Transforming Vulnerability Management from One Size Fits All to Truly Risk-Based
Tuesday, May 20, 2025 | 4:00PM–4:45PM ET | Harborside Ballroom E, 4th Floor
Session Type: Breakout Session
Delivery Format: Demonstrations
In 2023, Harvard embarked on a three-year initiative to modernize its vulnerability management approach. The effort centered on shifting from a high-volume, resource-intensive model to a risk-based strategy. The program positions the university to prioritize vulnerabilities based on standard risk factors, ensuring more efficient resource allocation. The transformation represented a cultural change as much as it did a technology challenge. A dedicated, university-wide program team has carefully aligned key stakeholders and leadership behind the new approach, and now, midway through the program’s implementation, the first set of schools and units are adopting this new way of life. The team will first present our problem: balancing the increasing demands of vulnerability and exposure management amid a constantly evolving threat landscape with the pressures of today’s funding environment and the scarcity of resources. Next, the team will present a brief history of the solution’s design, build, and implementation before opening a live demonstration of the technology. The demonstration will simultaneously communicate how the solution works and the solution’s scaled impact across the university. This portion of the presentation will underscore the importance of managing risks over lists and clearly communicate a path to building that capability. Finally, we will conclude the session with a focus on lessons learned and a summary of key organizational change management activities.
Presenters
Todd Conetta
Project Manager, Harvard University
John Sorel
Sr. Cloud and Infrastructure Security Engineer, Harvard University