But the tests have since been administered and the debate largely settled: risk-based cybersecurity produces proven results. The data shows that risk-based vulnerability management (RBVM) programs allow companies to get measurably better results with less work. Extrapolating from there, it’s possible to make a broad case that risk-based programs are a necessary component of enterprise cybersecurity.
It wasn’t always easy to make this case. To understand how risk-based security has answered its critics, we must review a bit of recent history.