Guest: Steve Winterfeld (LinkedIn)
Company: Akamai
Show Name: Secure By Design
Topic: Security
Most enterprise security teams run scans, generate reports, and move on. But when the same vulnerability—say, local file inclusion—appears five times in one quarter, you don’t have a developer problem. You have a systemic failure in training, tooling, or validation.
Steve Winterfeld, Advisory CISO at Akamai, has seen this pattern across hundreds of organizations. In a recent conversation with TFiR, he outlined the critical difference between treating security frameworks like OWASP as compliance checklists versus using them as diagnostic tools to identify root causes.
From Scanning to Root Cause Analysis
The first question Winterfeld asks when reviewing vulnerability scans isn’t “How many?” It’s “Why?” If a scan reveals five instances of local file inclusion, his immediate focus shifts to pattern analysis: Are these vulnerabilities clustered around one developer? Four different developers? A specific team or project?
“I’m going to walk that back and get rid of that root cause. I want to do root cause analysis of why I’m seeing the number of vulnerabilities I’m seeing,” Winterfeld explains.
This approach transforms security scans from reactive noise into strategic intelligence. Instead of treating each vulnerability as an isolated incident, the analysis reveals whether the organization has a training gap, a tooling deficiency, or a breakdown in secure development practices.
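The pattern analysis described above, as an added example that is not part of the original interview or Akamai's tooling: it takes constructed scan findings (vulnerability class, developer, team, project), clusters them by vulnerability class, and maps the shape of each cluster to the root-cause question Winterfeld asks (one developer, several developers, one team or project). The thresholds and labels are assumptions for illustration.

```python
from collections import defaultdict

# Constructed scan findings for illustration (not real data). Each entry is
# (vulnerability class, developer, team, project).
SCAN_FINDINGS = [
    ("local file inclusion", "dev-a", "payments", "checkout"),
    ("local file inclusion", "dev-b", "payments", "checkout"),
    ("local file inclusion", "dev-c", "search", "catalog"),
    ("local file inclusion", "dev-d", "search", "catalog"),
    ("local file inclusion", "dev-a", "payments", "checkout"),
    ("sql injection", "dev-e", "reporting", "analytics"),
    ("sql injection", "dev-e", "reporting", "analytics"),
    ("sql injection", "dev-e", "reporting", "analytics"),
]


def cluster_findings(findings):
    """Group findings by vulnerability class and record how many distinct
    developers, teams and projects each class touches."""
    groups = defaultdict(
        lambda: {"count": 0, "developers": set(), "teams": set(), "projects": set()}
    )
    for vuln, dev, team, project in findings:
        g = groups[vuln]
        g["count"] += 1
        g["developers"].add(dev)
        g["teams"].add(team)
        g["projects"].add(project)
    return groups


def root_cause_hypothesis(group, min_recurrence=3):
    """Translate the shape of a cluster into a remediation hypothesis.
    min_recurrence is an assumed threshold below which a finding is treated
    as isolated rather than as a pattern."""
    if group["count"] < min_recurrence:
        return "isolated: fix and monitor"
    if len(group["developers"]) == 1:
        return "individual: targeted developer training"
    if len(group["teams"]) == 1:
        return "team: review team tooling and code review practice"
    return "systemic: organization-wide training, tooling or validation gap"


def triage(findings, min_recurrence=3):
    """Return a root-cause hypothesis per vulnerability class."""
    clusters = cluster_findings(findings)
    return {vuln: root_cause_hypothesis(g, min_recurrence) for vuln, g in clusters.items()}
```

On the constructed data, five local file inclusion findings spread across four developers and two teams are classified as systemic, while three SQL injection findings from a single developer point to individual training.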
Building Security Maturity Beyond the Checklist
Once root causes are identified, Winterfeld advocates for a maturity-focused response that goes several layers deeper than typical remediation. The key areas include:
Validation and Testing: Are development teams actually testing for the vulnerabilities flagged in frameworks? Are security operations center (SOC) analysts trained to recognize exploitation patterns?
Training Investment: Are developers being sent to classes that address the specific vulnerability patterns emerging in scans? Is the training reactive (after a breach) or proactive (integrated into onboarding and continuous education)?
Vendor Management: How are third-party vendors being validated? Is the organization relying on questionnaires that can be answered favorably without verification, or demanding attestation through frameworks like SOC 2 that require independent validation?
“Am I working with my vendor management and how are we validating that? Is it just through a questionnaire? Are we demanding attestation like a SOC 2?” Winterfeld asks.
The Cost of Compliance Theater
The distinction Winterfeld draws is critical for enterprise security leaders facing board-level scrutiny and regulatory pressure. Compliance frameworks like OWASP Top Ten are essential—but only if they’re used as diagnostic tools, not checkbox exercises.
When security teams treat frameworks as static lists to “complete,” they miss the dynamic intelligence these tools provide. Recurring vulnerabilities aren’t failures of the checklist—they’re signals of deeper organizational issues that won’t be solved by better scanning tools alone.
For CISOs and security leaders, Winterfeld’s approach offers a blueprint: Use vulnerability data to identify training gaps, evaluate tooling effectiveness, and demand real validation from vendors. Treat security as a maturity journey, not a compliance destination.