Step 5: Eliminate Risk – Lead with Confidence
Table of Contents
- Real-World Impact: From Measurement to Action
- Breaking Through: Insights from D-Day
- When to Execute: Probabilities vs. Perfection
- Connecting the Five Steps to TruRisk
- Closing the Unpatchable Gap with TruRisk Eliminate
- Custom and Battle-tested Eliminations
- Measure with Precision, Communicate with Impact, Eliminate with Purpose
“We shall not fail or falter; we shall not weaken or tire… Give us the tools and we will finish the job.” – Winston Churchill
Every security team knows this truth: you can’t patch everything, and you can’t necessarily protect everything. History reminds us that perfection is rare, but decisive execution can change outcomes. With the right team and tooling, risk management can shift rapidly from reporting into trackable, meaningful action.
The mission is simple: continually de-risk the organization. The challenge? Too many teams stall after measuring and communicating cyber risk, stopping short of that final action. What comes next is where impact is made: Are teams actively reducing risk, or just tracking it?
Well-prioritized patching delivers immediate, measurable gains. Yet not every risk can be patched. To finish the job, teams must move beyond dashboards and reports, stop chasing noise, and focus on innovative approaches to eliminating vulnerabilities that truly impact the business.
Real-World Impact: From Measurement to Action
A global enterprise faced a familiar challenge:
- Security teams drowning in data
- Thousands of critical vulnerabilities flagged every month
- Patching teams unable to keep up
Despite countless conversations and new investments, the attack surface kept expanding, and trends moved in the wrong direction. The turning point came when leadership realized that adding more people and tools wasn’t solving the problem. Critical vulnerabilities still went unaddressed for months, even on the assets that everyone knew mattered most to the business. The organization could no longer afford to measure risk without eliminating it.
From Data to Outcome-Driven Results
This realization triggered a rapid shift into automated remediation, implementing Qualys Patch Management, and real-time tracking aligned to business units. The focus shifted to asset inventory, patching ownership, and orchestrated workflows. For the first time, Security and IT were operating in lockstep, guided by shared risk signals and defined ownership.
The Result:
- Mean time to remediate critical vulnerabilities dropped by almost 70%
- TruRisk™ scores visibly reduced across high-impact business units
- Internet-facing asset visibility increased by more than 300%
- For the first time: Leadership gained real-time visibility into progress and effectiveness
Best of all, the team stopped chasing metrics and started executing, seeing the impact of rapid risk-reduction action across the entire global enterprise. This transformation not only strengthened their security posture but also contributed to significant cost savings, including reductions in cyber insurance premiums.
History and cybersecurity alike are filled with examples of overwhelming challenges met through clear mission goals, innovation, collaboration, and decisive execution.
Breaking Through: Insights from D-Day
“A good plan executed now, is better than a perfect plan executed next week.” – US Army General George S. Patton
Four years after Britain stood alone in the Battle of Britain, the improbable became possible. Following Axis overreach, allies from Russia, Canada, and the U.S. joined the fight.
By May 1944, Allied forces prepared to launch Operation Overlord. With clear priorities, secure intelligence, innovative tactics, and multinational collaboration, the pieces were in place.

The mission: gain a foothold in occupied Europe by dismantling defenses, seizing key territory, and driving the enemy back.

With their objectives set, the Allies faced the ultimate test: breaching the Atlantic Wall, a 1,700-mile barrier of mines, bunkers, and artillery built to repel any landing. It demanded unprecedented planning, coordination, and a bit of luck… all while under constant pressure. Months earlier, Operation Mincemeat proved the power of deception: with the right story, the enemy could be tricked into wasting resources. Building on that, leaders launched an elaborate campaign ahead of D-Day, convincing the Axis that landings were imminent at Cap d’Antifer, Pas-de-Calais, and even Normandy itself.
Fake armies filled southern England, complete with inflatable tanks, wooden planes, and dummy craft.


Radio chatter and double agents like Garbo simultaneously spread misinformation. Chaff was dropped from planes mimicking invading airborne forces, while small boats towed radar balloons to simulate advancing fleets.


