreed-upon metrics for assessing risk means that both sides are speaking different languages.
For example, Cyber might insist on remediating a vulnerability because it’s ‘critical’ by CVSS standards, but Business might ignore it because it doesn’t align with their financial risk threshold.
3. Tool-Centric Approach
Security scanning tools are designed to highlight technical risks but lack context of the application environment, data sensitivity, or exposure. Without this context, vulnerabilities may be incorrectly prioritised.
Also, running several scanner types (SAST, DAST, SCA, container, secrets and infrastructure scanning) tends to generate a lot of noise from false positives and duplicate findings, since the same weakness is often reported by more than one tool.
Not having a streamlined process to triage vulnerabilities and to remove duplicates may result in toil for Business and development teams.
4. Lack of Communication
In many organisations, Cyber and Business teams operate in silos with minimal interaction. This isolation leads to a lack of understanding of each other’s goals, challenges, and constraints. A Cyber team may not be aware of a looming product launch deadline, while Business might not understand the technical implications of delaying a patch for a critical vulnerability.
Also, security teams often fail to communicate the “so what?” to the business. Explaining technical vulnerabilities in terms of their potential business impact requires effort and collaboration but is often overlooked.
5. Cultural Barriers
The cultural mindset within Cyber and Business teams can also differ significantly:
Cyber tends to have a defensive mindset, prioritising caution and mitigation of potential threats.
Business is more risk-tolerant, focusing on achieving outcomes even if it involves taking calculated risks.
This cultural difference often leads to Cyber being seen as “the department of no”, while Business is viewed as “recklessly ignoring security”.
6. Perception of Security as a Cost Centre
Business often views Cyber as a cost centre that consumes resources without directly contributing to revenue. This perception leads to security being deprioritised, especially when budgets or timelines are tight.
As a result —
Cyber struggles to gain buy-in for remediating vulnerabilities unless they can directly tie their efforts to business value, such as avoiding regulatory fines or improving customer trust.
7. Inconsistent Leadership Alignment
Leadership plays a crucial role in bridging the gap between Cyber and Business. Inconsistent or misaligned leadership priorities can exacerbate the disconnect:
Cyber Leadership: May focus on compliance metrics or industry benchmarks without fully considering the organisation’s specific business needs.
Business Leadership: May underappreciate the importance of cybersecurity or fail to advocate for risk management at the executive level.
This lack of a unified vision at the leadership level trickles down to operational teams, perpetuating the misalignment.
Bridging the Gap
To address these challenges, the focus needs to shift to actionable strategies that produce collaboration and alignment between Cyber and Business objectives.
Let’s review what some of these strategies may involve —
1. Adopt Risk Contextualisation
Security teams must move beyond generic technical ratings like CVSS scores and incorporate environmental and business context when assessing vulnerabilities. This means considering factors such as:
Application Criticality: Is the application central to business operations or customer interactions?
Data Sensitivity: Does the application handle personal, financial, or regulated data?
Exposure: Is the application externally accessible or restricted to internal users?
For example, an SQL injection vulnerability in an Internet facing application with sensitive customer data is far riskier than the same vulnerability in an internal reporting tool used by a small team.
Tools like EPSS (Exploit Prediction Scoring System) can also help: EPSS estimates the probability that a given CVE will be exploited in the wild within the next 30 days, which adds a likelihood dimension that CVSS lacks. Note that EPSS is keyed to published CVE identifiers, so it says nothing about a vulnerability found in first-party code, such as the SQL injection in the conversation above; for those findings, exposure and data sensitivity have to carry the likelihood and impact assessment.
Use automation or AI-assisted tooling to enrich vulnerability data with contextual business information.
For example, a tool that links vulnerabilities to asset importance, exposure, and data classification can provide a more accurate risk picture.
2. Risk Based Vulnerability Management (RBVM)
Transition from a “fix everything critical” approach to a more strategic “Risk Based Vulnerability Management” approach. This involves:
Using a custom risk scoring methodology that combines both technical and business risk.
Aligning vulnerability management with the organisation’s operational risk framework to ensure consistent prioritisation.
For example, an RBVM framework could consider the CVSS score, exploit likelihood, data classification, financial impact, and regulatory exposure, assigning weights to each of these factors to calculate a composite risk score.
This ensures vulnerabilities are prioritised based on their overall risk to the organisation and not just the technical risk factors.
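The composite score described under Risk Contextualisation and RBVM above can be made concrete. The Python below is an added example written for this article and not code from the original post; the factor scales, the weights, the SLA bands and the EPSS values attached to the two scenarios are all assumptions chosen to illustrate the mechanism, not a published methodology. It goes slightly beyond the text by ranking a whole list of findings rather than scoring one.

```python
"""Illustrative risk-based vulnerability management (RBVM) composite score.
Added example: scales, weights, SLA bands and sample findings are assumptions."""
from dataclasses import dataclass

# Business-context factors mapped onto a 0..1 scale (assumed for this example)
EXPOSURE = {"internet": 1.0, "partner": 0.7, "internal": 0.3, "isolated": 0.1}
DATA_CLASS = {"regulated_pii": 1.0, "confidential": 0.7, "internal": 0.3, "public": 0.0}
CRITICALITY = {"mission_critical": 1.0, "important": 0.6, "supporting": 0.3}
REGULATORY = {"high": 1.0, "medium": 0.5, "none": 0.0}

# Weights sum to 1.0 so the composite stays on the familiar 0..10 scale (assumed policy)
WEIGHTS = {"cvss": 0.25, "epss": 0.20, "exposure": 0.15,
           "data": 0.15, "criticality": 0.10, "regulatory": 0.15}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9

# Priority band and remediation SLA in days, highest threshold first (assumed policy)
SLA_BANDS = [(8.0, "P1", 7), (6.0, "P2", 30), (4.0, "P3", 90), (0.0, "P4", 180)]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    cvss_base: float     # 0..10 as reported by the scanner
    epss: float          # probability 0..1; use 0.0 when no CVE exists (first-party code)
    exposure: str
    data_class: str
    criticality: str
    regulatory: str


def composite_score(f: Finding) -> float:
    """Weighted blend of technical and business factors, returned on a 0..10 scale."""
    if not 0.0 <= f.cvss_base <= 10.0 or not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"{f.finding_id}: CVSS must be 0..10 and EPSS 0..1")
    factors = {
        "cvss": f.cvss_base / 10.0,
        "epss": f.epss,
        "exposure": EXPOSURE[f.exposure],
        "data": DATA_CLASS[f.data_class],
        "criticality": CRITICALITY[f.criticality],
        "regulatory": REGULATORY[f.regulatory],
    }
    return 10.0 * sum(WEIGHTS[k] * v for k, v in factors.items())


def priority(score: float) -> tuple[str, int]:
    """Map a composite score to its priority band and SLA in days."""
    for threshold, band, sla_days in SLA_BANDS:
        if score >= threshold:
            return band, sla_days
    raise ValueError("score below zero")


def prioritise(findings: list[Finding]) -> list[tuple[str, float, str, int]]:
    """Rank findings by composite score, highest first."""
    ranked = sorted(findings, key=composite_score, reverse=True)
    return [(f.finding_id, round(composite_score(f), 2), *priority(composite_score(f)))
            for f in ranked]


# Constructed findings matching the article's two scenarios; the EPSS values are assumed.
FINANCE_REPORTING = Finding("FIN-001", 9.8, 0.02, "internal", "internal", "supporting", "none")
ECOMMERCE_SCRAPE = Finding("ECOM-042", 5.4, 0.30, "internet", "regulated_pii",
                           "mission_critical", "high")

if __name__ == "__main__":
    for fid, score, band, days in prioritise([FINANCE_REPORTING, ECOMMERCE_SCRAPE]):
        print(f"{fid:9s} composite={score:4.1f} {band} fix within {days} days")
```

Run stand-alone, it puts the e-commerce finding (CVSS 5.4) into P2 with a 30-day SLA and the internal finance finding (CVSS 9.8) into P4, the reverse of the scanner’s own ordering. The weights are the policy decision that a joint risk committee should own and review; the code merely applies them consistently to every finding.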
3. Streamline Processes
The sheer volume of vulnerabilities generated by multiple scanning tools often leads to noise and duplication.
To reduce toil —
Consolidate vulnerability data into a centralised repository to de-duplicate findings from tools like SAST, DAST, and infrastructure scans.
Implement workflows to automatically categorise vulnerabilities based on criticality and context.
Create a single “source of truth” dashboard where all teams can see prioritised vulnerabilities and remediation status.
4. Train Both Teams
Cross-training is essential for fostering collaboration and understanding between Cyber and Business.
For Cyber Teams: Conduct workshops on business operations, regulatory requirements, and the company’s risk management framework. This helps them understand why Business might prioritise or deprioritise certain vulnerabilities.
For Business Teams: Provide basic training on cybersecurity concepts, such as CVSS, attack vectors, and threat modeling, so they can appreciate the implications of vulnerabilities.
For example, Cyber could organise a “day in the life of a vulnerability” session to walk Business teams through the potential exploitation of a vulnerability, its impact, and remediation options.
5. Continuous Feedback and Improvement
Vulnerability management is an iterative process. Continuous monitoring and feedback loops ensure alignment over time.
To make improvements over time —
Monitor key metrics, such as the number of vulnerabilities remediated within SLA, average time to remediate, and business satisfaction scores.
Collect feedback from both Cyber and Business teams after major vulnerability management cycles to identify pain points.
Adjust processes and tools based on lessons learned to work more collaboratively.
6. Leadership Alignment
Take a top-down approach in which leadership develops a shared vision, establishes a unified risk management framework, and drives cultural change in the organisation. This may include —
Establishing unified objectives that integrate security into business goals, ensuring alignment across all teams.
Establishing a unified risk management framework in which both Cyber and Business teams evaluate risks using common metrics that combine technical and business impact.
Developing a governance model, such as a joint risk committee, to ensure continuous collaboration and alignment between Cyber and Business priorities.
Final Thoughts
The conflict between Cyber and Business on vulnerability management isn’t about one side being right and the other wrong. It’s about finding a common ground. By contextualising risk, adopting a risk-based approach, streamlining workflows, and fostering collaboration, organisations can align Cyber and Business priorities.
The ultimate goal is for Cyber to serve the Business by enabling it to operate securely without unnecessary delays or toil.
And the end result would be —
A more secure, efficient, and harmonious working environment where both sides contribute to shared business goals.