The Cassandra CISO - Why is remediation still manual?

Jacob Henricson
Co-founder and CEO

In my years as a CISO, I have met many, many security software vendors, and even worked on a few myself (including what I do now). I have heard all the pitches and tried many different good (and bad) security tools in my career, but have never - until now - reflected on the fact that almost none of them target remediation.

Cybersecurity is one of the few sectors in the world where spending has grown by more than 15 % for the last 20 years. And for good reason. As more and more of our world becomes digital, attacks have larger and larger consequences. Because of this, saving money on security is not an option for the world.

But where does the money go?

The cybersecurity spending split

If we un-delicately, with a blacksmith's hands, tried to split cybersecurity spending into three sectors, we would roughly get: detect, prioritize and remediate.

  • Detect is where we find our weak spots, our vulnerabilities, our credential leaks, our code… mistakes, our darknet secrets. It is a software market valued at around $50 billion. It includes vulnerability scanners, code security software, static and dynamic application security testing (SAST/DAST) tools, external attack surface management (EASM) platforms, continuous network monitoring systems and cloud-native application protection platforms (CNAPP).

  • Prioritize is where we attempt to make signal out of noise. What do we prioritize out of all those alarm bells going off? This market is nascent and much smaller. Valued at around $2.5 to $3.5 billion, it is growing rapidly by 20+% each year. It includes software like breach and attack simulation (BAS), risk-based vulnerability management (RBVM) and continuous threat exposure management (CTEM) platforms.

  • But Remediate is very low on software and automation support.

Why is that? Remediation should be the most important area of all, and it is!

If you know what will happen, but you are unable to do anything about it, then you become a Cassandra* version of a CISO - you can predict the future but you don’t have the ability to change it.

And this is indeed what happens. From Maersk to SolarWinds, the verdict after the incident is often: the risk was known, why didn’t you do anything about it? CISO burnout is a “thing”, and a lot of that probably comes from the fact that you are aware of major risks, but as the days go by, you become increasingly stressed from not being able to close them.

Why remediation software has failed (until now)

So a software vendor that offers remediation should be welcomed with fanfare and open arms. But looking at that market, almost no software exists! Sure, we have smart firewalls blocking IOCs and EDRs isolating servers and laptops, but they are obviously not enough.

Although many have pitched remediation software during the years, I have never (before now) been a believer in software of this kind. Why?

It boils down to three main problems:

  1. Remediation is hard!

To start with, it is hard to remediate without context. What happens if we patch server X, will something break? Sometimes our customers’ platforms are on an old version of Windows, which means we can’t patch until they upgrade. And oftentimes the context is simply unknown, prompting weeks of investigation before anything can be (or is) done. Which leads us to the second problem:

  2. The one who owns the problem is rarely the one who owns the solution.

Every time a CISO receives a pentest report, the clock starts ticking. After six months without closing the findings, the heat in the oven is getting hot. But on the receiver side, there are all kinds of delaying tactics: “Is it really a problem?” “Can’t we find another solution?” “Problem Y in my sister unit is waay worse than this one, you should go after them instead.” And a lot of the time they are right: finding a vulnerability is easy, but proving that it can actually do harm has been very difficult.

  3. The third problem is that not all things can be patched.

OT environments and COBOL infrastructure are often so fragile and outdated that even a scan runs the risk of taking out the water supply of a major city or disrupting international payment flows. Throwing up an SD-WAN and hoping for the best is often the only option, but even that requires context and diligence. So it takes time.

All these things make remediation political and complex. Which means it has to be handled between humans. And sure enough, where automation is lacking, the consultants take over.

The Turning Point: Enter LLMs

A few years ago I met with one of the largest IT managed services suppliers in the world and asked them what the typical security problems they saw with their customers were: “Lots and lots of unpatched, critical vulnerabilities”. I believe that we are generally better now, after years of relentless attacks from ransomware gangs, but LLMs are changing the playing field again. Mythos and other models are renowned for finding vulnerabilities at an alarming rate.

But the LLMs don’t just create risks, they help address them.

  • LLMs are really good at context (as long as you help them navigate large environments).

  • LLMs are good at taking advanced problems and explaining them to someone based on their knowledge level.

  • They know almost everything about every IT product and piece of software and can guide a user in advanced settings and configurations, even though the user is not an expert.

  • They learn (with some guidance) what the most critical features of any context are, and can remember that going forward.

Moving Beyond the Cassandra Trap

After years of sitting on the buying side and hearing every pitch imaginable, I have come to believe that the vendors who will matter most in the next decade are not the ones who find more vulnerabilities faster, but the ones who help organizations actually close them. That is a harder problem than detection: it requires deeper context than any scanner can provide, and it has resisted software solutions for thirty years.

At NRDSNIPE we built Hedgehog because we think the conditions have finally changed. The LLMs that are accelerating the attacker side are the same ones that can, for the first time, hold enough context to make automated remediation guidance credible.

We want to take CISOs out of the Cassandra trap. Come see if we managed it.

*The Cassandra Complex is a psychological and sociological phenomenon where an individual accurately predicts a crisis or negative future event, but is entirely disbelieved, dismissed or ridiculed by others.