By Sylvain Cortes
Cybersecurity is often seen as a race against the latest threats, but Sylvain Cortes, VP of Strategy at Hackuity, believes the future lies in mastering the basics. In this interview, he shares how vulnerability management is evolving into a strategic enabler, reshaping resilience, collaboration, and innovation across security and IT operations.
You’ve spent years at the intersection of cybersecurity and strategic innovation. What drew you personally to this space and what continues to drive your passion for solving some of the industry’s toughest challenges?
There are three things that have really driven my career in technology. First, I’ve always been a technical guy. I love discovering new things and seeing how tech has developed.
The second thing is the way the market has developed. When I started in IT, the Internet was just beginning, and it all looks very quaint compared to today. But people are still struggling with the same basic things they did then: back-ups, getting printers to work properly, and of course, managing vulnerabilities. So, my mission with Hackuity is really to help get those basics right instead of getting caught up with the next big thing.
And finally, I really love being in the tech community, meeting people, and creating relationships. I especially get a lot of joy helping younger people get into the industry. I spent decades trying to work out how to do it, so I like to pass that on to the next generation.
How do you foster alignment and collaboration across traditionally siloed teams like security and IT operations?
One of the biggest issues you see in heavily siloed departments is an ‘us and them’ mentality. They have different priorities and practices, so they can start seeing each other as obstacles, which ultimately makes it harder for everyone to do their jobs.
A good starting point to overcome this is to map out their shared goals. Rather than putting system uptime against risk reduction, find common ground that makes them the same objective. For example, you could agree on joint SLAs for patch rollouts that tie vulnerability reduction to system availability.
It also helps to enable everyone to collaborate and see priorities together. A single vulnerability management dashboard pulls all alerts, asset context, and remediation tickets into our existing ITSM, so nobody misses the critical details.
What organisational shifts are necessary for companies to successfully adopt a Vulnerability Operations Centre (VOC) model?
The Vulnerability Operations Centre is ultimately a way of elevating vulnerability management into its own mission-control function. Rather than being a scattered activity spread across different departments, it becomes a singular process with clear ownership.
I recommend setting up a dedicated VOC team, separate from your SOC’s incident-response duties, with a clear charter to own end-to-end oversight. We then funnel every intelligence feed (NVD, EUVD, commercial, and so on) and internal scan into a unified platform, de-duplicating and normalising risk scores across cloud, network, and applications.
All this means there is a single point of visibility and control for all things vulnerability management. From this baseline, you can start to see more efficient practices that free analysts from time-consuming ‘drudge work’. For example, triage can become a largely automated process, with grouping and ticket creation through ITSM.
What are the most significant changes currently reshaping the field of Risk-Based Vulnerability Management?
For a long time, vulnerability management has been a very checkbox-type of activity. Teams tended to rely on CVSS scores and simply work their way through the list of incoming vulnerabilities as best they could – but not necessarily in the way that delivered the best security for their company.
Now we’re seeing a move to a more context-based approach, acknowledging that, say, a mid-severity flaw on an internet-facing server often outranks a critical bug buried in an isolated system. AI and machine learning now enrich CVEs with exploitability and threat-actor tags, plugging the gaps left by NVD or NIST backlogs.
Added to this, teams can now re-prioritise on the fly as they receive new information from continuous data feeds. Overall, vulnerability management is becoming much better equipped to find and address the risks that really matter.
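As an added illustration of two points made above (the VOC funnelling several feeds into one platform with de-duplication and normalisation, and context-based ranking where an internet-facing mid-severity flaw outranks an isolated critical one), here is a small Python example; it is not code from the interview or from Hackuity, and every feed record, asset name, CVE-style identifier and weight in it is a constructed placeholder.

```python
"""Added example (not from the interview or Hackuity): merge findings from
several constructed feeds, de-duplicate per asset/CVE while keeping the
richest context, and rank by exposure and exploitation evidence rather
than by raw CVSS alone. All identifiers and weights are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    asset: str
    cvss: float            # base severity 0-10 as a scanner reports it
    internet_facing: bool  # asset context from the inventory
    exploited: bool        # threat-intel flagged active exploitation


def normalise(raw: dict) -> Finding:
    """Map one feed record onto the common schema. Feeds disagree on field
    names, casing and scales (one reports 'score' on 0-100), so this is
    where normalisation happens."""
    score = raw["cvss"] if "cvss" in raw else raw.get("score", 0) / 10
    return Finding(raw["cve"].upper(), raw["asset"].lower(), float(score),
                   bool(raw.get("internet_facing", False)),
                   bool(raw.get("exploited", False)))


def dedupe(findings) -> list:
    """Collapse duplicates per (cve, asset), merging context: keep the
    highest severity and any exposure/exploitation tag seen by any feed."""
    merged = {}
    for f in findings:
        cur = merged.get((f.cve, f.asset))
        if cur is not None:
            f = Finding(f.cve, f.asset, max(cur.cvss, f.cvss),
                        cur.internet_facing or f.internet_facing,
                        cur.exploited or f.exploited)
        merged[(f.cve, f.asset)] = f
    return list(merged.values())


def priority(f: Finding) -> float:
    """Context-weighted score (weights are constructed): exposure and
    exploitation evidence outweigh raw severity."""
    return round(f.cvss + (4.0 if f.internet_facing else 0.0)
                 + (3.0 if f.exploited else 0.0), 1)


def triage(feeds) -> list:
    """Normalise every record of every feed, de-duplicate, rank descending."""
    return sorted(dedupe(normalise(r) for feed in feeds for r in feed),
                  key=priority, reverse=True)


# Constructed feeds: a scanner (0-10 CVSS, with one duplicate record) and a
# threat-intel feed (0-100 scale) that adds an exploitation tag.
SCANNER_FEED = [
    {"cve": "cve-0000-0001", "asset": "Web-01", "cvss": 5.5, "internet_facing": True},
    {"cve": "cve-0000-0002", "asset": "db-int-03", "cvss": 9.8},
    {"cve": "cve-0000-0001", "asset": "web-01", "cvss": 5.5},
]
INTEL_FEED = [{"cve": "CVE-0000-0001", "asset": "web-01", "score": 55, "exploited": True}]
```

Running `triage([SCANNER_FEED, INTEL_FEED])` yields two findings, with the mid-severity internet-facing web-01 issue ranked above the critical but isolated database one.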
How does a unified, risk-focused platform transform the way teams identify, prioritise, and remediate vulnerabilities?
A single pane of glass changes everything. Aggregating CVE databases, internal scans and asset inventories into a single point means teams can finally gain a real-time view of their risk landscape.
It also opens the door to a more efficient and automated way of doing things. Automated filters can be set to spotlight only the vulnerabilities that threaten key systems, while AI-aided analytics groups related issues for bulk remediation. This means vulnerability management teams can quickly assemble a clear priority list and get to work, rather than wasting time and energy rummaging through piles of unsorted data.
As mentioned, you can also integrate ITSM orchestration to auto-raise tickets, complete with business context, priority scoring and deadlines, so teams receive actionable tasks, not just raw alerts. Live SLA and remediation dashboards also flag blockers before they stall progress.
What are the root causes of communication breakdowns between security and operations teams, and how can organisations overcome them?
I see two main culprits: language and tools. Security speaks “risk,” operations speak “availability” – and each team’s KPIs rarely overlap. Layer on a tangle of dashboards, spreadsheets and alerts, and nobody shares a single source of truth or understands each other’s work.
There’s an important cultural aspect to fixing this. Leaders need to foster a more collaborative, blameless culture around security. If a security issue arises for example, you want the post-mortem to focus on finding and fixing process gaps, not finger-pointing. Holding regular review boards with both teams can also help to catch issues early.
What role will vulnerability management play in the future of cyber resilience and business continuity?
I think vulnerability management is evolving into a linchpin of resilience planning. It’s always been seen as a bit of a tedious task in the past, and one that is often underestimated until a vulnerability is exploited in an attack.
More companies are realising that integrating VM into business-continuity and incident-response playbooks means they reduce the likelihood of having to scramble during crises.
Over time, VM metrics will feed into broader continuity KPIs, ensuring our remediation targets align with tolerance thresholds. In this way, vulnerability management will shift from a defensive chore into a strategic enabler that keeps the business running.
In five years, what would you like to see as the “new normal” in how organisations manage and act on vulnerabilities?
I’d hope to see a centralised approach like VOC be the new normal within the next few years. All organisations are facing the same challenges around dealing with information scattered everywhere, so it’s a common challenge everyone needs to solve soon. It needs to be the new normal soon or a lot of companies are going to have huge security problems.
We’re also certainly seeing more automation everywhere, supported by a lot of new AI use-cases. Those are both important factors in establishing a manageable VOC setup, so I think it should be the logical progression.
I think within the next few years we’ll see most, perhaps 70-80% of vulnerability tasks heavily automated, with the team focusing on the most important and challenging tasks that need human expertise.