5 Key Takeaways: A Conversation with Matthew Hurewitz

Jordan Bowen
Head of Marketing

We recently had a conversation with Matthew Hurewitz, Director of Platforms and Application Security at Best Buy, on remediating cloud vulnerabilities and misconfigurations. Here are the 5 key takeaways from our chat:

1. Teams experience ‘5 Stages of Grief’ in Risk Remediation

When remediating cloud vulnerabilities and misconfigurations, teams often experience a process akin to the five stages of grief. This analogy, as discussed in the webinar, reflects the emotional journey security and DevOps teams undergo when addressing risks on a daily basis, particularly in large enterprises with complex environments, a high volume of incoming risks and frequent organizational changes.

While today’s tools have gotten really good at identifying cloud risks, there are still a lot of manual steps that need to happen in order to actually do something about them. First, analysts need to understand the nature, severity, and potential business impact of the identified risk or vulnerability. This requires a lot of organizational context that, in many cases, is not readily available. From there, a lot of coordination needs to happen with other internal teams, such as DevOps and engineering (the teams that can actually apply the fix). Further, depending on the finding’s potential impact, it also needs to be escalated up the chain to ensure it gets prioritized. Sometimes, if relationships are well-established, the fix might be implemented quickly, but the process varies widely depending on the context and complexity of the situation and is generally time-consuming and difficult to navigate.

2. Achieving a Meeting of the Minds Is a Top Remediation Challenge

When discussing the major blockers to remediating risks efficiently, Matt highlighted achieving a “meeting of the minds” as the biggest challenge, closely followed by the difficulty of finding the best path to resolution.

  • A meeting of the minds: One of the biggest challenges in getting risks prioritized for resolution within an organization is the complex communication chain. It often requires extensive teaching, listening, and navigating through different levels of authority. A senior engineer may direct you to their manager, but even after gaining their support, you may need to escalate to higher levels of leadership. This can make it difficult to find the right decision maker, especially in large organizations. Ensuring alignment, or a “meeting of the minds,” is crucial but is often a very time-consuming and challenging task.
  • Finding the best path to resolution: Finding the right solution for a vulnerability can be tricky, especially when the recommended fix isn’t always feasible in your specific environment. For example, while vendors may provide straightforward guidance, implementing it might not always be possible due to unique system constraints. The challenge then shifts to identifying whether to apply a mitigating control or a permanent fix that suits your environment. This requires collaboration with different teams and stakeholders, each responsible for implementing different solutions to either fix or mitigate the problem.

3. The Cost of Remediation = Time, Resources and Missed Opportunities

Quantifying the cost of remediation and tracking it over time can be incredibly complex due to the many variables involved. However, doing so presents a compelling business case for implementing changes that drive efficiency. When breaking down the cost of remediation, we discussed both the direct and opportunity costs associated:

  • Direct costs: This includes budget and resources allocated to addressing vulnerabilities. These costs grow when inefficiencies arise, like the need for multiple meetings to align stakeholders and research solutions. Matt gave an example in the webinar of what this might look like. If it takes 3-4 meetings, with each meeting involving 3 to 5 attendees, just to gain alignment on a single issue, that could amount to 20 person-hours dedicated solely to this effort. If you calculate this based on an average rate of $150 per hour, that results in approximately $3,000 for just one vulnerability. Considering organizations often face hundreds or even thousands of vulnerabilities, the cumulative costs can be substantial. While not every vulnerability requires such a time-intensive and expensive approach, many do.
  • Opportunity costs: When understanding the cost of remediation, you also have to think about opportunity costs. The question becomes: What opportunities are being missed while teams are focused on resolving vulnerabilities? When teams are forced to prioritize remediation efforts over other strategic or revenue-generating initiatives, it can become a problem for the business, especially as organizations face tighter budgets and workforce reductions.

4. Threats, Market Pressures, and Cost Savings Drive Change

When it comes to driving change and making investments that enable more efficient risk remediation programs (e.g. implementing new processes or technologies), newsworthy threats, market pressures and cost reduction were discussed as key driving factors.

