


























As the CEO and co-founder of Vicarius, Roi Cohen leads a cybersecurity company that provides exposure management solutions for enterprises.

getty
In every environment I’ve worked with, there are always systems you can’t patch. Sometimes it’s because a vendor hasn’t released a patch. Sometimes it’s because of legacy systems that cannot have patches applied. Sometimes it’s a dependency chain you can’t untangle without risking downtime. And sometimes the cost of touching production is simply too high.
But the risk is still there while you figure it out—or don't.
And in many cases, that “temporary” delay becomes the default. A known vulnerability sits open, not because teams don’t see it or ignore it, but because they’re out of safe options and push it into their backlog.
The problem is only compounding as modern work environments become more interconnected and more fragile. Cloud services, SaaS platforms and legacy systems now coexist in ways that increase both dependency and risk. With that complexity comes tighter change management, more approvals and a lower tolerance for disruption.
At the same time, the window for attackers keeps shrinking. What used to take days can now happen in minutes. Remediation timelines, however, haven’t kept up. They’re still governed by operational realities: testing cycles, cross-team coordination and the very real fear of breaking something critical.
This is not just a technical gap, but an operational one too. Which is why we need to rethink how remediation actually works in practice.
Remediation is no longer a single action. It’s a set of options teams choose from based on what’s possible in the moment. When a vulnerability appears, teams effectively ask:
Can we patch this without introducing risk?
If not, how do we reduce exposure in the meantime?
That second question is where most teams get stuck because they haven’t operationalized what “next best” actually looks like.
When a patch isn’t viable, teams are forced to look elsewhere: scripting temporary fixes, adjusting configurations or applying runtime protections that block exploitation without changing the underlying code.
What I see across organizations is a gradual but important shift in mindset. Teams are moving away from waiting for a clean, permanent fix before acting. Instead, they’re focusing on reducing exposure continuously, using whatever reliable controls are available to them at the time. That often means creating a culture that accepts that the first step might not be perfect, but should be effective enough to lower risk immediately.
There isn’t a single “right” way to remediate. Most teams rely on a combination of approaches, depending on the system, the risk and the constraints around it.
Patching is still the most complete and reliable fix. But in real-world environments, patching isn’t always immediate. It requires testing, coordination and often a maintenance window that’s hard to justify on short notice. That delay is where risk starts to build.
When patching isn’t practical, teams often turn to scripting or configuration changes. This might mean restricting access, disabling vulnerable components or applying temporary fixes that reduce the attack surface. It’s a fast and flexible way to respond without waiting for the ideal conditions. The trade-off is that these fixes need to be tracked and revisited or temporary workarounds can become a permanent risk.
Another approach is to prevent exploitation at runtime. Often referred to as virtual patching or patchless protection, this involves controlling how applications behave in memory, limiting API calls or blocking known exploit paths. And while it doesn’t remove the vulnerability, it mitigates the risk of exploitation, buying teams time to remediate the vulnerability. This is especially critical for legacy systems, high-risk production environments or assets that simply can’t be patched on demand.
The most effective teams don’t rely on a single remediation path. They understand all the options available to them and their trade-offs, and use them in combination to reduce risk as quickly as possible.
Patching remains essential. But treating it as the default—or only—path to remediation assumes a level of control and speed that most organizations simply don’t have. In a threat landscape where exploitation timelines are measured in minutes and remediation still takes weeks, waiting for the “right” fix can leave too much room for exposure to grow.
In practice, resilience comes down to having options and knowing how to use them when it matters.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。