Operations Fortitude, Titanic, and Bodyguard were all designed to waste, confuse, and overwhelm enemy resources in various regions while the Allies prepared for the real invasion.
The well-documented Allied Naval deceptions were designed to create “noise,” drawing enemy forces to the wrong locations, stretching defenses, and giving the actual assault a chance to succeed. More than 80 years later, these tactics are still being studied.
When to Execute: Probabilities vs. Perfection
“You have to run risks. There are no certainties in war. There is a precipice on either side of you – a precipice of caution and a precipice of over-daring.” – Winston Churchill
On the eve of June 6, 1944, the largest amphibious invasion in history, famously known as “D-Day”, began. Analysts had pored over weather data, geographical maps, and other trends in the region for months, searching for the right time to launch. Trying their best to find patterns and certainty, they could only identify when conditions were most likely to be favorable. No matter how many times they reran the numbers, no one could agree on the ultimate question: When was the “perfect time to launch”?
The only consensus was a narrow window in late May and early June. Yet even that fragile window nearly collapsed just before launch day, as dense fog and rough seas threatened to postpone the assault indefinitely.

Allied leaders understood that weather assessments, built on probabilities and fuzzy data points, would never provide 100% certainty. Most importantly, they knew waiting for perfect conditions might mean never launching at all.
They weighed their options carefully:
Delay and Wait
- Clearer visibility of enemy obstacles and positions, with safer navigation and easier coordination.
- But with a longer, slower advance, and a much stronger resistance.
Launch in Zero Visibility
- Maximize surprise and use the high tide for a shorter advance.
- But with unseen obstacles, a high chance of stranded landing craft, and almost certain disaster.
Commanders chose to wait. With deception in full swing and the tide receding, the assault began.

Their orders: Overwhelm coastal defenses at five beaches, then fight 25 miles inland and capture control of Saint-Lô. Each step brought heavier barriers and entrenched resistance. After six weeks of grinding progress through hedgerows and fierce defenses, Allied forces finally broke through, opening the gateway that allowed them to fan out across France, sever supply lines, and clear the path to Paris. Isolating the enemy and their ability to resupply proved key.

