Simplifying Cyber

The Vulnerability Playbook



A vulnerability backlog can look like a crisis, but sometimes the real crisis is that you’re staring at the wrong picture. We’re joined by Dave Sims, most recently Staff VP at Elevance Health and a longtime technology leader, to talk through vulnerability risk management in plain terms and why “more findings” doesn’t automatically mean “more security.” We get specific about the difference between vulnerability management and patch management, and how confusion between the two creates low-trust handoffs, endless ticket churn, and slow remediation.

We also dig into the messy reality of asset inventory. CMDB data goes stale, cloud resources appear and disappear, and scanners can produce a better “what’s out there” view without telling you why it matters. Dave explains how metadata tagging and business context turn raw vulnerability data into risk-based prioritization: knowing who owns a system, what it does, why the business depends on it, and which weaknesses truly expose critical services. Along the way, he shares a story of cutting through years of miscommunication with a single no-blame conversation that unlocked progress fast.
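The join the paragraph above describes, as an added illustration (not code from the episode, from Dave Sims, or from Reveal Risk): raw scanner findings are enriched with inventory tags for owner, service, business criticality and exposure, then ranked by that context instead of by raw scanner severity or finding count. Hosts, finding ids, weights and the stale-inventory host are all constructed for the example; the scoring weights are an assumption, not a published formula.

```python
"""Risk-based prioritisation of scanner findings using asset metadata.

Added example, not from the episode or from Reveal Risk. It joins scanner
output with constructed inventory tags (owner, service, criticality,
internet exposure) so findings are ranked by business risk, and it surfaces
findings on hosts the inventory does not know about instead of scoring them
silently. Every host, finding id and weight below is a constructed placeholder.
"""
from dataclasses import dataclass

# Constructed CMDB extract: hostname -> metadata tags.
ASSETS = {
    "pay-api-01": {"owner": "payments-team", "service": "card payments",
                   "criticality": "critical", "internet_exposed": True},
    "hr-portal-02": {"owner": "people-ops", "service": "HR self-service",
                     "criticality": "high", "internet_exposed": False},
    "lab-test-07": {"owner": "platform-eng", "service": "throwaway lab box",
                    "criticality": "low", "internet_exposed": False},
}

# Constructed scanner output: (host, finding id, scanner severity 0-10).
FINDINGS = [
    ("lab-test-07", "FIND-001", 9.8),   # top scanner score, low-value asset
    ("pay-api-01", "FIND-002", 6.5),    # medium score, critical exposed asset
    ("hr-portal-02", "FIND-003", 7.5),
    ("ghost-vm-99", "FIND-004", 8.1),   # absent from the CMDB: inventory is stale
]

# Assumed weights: how much business context scales the scanner score.
CRITICALITY_WEIGHT = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}
EXPOSURE_MULTIPLIER = {True: 1.5, False: 1.0}


@dataclass
class RankedFinding:
    host: str
    finding_id: str
    scanner_score: float
    risk_score: float
    owner: str
    note: str = ""


def prioritise(findings=FINDINGS, assets=ASSETS):
    """Return (ranked findings, findings on unknown hosts).

    Ranked findings are ordered by contextual risk, highest first. Findings
    whose host is missing from the inventory are returned separately so they
    go to an ownership/discovery queue rather than being dropped or guessed.
    """
    ranked, unknown = [], []
    for host, fid, severity in findings:
        meta = assets.get(host)
        if meta is None:
            unknown.append(RankedFinding(
                host, fid, severity, 0.0, "UNKNOWN",
                "asset missing from inventory; needs ownership triage"))
            continue
        risk = (severity
                * CRITICALITY_WEIGHT[meta["criticality"]]
                * EXPOSURE_MULTIPLIER[meta["internet_exposed"]])
        ranked.append(RankedFinding(host, fid, severity, round(risk, 2),
                                    meta["owner"], meta["service"]))
    ranked.sort(key=lambda r: r.risk_score, reverse=True)
    return ranked, unknown


def tickets_by_owner(ranked):
    """Group ranked findings by owning team so each handoff names a
    responsible party and carries the business context with it."""
    tickets = {}
    for r in ranked:
        tickets.setdefault(r.owner, []).append(r.finding_id)
    return tickets


if __name__ == "__main__":
    ranked, unknown = prioritise()
    for r in ranked:
        print(f"{r.risk_score:5.2f}  {r.host:13} {r.finding_id}  "
              f"owner={r.owner}  ({r.note})")
    for u in unknown:
        print(f"  ??    {u.host:13} {u.finding_id}  {u.note}")
    print(tickets_by_owner(ranked))
```

Run as written, the medium-severity finding on the internet-facing payments host outranks the near-maximum scanner score on the lab box, and the finding on the host the CMDB has never heard of is reported as an inventory gap rather than silently ranked; that is the "why it matters" layer the raw scanner view lacks.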

If you’re a CISO, security leader, architect, or practitioner trying to make VRM work at enterprise scale, this is a practical framework: outside-in black box assessment, inside-out discipline, and a people-first approach that values training, process, and continuous improvement over shiny tools. Subscribe, share this with a teammate who owns patching or VRM, and leave a review if it helps. What’s the biggest thing keeping your vulnerability program from being truly risk-based?

🔗 Connect with Us & Get in Touch  

Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics. 

No gatekeeping and no BS. We’re here to simplify.  

Official Website: www.revealrisk.com  

LinkedIn: https://www.linkedin.com/company/reveal-risk  

🤘 Stay Secure with Us 

If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates. 

Reveal Risk delivers cybersecurity results, not just reports. 


Simplifying Cyber, by Aaron Pritz and Cody Rivers

Rating: 5 out of 5 (17 ratings)

