Simplifying Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
The Vulnerability Playbook
A vulnerability backlog can look like a crisis, but sometimes the real crisis is that you’re staring at the wrong picture. We’re joined by Dave Sims, most recently Staff VP at Elevance Health and a longtime technology leader, to talk through vulnerability risk management in plain terms and why “more findings” doesn’t automatically mean “more security.” We get specific about the difference between vulnerability management and patch management, and how confusion between the two creates low-trust handoffs, endless ticket churn, and slow remediation.
We also dig into the messy reality of asset inventory. CMDB data goes stale, cloud resources appear and disappear, and scanners can produce a better “what’s out there” view without telling you why it matters. Dave explains how metadata tagging and business context turn raw vulnerability data into risk-based prioritization: knowing who owns a system, what it does, why the business depends on it, and which weaknesses truly expose critical services. Along the way, he shares a story of cutting through years of miscommunication with a single no-blame conversation that unlocked progress fast.
If you’re a CISO, security leader, architect, or practitioner trying to make VRM work at enterprise scale, this is a practical framework: outside-in black box assessment, inside-out discipline, and a people-first approach that values training, process, and continuous improvement over shiny tools. Subscribe, share this with a teammate who owns patching or VRM, and leave a review if it helps. What’s the biggest thing keeping your vulnerability program from being truly risk-based?
🔗 Connect with Us & Get in Touch
Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.
No gatekeeping and no BS. We’re here to simplify.
Official Website: www.revealrisk.com
LinkedIn: https://www.linkedin.com/company/reveal-risk
🤘 Stay Secure with Us
If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates.
Reveal Risk delivers cybersecurity results, not just reports.
Welcome And Guest Introduction
SPEAKER_01: Thanks for tuning in to Simplifying Cyber. I'm Aaron Pritz and I'm Cody Rivers. And today we're here with Dave Sims, uh most recently Staff VP at Elevance Health, which is formerly Anthem here in town. Right, I was a long time at Eli Lilly, so right across the street for many years. Um, welcome to the show.
SPEAKER_00: Well, thank you, Aaron. I uh I've enjoyed the Eli Lilly walking park many times on uh walking one once there from Elevance.
SPEAKER_01: So thanks for the welcome. Yeah, awesome. So we wanted to what we're trying to do on this show is focus on some deep dive topics where our audience can learn from longtime practitioners and leaders that have solved problems in the industry. And I think the as we were chatting with you, um, one of the ones that we wanted to talk about, we'll start with an overview of your background and kind of how you got into cyber. But we really want to focus in this episode on vulnerability risk management, risk-based, and how you made that effective for both the business and the customers.
Dave’s Path Into Cyber
SPEAKER_01: But before we dive into that specific technical challenge, give us the Dave Sims story, uh Dave Sims story in brief.
SPEAKER_00: Well, thank you. Would you believe that my career uh found me instead of me finding my career? I uh I was uh a package handler at UPS when I was uh approached to join the information services group. I was I was approached because I was hassling my manager to buy a computer from me. I was uh building and selling computers in college to pay for tuition at the time. Uh I joined the information services group. I I kind of found that uh my gaming habit was also a passion for just making things work. And it uh it kind of leapfrogged from there. Um I uh I at one point in my career I got the the nickname of Mr. 10 and 0 for uh getting 10 information security reversals for my IT group from being able to go and explain to them how the technology worked uh to get them to allow us to go forward. That that 10 and 0 experience actually led me to information security where I thought if I just knew how to talk to them better, I could explain it better the first time. It didn't really work out that way, but I I did find a new career and another way to
Army Lessons On Reading People
SPEAKER_00: engage. So were you Army background? I was. I was in the Army for six years total. Well, really eight years, and then you know, six years as active duty, nice, uh, both as uh active duty serviceman and a reservist.
SPEAKER_01: And we have a number of military veterans at Reveal Risk, but what did the military background and training equip you with that you've leveraged to this day in cyber?