The victory didn’t end the war outright, but it added the momentum needed to liberate France and Western Europe.
Just a few years prior, France had fallen, and Britain had retreated from Dunkirk to defend the homeland. Without the innovative Dowding System during the Battle of Britain, all may have been lost. These moments showcased the power of mission focus, resource-limited orchestration, and relentless execution against overwhelming odds.
Lessons like these became the backbone of Allied success:
- Victory against a prepared, well-equipped enemy required more than innovative manufacturing, heaps of firepower, and lots of dedicated people.
- Clear mission goals and understanding the battlefield are key.
- Distracting the enemy with “noise” can be an effective weapon.
- Turning strategy into results demands orchestration and intentional collaboration.
- Decisive execution secures objectives and eliminates threats.
These same principles apply in cybersecurity. Resilience can’t be measured by alerts, dashboards, or vulnerability counts alone. Just as the Allies turned intelligence, misdirection, and decisive execution into advantage on D-Day, modern teams must be focused, while blending insight, strategy, and timely action to reduce risk and successfully outmaneuver threats.
Connecting the Five Steps to TruRisk™
Digital signals should always reveal decisive moves, making business risk something that’s eliminated, not just tracked. As we’ve shown throughout this series, chasing volume metrics and gaps without context drains time, energy, and resources.
- Step 1: Shift to Priority – Leading the shift to risk-based prioritization means fostering collaboration and a shared language across the organization. Risk (TruRisk) = Likelihood (QDS) x Impact (ACS)
- Step 2: Measure – Accurately identify asset and threat likelihood. Asset context (ACS) combined with threat intelligence (QDS) is key.
- Step 3: Get Started – Focus on High-Impact Risks: Prioritize remediation efforts on the highest potential business impact. When teams know what makes the cash register ring, it’s clear where efforts start.
- Step 4: Communicate – Tracking and conveying cyber risk in business terms builds trust, aligns teams, and secures resources. In the end, it’s the gap between confident execution and assumed results.
Now, in Step 5: Eliminate, it all comes together. Execution is the capstone of a broader risk-based approach: Measurement, intelligence, prioritization, and communication become decisive actions that rapidly reduce risk to the business.
With the Qualys Enterprise TruRisk™ Platform, that final step is much clearer.
Closing the Unpatchable Gap with TruRisk™ Eliminate
Mitigate, Isolate and Remediate
Closing the Unpatchable Gap with TruRisk™ Eliminate means teams no longer have to choose between waiting on a patch and living with exposure. TruRisk™ Eliminate helps organizations reduce risk through Patching, Mitigation, Isolation, and advanced Remediation strategies. With built-in automation and full control over impact, uptime, and business cycles, TruRisk™ Eliminate accelerates remediation, strengthens overall security posture, and addresses those unpatchable gaps.
Mitigate, Isolate, Patch and Remediate options, fed directly from VMDR, let defenders apply the right fix at the right time.
- Windows, Linux, and Mac OS patching
- Third-party application patching
- Vulnerabilities without an available Patch
- Vulnerabilities where Patches cannot be deployed
Mitigate enables teams to apply risk controls and configuration changes to address threats, particularly for unpatchable vulnerabilities, or situations where patching carries operational risk.
Isolate provides a proactive way to quarantine risky assets and prevent exploitation, offering an alternative to reactive EDR approaches. It isolates devices from the network while still enabling remote patching.
- Integrated with VMDR, vulnerabilities get marked as Mitigated (“Isolated”) and will reduce the associated Qualys Detection Score
- Also supports exceptions for trusted applications and destinations (Windows or Linux), ensuring isolated assets remain connected to essential resources
See TruRisk™ Eliminate Blog: needrestart, WinVerifyTrust, and LPE
Together, these capabilities give security teams a unified, risk-focused approach, eliminating threats where possible, mitigating when patching isn’t an option, isolating to prevent compromise and even remediating with custom fixes if necessary.
Custom and Battle-tested Eliminations
Every Qualys Cloud Agent can run custom or platform-approved scripts via Qualys Custom Assessment and Remediation (CAR). We also offer various out-of-the-box, curated scripts for remediations that go above and beyond simple patching use cases.
CAR adds flexibility, with curated or custom actions, streamlining workflows, and strengthening overall security posture.
- Manage and patch Java and be ready for the next Log4Shell event:
With Qualys TruRisk™ Eliminate, teams unlock confident execution, enabling faster, trackable risk reduction. Thanks to the Qualys Enterprise TruRisk™ Platform, digital defenders now have a different feel for that final action.
Measure with Precision, Communicate with Impact, Eliminate with Purpose
“United we fought and united we prevail” – Chester Nimitz, US Chief Commander, WWII Pacific Front
Throughout history, victory has gone to those willing to change their approach. Inspired leadership, intentional collaboration, relentless innovation, and a refusal to accept the status quo are all common threads.
Ford’s assembly line revolutionized production by rethinking the process entirely. Washington’s spies didn’t just collect intelligence; they turned it into coordinated, mission-aligned action, tactics essential to defeating a seasoned opponent.
The Allies shared tactics, resources, and intelligence across borders, proving that trust and prioritization could outmatch a well-equipped adversary. Prioritized workflows enable leaders to focus efforts and execute decisive strikes. As we look back at history, this discipline was key when outnumbered… and out-resourced.
Victory doesn’t come from more data or more effort, but from disciplined workflows that prioritize, coordinate, and execute with precision. Maps, trends, dashboards, and reports alone will never close the gap; only decisive, data-driven action will.
The Steps to TruRisk™ series applies these same principles to cybersecurity.
- Measuring with speed, precision, and priority
- Communicating with impact, intelligence, and context
- Eliminating with confidence, purpose, and authority, knowing the team has all they need to finish the job!
When teams gain clarity on the right threats and their true impact, the path forward becomes clear. Just as D-Day’s success hinged on prioritized planning, coordinated execution, and relentless persistence, eliminating cyber risk requires the same clarity and dedication.
It’s time to lead the shift, turn the tide, and finish the mission with Qualys TruRisk™.
Our contributors
- Marcus Burrows, Lead Technical Trainer
- Lavish Jhamb, Senior PM, Compliance Solutions
- Eran Livne, Senior Director, Endpoint Remediation