Speed Is a Governance Decision

Attackers do not wait for your approval chain

A flaw becomes public. Within a day, attackers are moving. Security teams start counting exposed systems, legal starts asking for impact, operations starts worrying about downtime, and executives start hoping the issue is "contained." It rarely is.

That is the wrong frame. The real question is simpler. In your company, who is authorized to move faster than the attacker?

Dark Reading reported that a max-severity Ivanti flaw was exploited within 24 hours of disclosure, with signs that attackers had already mapped likely targets before the news was public. CISA, in a separate headline this week, rewrote federal patching requirements so agencies have three days to fix the most dangerous flaws. Those are two different stories. They point to the same lesson.

Speed is a governance choice as much as an IT metric.

A lot of executive teams still treat urgent remediation like a technical workflow. It is not. It is a pre-approved business decision about risk, authority, and interruption. If your team has to negotiate every emergency patch with every application owner, regional leader, and uptime-sensitive business unit, you do not have a patching process. You have a committee.

Attackers love committees. They know exactly what happens inside large organizations when a disruptive decision must be made quickly. Meetings appear. Exceptions multiply. Someone asks for more validation. Someone else asks whether there is evidence of active targeting in your sector. By then, the window is gone.

You have seen this movie before. Different vendor. Different flaw. Same ending.

The leadership mistake is not failing to predict every zero-day. That is fantasy. The mistake is failing to decide, in advance, what the company values more in the first 72 hours of uncertainty: temporary friction or avoidable exposure.

That decision belongs above the CISO. It belongs with the executive team and the board committee that oversees operational risk. Why? Because emergency remediation can interrupt revenue, service delivery, and customer experience. If leaders want speed when it matters, they must bless the tradeoff before the crisis arrives.

What would a smart executive do differently? First, define a narrow set of triggers that automatically authorize emergency action. Not discussion. Action. Second, make sure the people running infrastructure, customer operations, communications, and legal all know the same playbook. Third, measure time to decision, not just time to patch.

That last one matters more than most dashboards admit. A company can have excellent engineers and still lose days waiting for permission. If your internal approvals take longer than the attacker's reconnaissance cycle, your technical capability is beside the point.

This is also where boards need to mature. Too many still ask whether management is "patched up" in the abstract. That question is useless. The better question is this: when a severe issue emerges on a Friday afternoon, what powers has management already delegated so the company can act before Monday's status meeting?

You do not need perfect asset visibility to improve this. You do not need a new slogan. You need decision rights that work under pressure.

The Ivanti story will be filed as another fast-moving exploit. It is more valuable than that. It is a reminder that the first contest is not between your tools and theirs. It is between their speed and your bureaucracy.

A flaw becomes public. Within a day, attackers are moving. That scene is no longer exceptional. Plan like it.

Pre-authorize the hard calls. Measure decision latency. If speed matters, govern for it.