{"id":14786,"date":"2025-09-12T19:38:16","date_gmt":"2025-09-12T19:38:16","guid":{"rendered":"https:\/\/newestek.com\/?p=14786"},"modified":"2025-09-12T19:38:16","modified_gmt":"2025-09-12T19:38:16","slug":"how-wesco-cut-through-the-noise-and-reimagined-risk-management","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14786","title":{"rendered":"How Wesco cut through the noise and reimagined risk management"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Wesco is best known as a leading supply chain partner that provides electrical and communication systems and safety equipment to utilities, manufacturers, hospitals, and construction firms.<\/p>\n<p>But behind the scenes, the company faces the same challenge that all organizations grapple with: how to manage thousands of security alerts. For Wesco, the question was clear: How do you separate what\u2019s urgent from what can wait?<\/p>\n<p>That question inspired Wesco\u2019s \u201cPrioritized Risk Management Initiative,\u201d a project designed to cut through alert clutter. 
By pulling risk data from different platforms into a single framework, the company gave its teams a clearer view of security vulnerabilities and the ability to focus on the most urgent threats.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Four cornerstones of Wesco\u2019s risk management strategy<\/h2>\n<p>Wesco\u2019s new approach rested on four main strategies, each designed to make risk management more actionable for the teams responsible for it.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Proactive defense<\/strong>: Real-time threat intelligence feeds allow Wesco to spot and neutralize vulnerabilities before they escalate.<\/li>\n<li><strong>Improved awareness<\/strong>: Developers and security teams have clearer visibility into zero-day threats and can act faster.<\/li>\n<li><strong>Application security posture enhancement<\/strong>: A \u201csecurity champions program\u201d ensures accountability doesn\u2019t sit only with the security team but across development and executive teams, too.<\/li>\n<li><strong>AI-driven risk mitigation<\/strong>: Artificial intelligence helps developers resolve vulnerabilities faster by automating manual tasks such as troubleshooting alerts and sifting through vulnerability scans.\n<\/li>\n<\/ul>\n<p>The backbone of the project is integration. 
Wesco connected more than a dozen platforms\u2014including GitHub, Azure DevOps, Veracode, JFrog, Kubernetes, Microsoft Defender, and CrowdStrike\u2014into a single view.<\/p>\n<p>\u201cSecurity teams were inundated with alerts and had no holistic view of security risks,\u201d says John Sander, Wesco\u2019s vice president and chief information security officer.<\/p>\n<p>\u201cWe\u2019ve consolidated all that data, and we now use application security posture management [ASPM], threat modeling, and risk scoring to streamline risk visibility and adapt to evolving threats.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The challenges of turning chaos into clarity<\/h2>\n<p>No risk management strategy unfolds easily, and Wesco\u2019s initiative faced obstacles.<\/p>\n<p>The first challenge was sheer volume. Thousands of alerts streamed in from various platforms, with no way to separate real threats from noise. On top of that, the fragmented data created gaps in visibility. Each platform provided only part of the picture, making it difficult to understand the true risk landscape.<\/p>\n<p>The overlap didn\u2019t help, either. The same vulnerability might appear in more than one tool, which meant teams wasted valuable time addressing it more than once. 
And without clear accountability, developers and business units weren\u2019t always sure who was responsible for remediation.<\/p>\n<p>Sander recalls one especially frustrating example: \u201cThe same third-party vulnerability might show up in both Veracode and GitHub, and different teams would try to fix it in inconsistent ways.\u201d<\/p>\n<p>A key breakthrough came when the team began using the following programs and technologies to evaluate threats.<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Security champions program<\/strong>: Assigns security ownership within development teams<\/li>\n<li><strong>ASPM and threat modeling<\/strong>: Provides automated risk scoring and centralized insights<\/li>\n<li><strong>AI-powered security automation<\/strong>: Automates vulnerability resolution using AI-assisted tools<\/li>\n<li><strong>Operational risk reporting<\/strong>: Ensures end-to-end visibility from developers to executives<\/li>\n<\/ul>\n<p>\u201cWith these tools, we were able to ask: Is there a known exploit? Are there mitigating controls in place? 
And what\u2019s the actual business impact?\u201d says Sander.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Results that move the risk management needle<\/h2>\n<p>By combining automation, AI, and accountability, the team has sped up vulnerability detection and remediation while easing the strain on developers and security staff.<\/p>\n<p>The results of Wesco\u2019s risk management initiative have been impressive, says Sander, and the numbers help tell the story.<\/p>\n<p>Some of the standout improvements include:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>9,000 development hours saved each year<\/strong> thanks to automation that handles much of the manual troubleshooting work.<\/li>\n<li><strong>30% drop in application risk scores<\/strong> across critical systems, giving the company a stronger security posture.<\/li>\n<li><strong>50% fewer new vulnerabilities<\/strong>, helping cut down long-term security debt.<\/li>\n<li><strong>Faster resolution times<\/strong>, with AI assisting developers to pinpoint root causes and suggest fixes quickly.<\/li>\n<li><strong>Higher external ratings<\/strong>, including improved BitSight scores, which reinforce customer trust.<\/li>\n<\/ul>\n<p>Perhaps even more important than the numbers has been a shift in culture that blends security and software development. 
Through Wesco\u2019s security champions program, developers no longer wait for the security team to hand down fixes; they\u2019re fixing vulnerabilities themselves early in the development lifecycle.<\/p>\n<p>\u201cFor instance, when Veracode flagged a critical container vulnerability, the security champion on that team used AI tools to identify the root cause and apply a fix within hours without relying on the central AppSec team,\u201d says Sander.<\/p>\n<p>\u201cThis cultural shift has shortened response cycles and increased collaboration across the org.\u201d<\/p>\n<p><em>For its risk management project, Wesco earned a <\/em><a href=\"https:\/\/event.foundryco.com\/cso-conference-awards\/?utm_source=cso.com&amp;utm_medium=blog&amp;utm_campaign=CSO2025_Wesco\"><em>2025 CSO Award<\/em><\/a><em>. The award honors security projects that <\/em><a href=\"https:\/\/www.csoonline.com\/article\/570667\/us-cso50-2022-awards-showcase-world-class-security-strategies.html\"><em>demonstrate outstanding thought leadership and business value<\/em><\/a><em>.<\/em><\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Keys to smarter risk management: visibility and ownership<\/h2>\n<p>When asked what advice he\u2019d give other security leaders about managing risk, Sander is straightforward: Bring the data together and make security part of everyone\u2019s job.<\/p>\n<p>\u201cWhen you consolidate data from all security tools into a centralized platform, you eliminate duplication, streamline triage, and get a true picture of risk,\u201d he says.<\/p>\n<p>Equally important, Sander adds, is moving security out of its silo and embedding it into daily work across departments. That\u2019s where culture comes into play.<\/p>\n<p>\u201cSecurity champions programs like ours create distributed accountability,\u201d he says. 
\u201cDevelopers will see security as part of their role if they have tools that assist rather than obstruct.\u201d<\/p>\n<p>Wesco\u2019s award-winning initiative proves that managing risk doesn\u2019t have to be overwhelming. With data consolidation, automation, and a culture that shares responsibility, the company turned a flood of security alerts into clear, actionable priorities.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Wesco is best known as a leading supply chain partner that provides electrical and communication systems and safety equipment to utilities, manufacturers, hospitals, and construction firms. But behind the scenes, the company faces the same challenge that all organizations grapple with: how to manage thousands of security alerts. For Wesco, the question was clear: How do you separate what\u2019s urgent from what can wait? 
That&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14786\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14786","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14786","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14786"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14786\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14786"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14786"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14786"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}