Why patching SLAs should be the floor, not the strategy

Source: CISOs step into the AI spotlight | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4169623/why-patching-slas-should-be-the-floor-not-the-strategy.html

ONE SENTENCE SUMMARY:

Patching SLAs create compliance theater by rewarding easy fixes, while true cyber risk persists in hard-to-remediate legacy, architecture, and control gaps.

MAIN POINTS:

  1. CISOs often recite green SLA metrics while significant unresolved vulnerabilities remain.
  2. Quickly closed criticals are typically inexpensive, low-friction remediation tasks.
  3. Difficult issues linger: legacy systems, architectural flaws, identity misconfigurations, and unsupported platforms.
  4. Governance and reporting overemphasize SLA compliance, masking concentrated high-impact exposures.
  5. SLA performance indicates ticketing discipline, not actual security risk reduction.
  6. Fire-drill analogy: repeated success doesn’t prove resilience against unscripted incidents.
  7. Boards can be misled when the riskiest failures live inside the “small” noncompliant percentage.
  8. Expressing cyber risk in dollar terms changes executive prioritization and funding discussions.
  9. Exception processes often become paperwork, letting exposure disappear from dashboards without mitigation.
  10. Meaningful remediation needs capital/opex investment justified by quantified risk reduction.

TAKEAWAYS:

  1. Reframe SLAs as minimum hygiene requirements, not primary vulnerability program success metrics.
  2. Prioritize trending quantified residual risk by business service over raw closure percentages.
  3. Require risk acceptances to include loss exposure, review cadence, and funded remediation plans.
  4. Use attacker-speed evidence (e.g., DBIR, KEV) to challenge long patch timelines for hard changes.
  5. Accept imprecision in CRQ estimates because actionable dollars beat misleading green scorecards.
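As an added illustration, not code from the article or its author, the following Python model puts numbers to the argument: a constructed finding ledger where the SLA scorecard reads 90% while nearly all open dollar exposure sits in the overdue minority, together with the acceptance check from takeaway 3. Service names, dollar figures and field names are constructed assumptions.

```python
# Added example, not from the article: a toy finding ledger where a green SLA
# score hides concentrated dollar risk. All names and figures are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Finding:
    service: str              # business service the affected asset supports
    days_open: int            # days to close, or current age if still open
    sla_days: int             # remediation window for this severity
    closed: bool
    annual_loss_usd: float    # rough CRQ estimate of expected annual loss while open
    accepted: bool = False    # a risk acceptance exists for this finding
    loss_stated: bool = False # ...and it states the loss exposure
    review_date: str = ""     # ...and it carries a review date (empty = none)
    funded_plan: bool = False # ...and remediation is funded

# Constructed sample: many cheap criticals closed in days, one open item inside its
# window, and two hard findings (legacy payments, an HR portal) well past their SLA.
FINDINGS = (
    [Finding("web-storefront", 3, 14, True, 20_000) for _ in range(17)]
    + [Finding("web-storefront", 5, 30, False, 30_000)]
    + [Finding("payments-legacy", 210, 14, False, 2_500_000, accepted=True)]
    + [Finding("hr-portal", 40, 30, False, 50_000, accepted=True,
               loss_stated=True, review_date="2025-03-01", funded_plan=True)]
)

def sla_compliance(findings):
    """The scorecard number: share of findings handled within their SLA window."""
    return sum(f.days_open <= f.sla_days for f in findings) / len(findings)

def residual_exposure_by_service(findings):
    """Open dollar exposure per business service, the figure worth trending."""
    totals = defaultdict(float)
    for f in findings:
        if not f.closed:
            totals[f.service] += f.annual_loss_usd
    return dict(totals)

def overdue_share_of_exposure(findings):
    """Fraction of open dollar exposure that sits in the SLA-breaching minority."""
    open_usd = sum(f.annual_loss_usd for f in findings if not f.closed)
    overdue_usd = sum(f.annual_loss_usd for f in findings
                      if not f.closed and f.days_open > f.sla_days)
    return overdue_usd / open_usd if open_usd else 0.0

def weak_acceptances(findings):
    """Acceptances lacking stated loss, a review date or a funded plan (paperwork only)."""
    return [f.service for f in findings
            if f.accepted and not (f.loss_stated and f.review_date and f.funded_plan)]
```

With this ledger the SLA figure is 0.9, yet about 99% of open exposure is in the two overdue findings, and the payments-legacy acceptance is flagged because it carries no loss figure, review date or funded plan.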