CISOs should expand the scope of vulnerability management programs to better prioritize vulnerabilities in real time, taking into account multiple criteria such as potential impact and likelihood of exploitation. This creates a more balanced order of urgency for an organization than severity alone.
Software companies should provide more context for the CVEs they are warning us about, beyond just a severity score. This can include whether a CVE has already been exploited in the wild, how much chatter there is about it in cybercrime forums, and whether exploit code is being shared on the dark web.
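The prioritization described above, as an added example that is not from this article: a small Python scorer that blends the severity score with asset criticality and with the exploitation evidence named here (exploited in the wild, public exploit code, forum chatter), then compares the resulting order with a severity-only order. The weights, field names and CVE ids are constructed placeholders, not a published scoring model.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str                # constructed placeholder id, not a real CVE
    cvss: float             # vendor severity score, 0-10
    asset_impact: float     # 0-1, how critical the affected asset is to the business
    exploited_in_wild: bool
    exploit_public: bool
    forum_chatter: int      # 0 = none, 1 = some, 2 = heavy (constructed scale)


def likelihood(v: Vuln) -> float:
    """Estimate exploitation likelihood from evidence beyond the severity score."""
    score = 0.1                      # baseline: any disclosed CVE carries some chance
    if v.exploited_in_wild:
        score += 0.6                 # strongest signal: active exploitation
    if v.exploit_public:
        score += 0.2                 # working exploit code lowers attacker effort
    score += 0.05 * v.forum_chatter  # criminal interest as a weaker signal
    return min(score, 1.0)


def risk(v: Vuln) -> float:
    """Risk = impact x likelihood; impact blends severity with asset criticality."""
    impact = (v.cvss / 10.0) * (0.5 + 0.5 * v.asset_impact)
    return impact * likelihood(v)


def prioritize(vulns):
    """Risk-based order: what this article argues for."""
    return [v.cve for v in sorted(vulns, key=risk, reverse=True)]


def severity_only(vulns):
    """Severity-driven order: the fire-drill ranking the article criticises."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed sample records (placeholder ids and values)
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, 0.3, exploited_in_wild=False, exploit_public=False, forum_chatter=0),
    Vuln("CVE-0000-0002", 7.5, 0.9, exploited_in_wild=True, exploit_public=True, forum_chatter=2),
    Vuln("CVE-0000-0003", 6.1, 0.8, exploited_in_wild=False, exploit_public=True, forum_chatter=1),
]

if __name__ == "__main__":
    print("severity-only:", severity_only(SAMPLE))
    print("risk-based:   ", prioritize(SAMPLE))
```

The critical-scored but unexploited placeholder drops to the bottom of the risk-based list, while the actively exploited high-severity one on a critical asset moves to the top.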
Media outlets should also examine their role in creating a fire-drill mentality, and give more attention to risk-based parameters rather than severity alone. The culture shift away from this mentality has to come from strong CISOs who understand that a high severity score without any context is not enough to set the alarm bells ringing.
In conclusion, while vulnerability disclosures will continue to dominate headlines and attention, the cybersecurity community needs to move away from a severity-driven approach to patching and instead adopt a risk-based approach that prioritizes the vulnerabilities most likely to be exploited. This will help organizations allocate resources better and ultimately improve their overall security posture.