SPEAKER_00: Um it so funny story, I was an infantryman in the Army and later a drill sergeant. Uh people hear that and they they kind of recoil and then they're shocked. Dave, you couldn't have been a drill sergeant. I I was, and I was really pretty good at it. One of the things that I learned from my time as a drill sergeant is how to relate with human beings. And it's odd, you would think, that the guy in your face yelling all the time is understanding how to relate, but that's that's what the movies show you. It's not what's real. Uh a drill sergeant needs to be able to see small tells. They need to be able to understand details in the environment, and they need to be able to respond to them very quickly to maintain the health and safety of the people in their charge, sometimes over 60 people. And so you've got to become very tuned in and pay very close attention to people.
SPEAKER_02: I think of drill sergeant, where you like the real tight brim and the little little buckle here. Like I think of Full Metal Jacket, is what I think about drill sergeant.
SPEAKER_01: See, you said the movies shape your perception.
SPEAKER_00: Yeah, yeah, it does. Yeah, it absolutely does. And and uh there is a version of Dave that that can do that. I still have the hat.
SPEAKER_01: Okay, that's great. That's great. I I thought you were going to Major Payne there, but Major Payne's another option.
SPEAKER_02: You gotta get along, you know.
SPEAKER_01: Awesome.
Vulnerability Management Is Not Patching
SPEAKER_01: All right, well, let's get into vulnerability risk management. So maybe for our non-technical um users, define vulnerability risk management and kind of its intersection with IT and patching and the whole world that is fixing things.
SPEAKER_00: So it's kind of funny. There's uh there's a way to define this, and we maybe start with what it's not. Um many people, when they come to vulnerability management, they think of it as patch management. You'll see that a lot of vulnerability management professionals also have patch management in their purview. You'll also hear people talking a lot about patch management, vulnerability management interchangeably. It's not. Vulnerability management is really the art of finding issues on the enterprise via configuration, via system weakness, via applications and software, and finding ways to remediate them. So it's really about having intelligence about what the business does to make money and the systems used to do it.
SPEAKER_01: What why do you think, you mentioned as you were framing that, a lot of VRM people have patching in their title too. Why is that phenomenon? Because leadership has looked down and said, why are they just finding the issues? They should be accountable for finding and fixing versus just giving us lists. How would you counter that, or is that a fair read to some of the reason why it's maybe mushed together?
SPEAKER_00: So I I think there's a there's a big gray mushy pool there. Yeah. And there's there's some things. There's there's some leadership misunderstanding, perhaps, but I think there's also practitioner misunderstanding because way back in the day, vulnerability management really was very close to patch management. And it still has, patch management still has a great impact on the vulnerability management picture, but it's not all there is. And it isn't uh it isn't enough to patch always, right? You really need more intelligence about the enterprise. You need to know, you need to know how the business makes money.
SPEAKER_02: I think too, and to your point, as we become more of a like connected environment, it was just PC, it was mainframe, then just PC. And now there's there's watches, there's phones, there's IoT, there's sensors. I mean, you've got just a rocket ship of things that they keep adding to the network. And so how do you kind of, to Aaron's point, how do you kind of keep all that in control and identify owners and look at prioritize? I mean, sure, it's just a wild west of things that that pop up and that's the thing.
SPEAKER_00: Yeah, the funnel got a lot wider very quickly. Yes, indeed. I I think what we what we see here really, though, is an exacerbation of an issue that was really there all along. Um, vulnerability management in the in the old days, and many practitioners maybe still have a practice. If we do the scan, we find the issues, we throw them over the wall. If we find more issues, that's better. So we have a million issues, we toss them over the wall and we yell at people until they get fixed. That that was a bad practice at the very beginning. It's it's low trust, it's uh it's also low value. Yeah. And so a dialed-in approach where you understand where things are, what they do, and why they matter, dialing in to find those most critical issues, the things that matter to the organization the most, and getting those fixed first, actually acting as an advocate for the business and an advocate for the technology groups to make sure that that these things are happening together and coordinating all that, that's an art. Right. There's a there's an art to that scientific approach. And rather than doing the peanut butter spread across, you've actually dialed in, you've understood the organization at a molecular level, and you're helping to move it faster.
SPEAKER_02: You sound like the world versus translator. Who's, as your point, in like cyber is that kind of that me in between between the business and the IT. Who's harder? What's the more difficult one to work with? Is it the executive, business executive, or is it the IT engineer?
