Cloud Security Podcast

chevron_right

Vulnerability Management vs. Exposure Management

whatshot 10 snips

Feb 6, 2026

Guest

Brad Hibbert

Brad Hibbert, COO and Chief Strategy Officer at Brinqa with 20+ years in security, talks about the shift from traditional vulnerability approaches to exposure management. He covers cloud-driven complexity, the difference between service owners and remediation teams, how AI sharpens prioritization, and when automation is safe. Practical steps for starting small and aligning incentives are discussed.

39:38

forum

Ask episode

web_stories

AI Snips

view_agenda

Chapters

auto_awesome

Transcript

info_circle

Episode notes

insights

INSIGHT

From Scans To Decision Clarity

Vulnerability management evolved from server patching to decision clarity across services and tools.
Brad Hibbert argues exposure management focuses on outcomes, not just tools.

insights

INSIGHT

Context Beats Raw Findings

Cloud made assets dynamic and highly interconnected, increasing context needs.
Prioritization now matters more than mere discovery of findings.

volunteer_activism

ADVICE

Separate Risk Owner From Fixer

Map risk to service owners and fixes to remediation owners to solve "who fixes this".
Let service owners decide acceptable risk while mobilizing relevant fixer teams.

Get the Snipd Podcast app to discover more snips from this episode

Brad's background and shift to exposure management

02:34 • 2min

chevron_right

From patching servers to cloud complexity

04:22 • 2min

chevron_right

What is risk-based vulnerability management?

06:09 • 2min

chevron_right

Risk owners vs. remediation owners

08:38 • 3min

chevron_right

How AI helps prioritize vulnerabilities

11:29 • 3min

chevron_right

Exposure management as a program above tools

14:21 • 4min

chevron_right

Data inconsistency and shared risk models

18:40 • 4min

chevron_right

Readiness: executive buy-in and shared incentives

22:10 • 2min

chevron_right

Automated remediation: when to trust automation

24:36 • 4min

chevron_right

Compliance vs. impact-focused exposure reduction

28:17 • 3min

chevron_right

Maturity advice and starting small

30:50 • 6min

chevron_right

Adoptable workflows and accommodating teams

In this episode, Brad Hibbert (COO & Chief Strategy Officer at Brinqa) joins Ashish to explain why traditional risk-based vulnerability management (RBVM) is no longer enough in a cloud-first world .

We explore the evolution from simple patch management to Exposure Management a holistic approach that sits above your security tools to connect infrastructure, code, and cloud risks to actual business impact . Brad breaks down the critical difference between a "Risk Owner" (the service owner) and a "Remediation Owner" (the team fixing the bug) and why this distinction solves the "who fixes this?" problem .

This conversation covers practical steps to uplift your VM program, how AI is helping prioritize the noise , and why compliance often just "proves activity" rather than reducing real risk . Whether you're drowning in Jira tickets or trying to automate remediation, this episode provides a roadmap for modernizing your security posture

Guest Socials - ⁠⁠⁠⁠⁠Brad's Linkedin

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

If you are interested in AI Security

, you can check out our sister podcast -⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠ AI Security Podcast⁠

Questions asked:

(00:00) Introduction(02:50) Who is Brad Hibbert? (Brinqa)(04:55) The Evolution: From Scanning Servers to Cloud Complexity (06:50) What is Risk-Based Vulnerability Management? (08:50) Risk Owners vs. Remediation Owners: Who Fixes What? (12:00) How AI is Changing Vulnerability Management (15:20) Defining Exposure Management: Moving Beyond the Tools (18:30) The Challenge of "Data Inconsistency" Between Tools (22:30) Readiness Check: Are You Ready for Exposure Management? (25:10) Automated Remediation: Is "Zero Tickets" Possible? (28:40) Compliance vs. Risk: Why "Activity" isn't "Impact" (31:30) Maturity Milestones for Exposure Management (36:50) Fun Questions: Golf, Turkish Kebabs & Friendships

Home Top podcasts Popular guests Top books