While various aspects of cloud security continue to coalesce around application protection tools and solutions, we must not lose sight of the basics—detecting vulnerabilities without business context is not enough. Organizations need to know which vulnerabilities have the greatest potential impact on business in order to prioritize and expedite remediation.Rising adoption of cloud-native development offers speed and agility, but it exponentially raises complexity as the architectural shift has dramatically changed the way applications themselves are secured.We are hearing a lot about the collision of cloud-security capabilities like Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP), which has resulted in a new genre of application-security platforms and tools born in the cloud. These Cloud Native Application Protection Platforms (CNAPPs) help ensure that development velocity keeps pace with securing the growing attack surface.Aiming to achieve a real-time view of security risk across cloud workloads and infrastructure, these platforms are meant to offer a more complete security-posture assessment that helps unify efforts across development and security teams. For example, these solutions aim to help teams prioritize and focus on the most important cloud-security issues, rather than chasing low-priority fixes to merely reduce the overall number of vulnerabilities, allowing for more efficient and more impactful remediation.However, business risk is an essential component of the security-risk equation, which has not been adequately addressed. While security vendors are expanding their approach to comprehensive cloud security—services, endpoints, applications, and even cloud connection points—modeling business risk is more than simply understanding the risk profile of vulnerabilities as it relates to an organization’s IT footprint.As developers move even faster to release new code into production, each release has the potential to affect the security of the entire application environment. Looking at just a single aspect of this, Gartner forecasts that fewer than half of enterprise APIs—already a prime target for hackers—will be managed by 2024.Should application assets become compromised, the downstream impacts on business cannot be understated. This is not to suggest that business expediency should take precedence over foundational security, or that business risk should be considered ad hoc to tame an already diverse, hyper-networked attack surface.While security-risk tools from cloud providers may seem like an interesting approach, they are typically incompatible with multi-cloud strategies, fall short of offering business risk assessment, and fail to provide a single-pane-of-truth view across all environments.Moreover, while shifting left may address security earlier in the development pipeline and increase the chances of catching issues before they cause problems, addressing business risk demands that we also shift right—monitoring user behavior, application performance, and network metrics to protect application landscapes in runtime.In this code-to-cloud context, business risk assessment demands a comprehensive, integrated approach to the identification and prioritization of vulnerabilities. Prevention across the code, build, and deployment phases before production are as essential as understanding potential runtime attack paths as they emerge.It requires new approaches to cloud-native application observability that combine rich telemetry data, dependencies mapping, and network insights to more easily—and accurately—identify, triage, and remediate critical attack paths regardless of provenance.Development, operations, and security teams contend with an intensifying threat landscape, unyielding tool sprawl, and a more complex application stack. Add that to resource constraints, expanding compliance mandates, and competitive pressures to create always-on, secure, and exceptional user experiences in every instance.The stakes are high.The ability to identify, understand, and act on business risk is essential to cloud-first strategies. It has the potential to revolutionize security by closing the gaps between siloed views of line-of-business, production, workload, open-source components, and infrastructure risk so organizations can gain a strategic advantage in the experience economy.Learn more about how you can deliver always-on, secure, and exceptional digital experiences: Cisco Full-Stack ObservabilityAbout the AuthorAs Chief Strategy Officer and GM of Applications at Cisco, Liz Centoni partners with the executive leadership team to drive the company’s overall strategic direction. She leads a team that incubates emerging solutions to create new markets and businesses and is responsible for Cisco’s portfolio of observability solutions that power application experiences which are drivers of business in today’s cloud-first world.