SPEAKER_00: I'm I'm gonna have to say both. Really, if if you're successful in information security, you're that white stripe between the Oreo, right? You're trying to hold those guys together. And be me too, as we can see. But uh you're trying to hold those organizations together and translate them to each other. You can become the voice of IT and the voice of the business, and and really that conscience in between. If you're trustworthy, you have to act in a trustworthy manner. You have to hold yourself accountable to them, and you have to be their good partner in times when it's hard.
SPEAKER_01: You mentioned understanding the business. And we hear across almost all sectors and industries, uh, I can't think of a single company that has reported, we love our CMDB, we got it right, it's awesome. But you mentioned understanding the business, and then I also hear a lot of times it's like, we kind of go to our VRM team for an inventory because their scans are better than the CMDB itself. But my thing is like it doesn't give you any business context, it just gives you an IP address and an asset type. So how are you, how have you pushed your teams to truly understand, document, and have a have a way to perpetually understand what's on those assets to help you get to that risk-based vulnerability?
SPEAKER_00: So, first,
CMDB Gaps And Metadata Context
SPEAKER_00: I'm I'm gonna give you a ringing endorsement for that statement about the vulnerability management database being better than CMDB. It absolutely is. The CMDBs are typically very static and they're outdated before you even look at them. The vulnerability management database will be very dynamic. It's gonna, if if you're doing it well, you're doing it right, it's gonna capture all of the things that do business on your network, and it's going to have context around it, where those things are located and how they're used. Now, there's there's uh there's this thing called metadata that associates or that you could associate with uh with different objects, especially dynamic objects that come from cloud. As you generate those objects, you can tag metadata with them, and that gives you the context so that you can read, so that you have really a more dynamic inventory, something that you can use to solve problems faster.
SPEAKER_02: Oh, that makes sense. Excellent, excellent. So talk about, you know, again, I like the go-between. How do you really bring the business along to help with like prioritization? Because to your point earlier, there's no shortage of things, and you've got the VRM database, the CMDB. What are some challenges and how'd you kind of overcome the prioritization, you know, uh conversation and challenge?
Trust Building That Unblocks Risk
SPEAKER_00: It's uh it's funny. The more technical you become, the more human characteristics matter, matter, excuse me. Um we we really need to go face to face with our business partners. We need to talk to them and gain their trust. We need to understand their pain points, and when we can, we need to help to remove them, right? There are going to be times where we're held up. Uh I'm thinking of an example. One time, we were held up for years with one of our largest customers because they insisted on an inferior uh cryptographic method for file transfer. Um that was the that was always the message back from the business. They insist, they insist, they insist. How about we get together with them? I'll go with you and we'll talk. And what we found was that their information security group was frustrated with us because we insisted on using that uh that inferior method. There was some miscommunication there between all of us, this big telephone game. But I sat in that meeting with that vice president and we worked through with the information security group, no blame, no shame, right? We just worked through how to get this done, and we had done uh we we fixed a three-year problem in a 30-minute call. That that gained me so much credible credibility with that vice president and her staff that when I went to them for other things, I could get I could get the meeting, I could get the call, right? And you know, tell me what you need fixed most or what you need to have available most. I could get those things answered quickly because they trusted me.
SPEAKER_01: Yeah.
New CISO Triage For Vulnerability Overload
SPEAKER_01: So let's assume, let's let's let's do a hypothetical scenario. You're a new CISO in an organization, you're 22 days in, you've done one-on-ones with all your staff, you've addressed the full team, now you're starting to look at your roadmap, potential priorities, things like that. Executive comes to you, maybe your boss, maybe one of their executives on the governance team, and they say, Dave, VRM has been a problem for us. We have thousands, hundreds of thousands of vulnerabilities. Um, I saw in your resume that you've dealt with this at another big company at uh Elevance. Where where do you start? How do you unpack it? How, you know, there's a lot of people in this situation. So I think how how would you process going from giant disaster, we don't know what we're doing, we've got unmanaged vulnerabilities, a lot of data, a lot of scans. Where do you start?
SPEAKER_00: That's happened to me uh on multiple occasions, as a matter of fact. And and really the first thing you have to do for that executive is you have to help them to understand that it may not be as bad as it looks. And that that that sounds a little counterintuitive, but as we look at that giant stack of multiple millions of vulnerabilities, we may find that if we we put this lens of who, what, when, and why on that stack, who uses the system, what does it do, why do we need it, what does it serve? Right. When we understand those things about that giant stack of data and we start discarding the things or pushing to the side the things that matter less, we come down to a kernel of a very significantly lower percentage of issues that need to be solved right now. We have really deadly issues that are being masked by this big peanut butter spread that I was talking about before. And so really it's about helping that executive to understand that the mass isn't the problem. It's hiding the problem, and we need to find that.
