It's pretty obvious that the cyber security industry has some sort of fetish for acronyms when you look at the different security product categories: CNAPP, CSPM, SAST, SCA, whatever. For some reason we love to make things sound more complex than they are, but why? Why are 99% of these products "visibility" products with no capability to remediate or prioritize any of the findings beyond artificial scores? Why is nobody performing any sort of validation? Every security leader I talk to, myself included, would tell you there's no shortage of issues; what's lacking is fact-based, pragmatic prioritization and remediation.
Scalable prioritization based on technical reasoning, together with prevention and remediation capabilities, is the next big trend. And no, I don't want to see more colorful pie charts, trend lines and "exec reports"; I need solutions, not more problems. I'm puzzled how this industry justifies spending millions on remediating vulnerabilities just because of a random CVSS score. It already felt like decadence during the ZIRP (zero interest rate policy) times; now it's just reckless. You are wasting engineering resources at scale if you don't know how to prioritize.
Part of the problem might be the lack of engineers in security teams: too many security teams, as well as security leadership teams, contain zero people with an engineering background. That's why I strongly believe the future of security and compliance teams is to adopt an engineering culture and focus on building strong internal engineering talent. Security isn't about delegating anymore; it's about building a company together.
There's hope though! I see more and more technical security leadership, and I personally enjoy building a rock-star security engineering team. These teams need different products, though: products like Oligo Security, products built for a technical audience that allow scalable prioritization and remediation.