Podcast: The Security Strategist Host: Richard Stiennon, Chief Research Analyst at IT-Harvest Guest: Nathan Rollings, CISO at Zafran The cybersecurity enterprise space has been transforming for years, going beyond traditional vulnerability management. According to Nathan Rollings, CISO at Zafran, the next shift is already underway in the B2B Enterprise technology space. It is being driven by automation, AI, and a deeper understanding of context within enterprise environments. Rollings sat down with host Richard Stiennon, also the Chief Research Analyst at IT-Harvest, on The Security Strategist podcast to talk about the need for security teams to move beyond dashboards and risk scores to something more operational–agentic exposure management. “Attackers are already using automation and AI,” Stiennon says to Rollings during the podcast. “Meanwhile, most defenders are still focused on risk scores, dashboards, and ticket backlogs.” Rollings believes the real opportunity lies in allowing intelligent systems to analyse exposure continuously and act on it. Why context matters more than another risk score For many security teams, vulnerability prioritisation still relies heavily on numerical risk scoring. Rollings argues that this approach often misses the bigger picture. “You’re spending so much money on these security tools,” he said. “The real question is, what is the return? What is the business value?” Understanding the effectiveness of existing controls, such as intrusion prevention systems, endpoint detection, or micro-segmentation, can dramatically change how vulnerabilities are prioritised. Research cited by Rollings suggests that only around one in 50k vulnerabilities is truly exploitable in a given environment once contextual factors are taken into account. “That means organisations spend enormous effort remediating vulnerabilities that may never actually be reachable,” he added. Agentic systems that correlate telemetry across security tools could narrow that focus significantly. This would allow teams to prioritise the small subset of exposures that really matter. “Security teams were so focused on detection, assessment, and ticketing that they didn’t have time to dig deeper,” Rollings tells Stiennon. “Agentic capabilities free them to concentrate on the things that truly make a difference.” Key Takeaways Exposure management prioritises vulnerabilities using real-world context, not just CVSS scores. Agentic AI can analyse exposures and automate remediation workflows. Security context—controls, network paths, and runtime data—determines real exploitability. Only about 1 in 50,000 vulnerabilities are truly exploitable in most environments. AI-secured code won’t remove runtime risk in live infrastructure. Chapters 00:00 Introduction to Cybersecurity Challenges 03:19 The Evolution of Exposure Management 07:31 Impact of AI on Vulnerability Management 11:34 Contextual Understanding in Exposure Management 15:37 Efficiency and Cost-Effectiveness in Security Teams 18:08 Key Takeaways for Security Practitioners For more information, please visit em360tech.com and www.zafran.io. Follow: EM360Tech YouTube: @enterprisemanagement360 EM360Tech LinkedIn: @EM360Tech https://www.linkedin.com/company/em360/?originalSubdomain=uk EM360Tech X: @EM360Tech https://x.com/EM360Tech Zafran LinkedIn: @Zafran Security https://www.linkedin.com/company/zafran-security/ Zafran X: @Zafran_io https://x.com/Zafran_io #AgenticAI #ExposureManagement #VulnerabilityManagement #CTEM #Cybersecurity #CISO #SecurityStrategist #RichardStiennon #NathanRollings #Zafran

Can Your Observability Stack Handle 24/7 Agentic Query Volume?
21 views

Agentic AI is changing Cybersecurity in 2026
22 views

Coding Agents are an identity problem in 2026
20 views

Claude Mythos and the future of cybersecurity
29 views

AI Hype vs Reality: What Security Leaders Are Getting Wrong
23 views

Why Most Enterprise AI Investments Fail to Deliver ROI
25 views