SPEAKER_01: So what if the organization says, yeah, our CMDB sucks like we talked before? Um, our tools aren't necessarily giving us that context or that metadata. How have you helped organizations get that business context so they can do the slicers to be able to narrow that down?
SPEAKER_00: You know, we talked about military experience earlier. This is a place where military experience really serves me. I uh I look at organizations as total, and then I like to look from the outside in. And so black box assessment, like continuous black box assessment, walking the wire of the organization, making sure you understand where it does business, how it makes money, what's critical, and protecting those things first. So you walk the wire, make sure that those things are happening. You do continuous black box assessment. So from the outside in, you're looking at the enterprise to find everything you can and you protect those things first. While you're doing that, you're also building from the inside out to meet in the middle.
SPEAKER_01: So how do you coach a team that maybe hasn't done that yet? Maybe they're not as business savvy. Obviously, you can do what you can do, but you've got a thousand other priorities as well. How do you coach them to shift their mantra from being focused on throwing technical switches and doing follow-ups and tickets to walk in the, what is walking the wire?
Coaching Teams Beyond Tools And Tickets
SPEAKER_00: That's a great question. And and I think it's about story, right? We have to change the story for the team. We need, we need the vulnerability management team or the information security team, or whatever team that is, we need them to understand that they're part of the greater whole. Many times we we say this, we get a lip service, we care about what's going on, but really we care about the vulnerability or the checkbox or whatever that is. That's that's not serving the business. We need to be part of the greater whole, and so we need to change the story. One of the ways I like to do that is by comparing a business to a race team. So we're all part of the same team, right? We want to win races, don't we? We want to have the best business, don't we?
SPEAKER_01: I like to be fourth place. No, I'm just kidding.
SPEAKER_00: I was saying, and you still have to race hard to be fourth place, though. The thing about it, though, is we're all part of that team. And the interesting thing about the most close uh analog to us in racing is probably the safety team, right? The safety team does fire suits, helmets, brakes, right? All of those safety devices that you put in the car, not one of those devices is put there to slow the car down. Everything is put there so that the team can find the edge, the absolute edge of performance, so that they can do their best every day and go win, right? If information security were tuned like that, if there was no stop sign in front of the business, how fast could we go?
SPEAKER_01: Yeah. So so how do you tune up a team that you're walking into cold that maybe hasn't gone through that revolution yet? What's the, is it is it um months of of coaching and coach up? Uh is it experiential learning? How do you how do you how do you get a team there?
SPEAKER_02: It's it's the hat first. He comes in with the television hat.
SPEAKER_00: So the the funny story there is that doesn't work. Um I uh I I know from that that understanding people thing and understanding how to tune that you you can't go and be an authoritarian leader in an information security group, in a in a group of highly intelligent professionals that know more about things than you do. And they do, right? And so really it's about that story. It's about getting buy-in, it's about continuous improvement and innovation. There's there's small-i and little-i innovation, small-i and big-I innovation. Big-I is that big world-changing thing like iPhone, right? Small-i is all the things that you do to make the organization run faster. It's it's moving this process forward. It's it's hearing those small voices down the assembly line or off in the information security team and the configuration management team, hearing them tell you how they could do their job better, and then helping them to do it, right?
SPEAKER_02: So you've talked about two things here I want to kind of bring together. You mentioned the kind of tools and technical switches earlier, and you just hit a big thing on like processing people and kind of that um adoption area. And you you were at Elevance for 15 years, which you know, like in security is like dog years, right? So that's what, 105 years in security tooling world now?
SPEAKER_00: Is that way sometimes?
SPEAKER_02: You know, you know, but to your point, so you I you see a plethora of tools that come out with like it'll do this for you, it's this good, this is the new tool. Would you rather have a $1 million security VRM tool with a zero dollar budget for OCM and process improvement, or a quarter million dollar tool with a $75,000 budget to do OCM and process updates?