  • External market pressures and high-profile threats: While not the most proactive, the urgency to address something is often driven by vulnerabilities in the wild, security threats that dominate the news, and emerging market trends, such as the rapid adoption of new technologies like AI and LLMs.
  • Operational cost reduction: Given that risk remediation places significant demands on teams outside of security, such as DevOps and engineering, showing concrete metrics like hours saved or cost reductions can justify and drive investments. In this case, more efficient remediation can drastically reduce operational costs and free up valuable time for engineers to concentrate on other projects.

5. Efficient Risk Remediation Programs Require Alignment and Consistent Tracking

When asked about two key changes Matt has implemented to enhance the efficiency of risk remediation programs, he highlighted the importance of ensuring alignment and clear roles and responsibilities, as well as the necessity of consistent tracking to accurately identify where improvements and investments should be made.

  • Ensuring alignment and ownership: Being aligned with engineering counterparts requires mutual accountability and clear roles. A culture must be fostered where engineers understand their responsibility in securing the business (whether that’s preventing vulnerabilities from reaching production or remediating those that do). For example, by implementing release blocking practices, organizations can encourage engineers to prioritize secure coding and recognize the impact of their work on overall security.
  • Consistent tracking: Consistently measuring risk remediation processes reveals surprising insights about time and resource allocation. Many organizations operate on assumptions, but quantifying efforts provides clarity on how often vulnerabilities occur and the actual costs involved. By tracking the process, even for just a week, you can start to uncover the extent of the issue and develop a compelling business case for prioritizing remediation efforts.

If achieving a new standard for cloud risk and vulnerability remediation is something you’re working towards, learn more by visiting our website or request a demo to see the ZEST platform in action.

We're excited to announce that ZEST Security has been recognized as a vendor in three Gartner Emerging Tech Impact Radar reports this year: Emerging Tech: The Future of Exposure Management is Preemptive, Global Attack Surface Grid, and Preemptive Cybersecurity.

As organizations face increasingly complex threat landscapes, the need for preemptive exposure management, dynamic attack surface reduction, and automated security assessment has never been more critical.

Understanding the Gartner Emerging Tech Impact Radar

Gartner's Emerging Tech Impact Radar helps organizations identify and evaluate emerging technologies that could significantly impact their business operations. These reports assess technologies based on their potential transformative impact and adoption timeline, providing IT and security leaders with crucial insights for strategic planning.

Being featured in three separate reports confirms that ZEST Security is positioned at the forefront of multiple emerging technologies that are fundamentally reshaping security operations, enabling organizations to move from reactive vulnerability management to proactive, automated risk prevention.

ZEST Security in Emerging Tech: The Future of Exposure Management is Preemptive

In June 2025, ZEST Security was recognized in Gartner's Emerging Tech: The Future of Exposure Management is Preemptive report, underscoring the industry's recognition of our approach to transforming how organizations manage security exposures.

The Problem with Reactive Exposure Management

Traditional exposure management creates a perpetual cycle of detection and remediation that leaves organizations constantly playing catch-up. Security teams face thousands of identified vulnerabilities with no clear prioritization, alert fatigue from tools lacking context, and resource constraints that prevent them from addressing an ever-growing backlog.

What is Preemptive Exposure Management?

Preemptive Exposure Management shifts the focus from cataloging existing vulnerabilities to preventing them. This approach enables organizations to anticipate exposures before they become exploitable, maintain continuous real-time visibility, prioritize based on actual business risk rather than theoretical scores, and receive automated remediation guidance.
The result? Teams stay ahead of threats instead of constantly responding to them.

ZEST Security in the Global Attack Surface Grid Report

Dynamic Attack Surface Reduction in Action

Building on preemptive exposure management, Dynamic Attack Surface Reduction actively and continuously minimizes the points of potential compromise across an organization's digital infrastructure. Unlike periodic assessments that quickly become outdated, this approach provides continuous visibility and enables real-time reduction of security exposures.

