The CVE your team missed because nobody owns the asset list

via Dev.to DevOps, by Mads Hansen

There's a pattern in post-mortems that nobody talks about.

A CVE drops. Security team checks the advisory. Engineering checks the affected version. Nobody checks whether you're actually running that version — because nobody has a current list.

The asset inventory is 4 months stale. Or it's in a spreadsheet. Or it's in three different spreadsheets that contradict each other.

So the CVE slips through. Not because anyone was negligent. Because the process depends on data that doesn't exist in a queryable form.

The real problem isn't patching speed. It's asset visibility.

Most teams have their device and software data somewhere. It's in their MDM, their deployment logs, their monitoring stack. But it's not accessible — not in a way where you can ask "are we running OpenSSL 3.1.x anywhere?" and get an answer in seconds.

The fix isn't a better spreadsheet. It's treating your IT asset data like a first-class database — something you can query in real time, not export once a quarter.

We built
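The question posed above ("are we running OpenSSL 3.1.x anywhere?") as a query over one merged table, in an added example that is not code from the article or its author. The schema, source names, hosts, dates and the 30-day staleness threshold are all constructed assumptions; the query also flags stale sightings and hosts where sources contradict each other.

```python
import sqlite3
from datetime import date

# Constructed sample observations: (source, host, package, version, last_seen)
SAMPLE = [
    ("mdm",        "web-01", "openssl", "3.1.4",  "2024-05-28"),
    ("deploy_log", "web-01", "openssl", "3.0.13", "2024-01-10"),
    ("monitoring", "db-01",  "openssl", "3.1.2",  "2024-01-15"),
    ("mdm",        "ci-01",  "openssl", "3.2.1",  "2024-05-30"),
    ("deploy_log", "api-01", "openssl", "3.10.0", "2024-05-29"),
    ("mdm",        "api-01", "nginx",   "1.25.3", "2024-05-29"),
]

def build_inventory(rows):
    """Load observations from every source into one queryable table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE observation (
        source TEXT, host TEXT, package TEXT, version TEXT, last_seen TEXT,
        PRIMARY KEY (source, host, package))""")
    conn.executemany("INSERT OR REPLACE INTO observation VALUES (?,?,?,?,?)", rows)
    return conn

def find_exposed(conn, package, series, as_of, max_age_days=30):
    """Hosts where any source reports `package` in release series `series`.

    Returns (host, version, source, last_seen, stale, conflicting) tuples.
    stale: the sighting is older than max_age_days and needs re-verifying.
    conflicting: another source reports a different version for that host.
    """
    sql = """
    SELECT o.host, o.version, o.source, o.last_seen,
           julianday(:as_of) - julianday(o.last_seen) > :max_age AS stale,
           (SELECT COUNT(DISTINCT c.version) FROM observation c
             WHERE c.host = o.host AND c.package = o.package) > 1 AS conflicting
      FROM observation o
     WHERE o.package = :pkg
       AND substr(o.version, 1, length(:prefix)) = :prefix
     ORDER BY o.host, o.source"""
    # Compare against "3.1." (with the trailing dot) so 3.10.0 is not
    # mistaken for a member of the 3.1 series.
    params = {"pkg": package, "prefix": series + ".",
              "as_of": as_of.isoformat(), "max_age": max_age_days}
    return [(h, v, s, seen, bool(st), bool(cf))
            for h, v, s, seen, st, cf in conn.execute(sql, params)]

if __name__ == "__main__":
    for row in find_exposed(build_inventory(SAMPLE), "openssl", "3.1", date(2024, 6, 1)):
        print(row)
```

A stale or conflicting hit is not a confirmed exposure; it marks a host whose actual version has to be checked before the advisory can be closed out.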
