Wesco is best known as a leading supply chain partner that provides electrical and communication systems and safety equipment to utilities, manufacturers, hospitals, and construction firms.
But behind the scenes, the company faces the same challenge that all organizations grapple with: how to manage thousands of security alerts. For Wesco, the question was clear: How do you separate what’s urgent from what can wait?
That question inspired Wesco’s “Prioritized Risk Management Initiative,” a project designed to cut through alert clutter. By pulling risk data from different platforms into a single framework, the company gave its teams a clearer view of security vulnerabilities and the ability to focus on the most urgent threats.
Four cornerstones of Wesco’s risk management strategy
Wesco’s new approach rested on four main strategies, each designed to make risk management more actionable for the teams responsible for it.
Proactive defense: Real-time threat intelligence feeds allow Wesco to spot and neutralize vulnerabilities before they escalate.
Improved awareness: Developers and security teams have clearer visibility into zero-day threats and can act faster.
Application security posture enhancement: A “security champions program” ensures accountability doesn’t sit only with the security team but across development and executive teams, too.
AI-driven risk mitigation: Artificial intelligence helps developers resolve vulnerabilities faster by automating manual tasks such as troubleshooting alerts and sifting through vulnerability scans.
The backbone of the project is integration. Wesco connected more than a dozen platforms—including GitHub, Azure DevOps, Veracode, JFrog, Kubernetes, Microsoft Defender, and CrowdStrike—into a single view.
“Security teams were inundated with alerts and had no holistic view of security risks,” says John Sander, Wesco’s vice president and chief information security officer.
“We’ve consolidated all that data, and we now use application security posture management [ASPM], threat modeling, and risk scoring to streamline risk visibility and adapt to evolving threats.”
The challenges of turning chaos into clarity
No risk management strategy unfolds easily, and Wesco’s initiative faced obstacles.
The first challenge was sheer volume. Thousands of alerts streamed in from various platforms, with no way to separate real threats from noise. On top of that, the fragmented data created gaps in visibility. Each platform provided only part of the picture, making it difficult to understand the true risk landscape.
The overlap didn’t help, either. The same vulnerability might appear in more than one tool, which meant teams wasted valuable time addressing it more than once. And without clear accountability, developers and business units weren’t always sure who was responsible for remediation.
Sander recalls one especially frustrating example: “The same third-party vulnerability might show up in both Veracode and GitHub, and different teams would try to fix it in inconsistent ways.”
A key breakthrough came when the team began using the following programs and technologies to evaluate threats.
Security champions program: Assigns security ownership within development teams
ASPM and threat modeling: Provides automated risk scoring and centralized insights
AI-powered security automation: Automates vulnerability resolution using AI-assisted tools
Operational risk reporting: Ensures end-to-end visibility from developers to executives
“With these tools, we were able to ask: Is there a known exploit? Are there mitigating controls in place? And what’s the actual business impact?” says Sander.
Results that move the risk management needle
By combining automation, AI, and accountability, the team has sped up vulnerability detection and remediation while easing the strain on developers and security staff.
The results of Wesco’s risk management initiative have been impressive, says Sander, and the numbers help tell the story.
Some of the standout improvements include:
9,000 development hours saved each year thanks to automation that handles much of the manual troubleshooting work.
30% drop in application risk scores across critical systems, giving the company a stronger security posture.
50% fewer new vulnerabilities, helping cut down long-term security debt.
Faster resolution times, with AI assisting developers to pinpoint root causes and suggest fixes quickly.
Higher external ratings, including improved BitSight scores, which reinforce customer trust.
Perhaps even more important than the numbers has been a shift in culture that blends security and software development. Through Wesco’s security champions program, developers no longer wait for the security team to hand down fixes; they’re fixing vulnerabilities themselves early in the development lifecycle.
“For instance, when Veracode flagged a critical container vulnerability, the security champion on that team used AI tools to identify the root cause and apply a fix within hours without relying on the central AppSec team,” says Sander.
“This cultural shift has shortened response cycles and increased collaboration across the org.”
For its risk management project, Wesco earned a 2025 CSO Award. The award honors security projects that demonstrate outstanding thought leadership and business value.
Keys to smarter risk management: visibility and ownership
When asked what advice he’d give other security leaders about managing risk, Sander is straightforward: Bring the data together and make security part of everyone’s job.
“When you consolidate data from all security tools into a centralized platform, you eliminate duplication, streamline triage, and get a true picture of risk,” he says.
Equally important, Sander adds, is moving security out of its silo and embedding it into daily work across departments. That’s where culture comes into play.
“Security champions programs like ours create distributed accountability,” he says. “Developers will see security as part of their role if they have tools that assist rather than obstruct.”
Wesco’s award-winning initiative proves that managing risk doesn’t have to be overwhelming. With data consolidation, automation, and a culture that shares responsibility, the company turned a flood of security alerts into clear, actionable priorities.
Wesco turned overwhelming security alerts into clear, actionable priorities—and you can learn how leaders everywhere are reimagining risk management. Join the CSO Conference & Awards to explore award-winning strategies like Wesco’s that save time, reduce risk, and strengthen culture. Register now.
No Responses