The Evolution of Vulnerability Management with Steve Carter – Source: securityboulevard.com

Source: securityboulevard.com – Author: Alan Shimel

Steve Carter discusses the evolution of the vulnerability management market, as well as where vulnerability management has failed and why the next phase has to center around automation and scale.

The problem, as Carter sees it, is deceptively simple: Organizations are drowning in vulnerabilities but still can’t prioritize or fix them quickly. Scanners can identify thousands of issues, but the process of getting those vulnerabilities to the right people, assigning ownership, and remediating the risk is almost always manual and inconsistent. The real bottleneck isn’t in detection—it’s in what happens after.

Alan and Carter discuss how automation may be the missing piece. Not just automating patching, but automating the full lifecycle—from data collection across a range of tools (CSPMs, endpoint agents, bug bounty platforms, etc.) to enrichment with business context, to orchestration of workflows. In that sense, the challenge isn’t just a security problem. It’s a data problem. Modern orgs are pulling in vulnerability signals from 20 or more tools, and without a way to normalize, prioritize and act on them, teams fall behind fast.

Furthermore, the rise of cloud-native infrastructure only makes things harder. Containers, ephemeral assets, and serverless components don’t play nicely with legacy tooling built for static environments. Carter notes that any modern approach to vulnerability and exposure management has to handle this dynamic complexity or risk becoming irrelevant.

There’s no silver bullet—but there is progress. Automation, better data handling, and continuous visibility are turning a slow, error-prone process into something manageable. It’s taken more than 20 years, but the industry might finally be closing in on a real solution.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology-related companies, including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St. John's University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.

Original Post URL: https://securityboulevard.com/2025/04/the-evolution-of-vulnerability-management-with-steve-carter/?utm_source=rss&utm_medium=rss&utm_campaign=the-evolution-of-vulnerability-management-with-steve-carter

Category & Tags: Video Interviews, Vulnerabilities, Automation, CSPMs, endpoint agents, Vulnerability Management
