All articles

Solving Alert Fatigue Requires Shared Ownership, Defined Language, And Risk-Based Prioritization

The Security Digest - News Team
Published
July 13, 2026

Aditya Bhise, Senior Manager of Information Security at Avaya, walks through why solving alert overload starts with governance, shared ownership, and organization-specific interpretation.

Credit: The Security Digest

Make The Security Digest one of your go-to sources on Google

Add The Security Digest on Google

The cybersecurity industry doesn’t have a shortage of security tools or data. It mostly has a shortage of context and operational capacity.

Aditya Bhise

Senior Manager of Information Security

Aditya Bhise

Senior Manager of Information Security
Avaya

Security teams are drowning in alerts, and the industry's default response has been to buy more tools to sort through them. Rising AI threats and shortened cyber fix windows have accelerated the spending, but the alert fatigue problem hasn't resolved. The gap between the number of alerts a SOC receives and the number a SOC can meaningfully action traces back to interpretation, not technology. Teams cannot determine which alerts represent actual risk without knowing the specifics of their own environment.

Aditya Bhise, Senior Manager of Information Security at Avaya, brings over 12 years of enterprise cybersecurity experience to the disconnect between raw security data and the intelligence security teams can actually act on. Managing enterprise alert volumes requires moving away from generic technical severity as the primary prioritization framework, and toward organization-level risk framing: the specific assets, exposure, financial impact, and business priorities of the organization receiving each alert.

"The cybersecurity industry doesn't have a shortage of security tools or data. It mostly has a shortage of context and the operational capacity," says Bhise. Much of the alert volume comes from disconnected tools each watching a different slice of the environment. Cloud posture tools, internal monitoring platforms, and external perimeter scanners fire alerts independently, and the same underlying issue frequently gets flagged multiple times. As executives plan new uses for AI to filter that noise, Bhise sees automation working best as a first-pass contextual layer bounded by strict, organization-specific parameters.

Defining the shared risk language

Every business unit handling company data carries responsibility for reducing risk. What often derails those conversations is that leadership, business, and technical teams interpret the same risk report differently. A shared enterprise-wide standard for how reports get read and escalated is where alert triage starts to align with broader SOC strategy and risk assessment. "The language of the reading needs to be defined," Bhise advises. "Once that language is defined, then I feel that there wouldn't be any lack of information or missed information, or any false negatives or false positives within all the different hierarchies, and everyone reads out the same set of information in the same way."

The prioritization problem sitting underneath the language problem is that generic scoring systems fail to capture the specifics that determine whether a given alert actually represents risk. CVSS metrics weren't designed to account for the internal mitigating controls, virtual patching, or environmental factors that materially change exploitability inside a given organization. A Heartbleed vulnerability detected inside an internet-facing production environment reads very differently from the same vulnerability inside an isolated test environment. "In my view, CVSS alone shouldn't be considered as the only factor," says Bhise. "I think vulnerability management overall should be risk based and CVSS alone isn't enough to go in and do the remediation or the prioritization because some organizations may be doing virtual patching."

The risk-based prioritization mandate

The AI vulnerability discovery and triage bottleneck is ultimately a cultural problem. Even the most sophisticated detection stack loses effectiveness quickly when only the security team feels responsible for the outcomes it produces. Bhise views shared accountability across finance, legal, sales, marketing, and IT as the operational condition for making security a true organizational function that everyone contributes to. "Every single person who handles organization data indirectly or directly is responsible for security because a user's negligence could result in huge consequences," he notes.

The stakes on that cultural point are higher than the language often suggests. A single exposure can neutralize the technical investment sitting behind it, which is why security awareness is now treated as a leadership-level operating requirement across mature SecOps automation programs. "One single exploit or one single accidental click could lead to quite intense repercussions," says Bhise. "If that happens, then no matter how many security tools are deployed, that really wouldn't matter because that backdoor has already been opened by someone clicking something that they shouldn't have clicked in the first place."

The practical mandate for security leaders is to reduce the risks that would meaningfully damage the organization. Eliminating every risk in a threat landscape adding new exposures continuously isn't a realistic goal, but the alert fatigue problem starts to resolve when leadership accepts risk-based prioritization as the operating standard. "There will always be new risks arising every day, every minute, every second as we speak. It's about reducing the risk that matters the most to every organization," Bhise concludes. "If that can be attained, then there will be quite a lot of noise that can be suppressed, allowing us to focus on things that actually matter the most."

The views and opinions expressed are those of Aditya Bhise and do not represent the official policy or position of any organization.