The Modern Attack Surface Challenge

Cloud infrastructure, remote work, third-party integrations, shadow IT, and connected devices have expanded the enterprise attack surface exponentially. Organizations struggle with unknown assets creating blind spots, daily infrastructure changes introducing new exposures, and hybrid multi-cloud environments that are difficult to monitor comprehensively.

ZEST's Solution

ZEST Security provides continuous visibility into your attack surface with context-driven insights that help teams understand which exposures pose the greatest risk. By automating identification and assessment, we enable organizations to maintain an optimized security posture even as infrastructure evolves, aligned with our preemptive approach to identifying and addressing risks before exploitation.

ZEST Security in the Preemptive Cybersecurity Report

Automated Security Control Assessment

Automated Security Control Assessment evolves security from manual, point-in-time evaluations to continuous, automated validation of security controls. Organizations can verify their defenses are functioning as intended without the delays and resource requirements of manual testing, shifting from detecting and responding to breaches to preventing them.

The Challenge: Too Much Data, Not Enough Context

Security teams don't lack vulnerability data—they lack the ability to make sense of it. Organizations deploy numerous tools that identify thousands of potential issues, but without context, teams can't determine which vulnerabilities pose genuine risk or how to prioritize remediation.

ZEST's AI-Powered Solution

ZEST Security bridges this gap with AI-powered analysis that translates vulnerability data into actionable remediation pathways. Our platform continuously validates security control effectiveness, identifies coverage gaps before exploitation, prioritizes based on actual risk exposure rather than just scores, and automates assessment workflows that would otherwise consume significant manual effort.

A Comprehensive Preemptive Security Strategy

These three Gartner reports address complementary aspects of a unified goal: reducing organizational risk before breaches occur.

Preemptive Exposure Management establishes the foundational philosophy of staying ahead of threats. Dynamic Attack Surface Reduction minimizes exposure points across your infrastructure. Automated Security Control Assessment validates that defenses protecting those exposure points function effectively.

Together, they create a complete preemptive security lifecycle:

- Anticipate potential exposures before they become vulnerabilities
- Minimize attack surface by eliminating unnecessary exposures
- Validate that security controls function as intended
- Remediate issues that pose actual business risk

ZEST Security's recognition in all three reports reflects our holistic approach. We provide the context and guidance needed for effective action across the entire security lifecycle.

What This Means for ZEST Customers

This triple recognition validates the strategic value our platform delivers:

- Preemptive operations: Move from reactive firefighting to proactive risk prevention across all security aspects.
- Continuous visibility: Understand your attack surface, exposures, and security posture in real-time, not just during periodic assessments.
- AI-powered intelligence: Process security data at scale and identify what matters most.
- Actionable guidance: Get clear remediation pathways, not just alerts and scores.
- Integrated platform: Address exposure management, attack surface reduction, and control validation in one solution.

Industry Validation

ZEST Security's inclusion in three Gartner Emerging Tech Impact Radar reports within six months signals a broader industry shift toward preemptive security. Organizations increasingly recognize that traditional reactive models can't keep pace with modern threats driven by cloud adoption, DevOps practices, remote work, and sophisticated attack techniques.

Gartner's focus on these capabilities in their emerging technology research indicates they're becoming essential requirements for effective risk management, not optional add-ons.

The Future Belongs to Preemptive Security

As threat actors grow more sophisticated and attack surfaces expand, organizations can't rely solely on detection and response. The future belongs to security teams that proactively identify and eliminate risk before breaches occur.
ZEST Security continues innovating at the forefront of this evolution, developing capabilities that help security teams work smarter, reduce risk, and protect their organizations more effectively through intelligent automation, continuous assessment, context-driven prioritization, and preemptive action.

Get Started with ZEST Security

Ready to implement preemptive exposure management, dynamic attack surface reduction, and automated security control assessment? Our free AI-based remediation risk assessment provides a practical starting point for understanding your current security posture and identifying priority improvements.

Try our free remediation risk assessment today and shift from reactive to proactive security operations.