SPEAKER_00: You you probably already know my answer. I uh I don't think tools matter as much. I think that the practice, the application, and the people that apply those things matter more. And so I would add a training budget to that. And I would I would make sure that I was spending that training budget helping to lift those staff up so that they understood not that they were a tool user, that they were a vulnerability specialist, that they needed to know how to find vulnerabilities and get them fixed, either native with, you know, living off the land, or with this tool that makes it a little bit easier, right? I want I want my professionals to be true professionals. Network security professionals are network security professionals. They're not Check Point firewall jocks, right? A network security professional should be able to parachute into any position on any network team and add value, right? That means they understand networking. That means that they understand that what this says in Check Point is this in Palo Alto, right? Or whatever other tool that you might use. A real true professional understands why we fix things.
SPEAKER_01: So let's go back in time 105 dog years in cyber, and maybe we'll do the Wayne's World.
Career Advice Plus Mustang Fun Fact
SPEAKER_01: Let's let's call, let's let you, let's, you're gonna make a call to yourself 105 dog years ago, early career Dave. What is uh adult Dave telling pre-adult Dave about what you're gonna, you know, how to navigate, maybe avoid some mistakes that you made, or just do things earlier that you found out later in your career?
SPEAKER_00: So first I'm gonna tell them to lay off the Oreos. All right. Poor advice, man. At least cut down, right?
SPEAKER_01: I saw that they have the new uh Oreo Thins, which must be calorie-free.
SPEAKER_02: Well, absolutely. Wait, wait, hold on. I would pause this. Are you are you an Oreo Thins? I'm I'm a I'm a Double Stuf. I can't go thin, man. If you just, you might as well just forget the whole thing.
SPEAKER_00: I think it's it's treating them like a treat, like they're supposed to be, and maybe not breakfast. So anyway, uh I would tell them to lay off the Oreos. The next thing I would say is that um don't be wowed by the the Nito Frido stuff. Don't don't get caught up in the glitz and glamour. Understand that practice and process and capability matter significantly more than all the shinies.
SPEAKER_01: So maybe for the architect or the technologist listening, how do you help them see the value of themselves as a technologist by getting more process-oriented if they're a little too tool heavy?
SPEAKER_00: So there's a talk from a gentleman that I I listen to frequently, Mike Bechtel. He did this in 2024, South by Southwest. It's called uh uh Width is the New Depth, I think. And what it amounts to, especially for architects and technologists, is there there is uh a growing need for you to be able to understand space around you much, much further, right? You need to be a learn-it-all, not a know-it-all. And what I what I really want people to be in touch with is where to find accurate information and how to action it, right? And that's that's threat information, certainly, but it's also information about use of tools or new tools or new incidents or or things that happen in the environment. Um so we really want to get wider as technologists. We want to be able to use the things around us like AI or like automation or any of these wonderful tools that we have access to now. Any of those things should serve us. We should be able to be wider and understand better how the information security product fits into the overall product of the organization. Awesome.
SPEAKER_01: Yeah. Cody, why don't you bring us home with your your wild and crazy personal question? Oh, yeah. Here we go. You ready? Okay. So we have those seatbelts, right?
SPEAKER_02: Yeah. A lot of it's first time here meeting me, Dave, on the show and everything. But what's what's one fun fact that someone who, even those who know you for a couple of years, may not know? Would it be a fun, fun fact? Is it a hobby? Is it a talent? Uh give us a fun fact about Dave Sims.
SPEAKER_00: I I um I think I'll go with the safe one. I'm I'm a Mustang fanatic for many years. I could I can listen to a car, look at a car, tell you what it's equipped with, probably, and give you a rough estimate of the horsepower rating of that Mustang. Uh from, you know, from '64 all the way up to current.
SPEAKER_01: Can you do one of the ro uh radio show gags where you honk the horn and can tell the make, model, and color? I'm pretty sure that's fake. I heard that on a local radio station.
SPEAKER_00: I could look at a Fox Body Mustang and tell you how many horsepower it has by year. Okay. I can't listen to the horn.
SPEAKER_02: Okay. That's pretty cool. Well, thanks again, sir, for joining us. We appreciate it. And uh the poorest thing around more.
SPEAKER_00: It was a great talk. I really appreciated the opportunity. Thank you.