May 20, 2026

What “Due Care” Actually Means in Vulnerability Management

Jeremiah Grossman


The business, the group paying the cybersecurity bills, wants to prevent breaches. More precisely, it aims to prevent breaches that result in material financial loss.

One of the most common ways an organization gets breached is through the remote exploitation of a vulnerability on its external attack surface. The challenge is that most organizations carry a vulnerability backlog far larger than they can realistically fix, now or ever.

So when a breach inevitably happens, the board of directors, on behalf of the business, will expect an explanation from the security team for how and why it occurred.

The honest answer usually sounds like this: the vulnerability management team has a process to consistently patch issues based on risk, but hadn’t yet reached the one that led to the breach. It was in the backlog, likely at a lower priority. 

From the board’s perspective, that translates to something much simpler: the team knew about it, and it didn’t get fixed in time. No one is satisfied with that answer, but it’s often the best any organization can offer. And that’s a big problem that needs solving.

There’s a tendency in cybersecurity to assume the board’s first instinct is to fire the CISO as a scapegoat. In practice, that’s not what most boards want or are incentivized to do. They don’t want to admit they hired the wrong person for the job if they can avoid it. Firing the CISO signals that the company failed and is now trying to course-correct.

What the board prefers is a defensible position they can rely on with shareholders, customers, and the media. A way to express and demonstrate “due care.” A clear, credible explanation that the organization was doing everything that could reasonably be expected, and that sometimes, despite that, bad things still happen.

That’s far more valuable for protecting shareholder value, maintaining customer trust, and preserving insurance coverage.

Which leads to the real question: what does “due care” look like in vulnerability management?

It can’t mean fixing every vulnerability immediately across all systems at all times. The cost of doing so would far exceed the value of the process. That’s not just unrealistic; it’s impossible for most environments and prohibitively expensive at scale. Even narrowing the scope to just critical and high CVEs quickly becomes impractical for larger organizations. Smaller environments can sometimes keep up because the attack surface is limited and manageable. But as the organization grows, complexity compounds, the surface expands, and the model breaks down quickly.

A more defensible answer is this: “The vulnerability management team continuously monitors all Internet-facing assets for the subset of vulnerabilities known to be exploited in real-world breaches and tied to financial loss, and we remediate those immediately. And we did. However, we were among the first to be impacted by this vulnerability, and going forward, this is added to our defenses.”

Then, if a breach still occurs, the explanation changes. It becomes: “We were among the first to be impacted by this vulnerability.”

Bonus points if the incident was detected quickly, contained just as fast, and the impact was minimized.

This positioning is far preferable to a board because it shows discipline, prioritization, and alignment with real risk. Instead of looking negligent or overwhelmed by a backlog, the organization can demonstrate that it focused on what actually matters and acted decisively. It turns the narrative from “we missed something obvious” into “we did the right things, were caught early in a never-before-seen attack, and got unlucky.”

That’s defensible to shareholders, customers, regulators, and insurers. It preserves credibility, reduces perceived negligence, and keeps the focus on response quality rather than blame, which is exactly how teams stay trusted and employed.

Evidence Scan is free for enterprise companies to preview.