
Vulnerability Overload: Making Prioritization Work in the Real World
From Critical Assets Podcast by Patrick Miller
July 20, 2025 · 36 min · Season 3 · Episode 3
About this episode
Patrick Miller interviews Kylie McClanahan about the complexities of vulnerability management in operational technology environments.
In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS. The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness. This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments. Links: CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities CISA vulnrichment: https://github.com/cisagov/vulnrichment Vulnrichment, Year…
People in this episode
Host: Patrick Miller
Guest: Kylie McClanahan
Topics covered
- vulnerability management
- patching challenges
- operational technology
- IT and OT remediation
- CISA KEV catalog
- vendor responsiveness
- security outcomes
Keywords
- vulnerability management
- patching
- CISA
- operational technology
- CVSS
- vendor responsiveness
- security outcomes
- exploitation
- remediation cycles
Mentioned in this episode
Organizations: Bastazo, CISA, Carnegie Mellon
Products: CVSS, CSAF, VulnCheck KEV
More episodes of Critical Assets Podcast
- Policy Pulse: Regulatory Roundtable - Cyber Strategy, Large Loads, AI & CISA in Flux · May 11, 2026 · 1h 0m
- Policy Pulse: Regulatory Roundtable - NERC CIP, Cybersecurity Strategy, AI & Electric Sector · February 1, 2026 · 1h 2m
- From CISO to Startup: OT Security, Leadership, and Lessons from the Field · April 13, 2025 · 44 min
- Critical Conversations: IR, Forensics, and Regulation in OT · January 4, 2025 · 45 min
- Energizing Cybersecurity Careers: Workforce Development in OT/ICS · March 3, 2024 · 1h 8m
- CIE: Architecting Infrastructure Immunity · November 9, 2023 · 54 min
Explore listener stats, chart rankings, contacts and more on the Critical Assets Podcast podcast page.