Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable’s chief security officer Robert Huber looks at how exposure management can help you move beyond silos. You can read the entire Exposure Management Academy series here.
The way we use technology — in IT, cloud security, operational technology (OT), internet of things (IoT), AI and countless applications — has led to a corresponding array of specialized security tools. Think about all the tools you use: vulnerability assessment, identity security, endpoint detection and response (EDR), data loss prevention (DLP), cloud native application protection platforms (CNAPP), mail protection, cloud access security broker (CASB), mobile device management (MDM) and privileged access management (PAM).
That’s a lot of tools — and a lot of silos. But it doesn’t end there. Each of those tools has a subset of capabilities that can result in even more silos across your security program. Of course, all of this reflects the issues we face and the way our organizations are structured. But, sadly, attackers don’t care about our org charts or toolsets. And thank goodness they haven’t figured out how to use pivot tables yet!
They just look for weaknesses, exploit them and move laterally across domains to achieve their goals. In fact, those silos we’ve built can inadvertently help them by hindering communication and context between teams, making it difficult to see our true exposures — or the risks that pose a real threat.
As a security leader myself, I know this pain firsthand.
Buried in fragmented data
Before adopting a more unified approach, I constantly felt like I was buried in fragmented data from countless tools and teams.
Much of my day was lost to context-switching, trying to manually piece together a coherent picture from disconnected silos. This makes communicating clear priorities incredibly difficult.
You often can’t compare apples-to-apples, leading to subjective decisions about which risk truly matters most. It’s an exhausting, inefficient cycle that makes it hard to confidently answer a key question: “What should we focus on right now?” It also makes it tough to report accurately on our risk posture.
This struggle highlights why distinguishing significant exposures from the background noise of all possible weaknesses is so critical for effective risk management. If you want to reduce your risk, you need to identify the problems that truly matter most to your organization. Key questions to ask yourself as you evaluate your organization’s exposures include:
- Is it preventable? Most breaches start with something that could have been fixed, such as a misconfiguration, a known vulnerability or unnecessary privileges.
- Is it exploitable? An attacker needs a way to actually use the weakness. This could be via publicly known exploit code, weak passwords or a compromised identity, including one where multi-factor authentication (MFA) has been bypassed.
- Is it impactful? A weakness that results in lost revenue, data theft or operational downtime could significantly harm the organization’s mission. Linking technical risk to potential business impact is key.
What’s holding security leaders back?
Too often, we approach security in fragments, unlike attackers who look for any viable path. This leaves us struggling to be strategic. Some of the common roadblocks include:
- Lack of a unified view: Different tools focus on specific domains or risk types, so no single platform provides a complete view of the attack surface.
- Inconsistent risk scoring: Each tool uses its own metrics, which makes it hard to compare relative risk across the environment or understand the cumulative risk associated with critical assets.
- Missing technical context: If you don’t connect the dots between assets, identities and their associated risks, it’s impossible to understand the likely attack paths available to adversaries.
- Missing business context: Security data often lacks information about which assets support critical business functions, hindering the ability to prioritize based on potential business impact.
Proactive prevention just makes sense
Historically, a significant portion of our security investments focused on detecting and responding to attacks already in progress. This makes sense because it’s where breaches cause obvious damage.
But regulations and best practices are changing. Rules from the U.S. Securities and Exchange Commission (SEC) (requiring reporting of material impact within four days for public companies) and the Cybersecurity and Infrastructure Security Agency (CISA) (requiring reporting of “substantial cyber incidents” within three days for critical infrastructure) mandate much faster transparency and accountability. The timeframe for understanding and disclosing significant incidents is shrinking dramatically.
This pressure, combined with the high cost of breaches, increases the strategic importance of finding and fixing significant exposures before they lead to reportable incidents and material impact. Investing proactively in understanding and reducing exposure is often far less costly and disruptive than managing the fallout of a major breach. The result is reduced risk and a higher security ROI.
Optimizing prioritization and preventing breaches
Understanding how breaches happen and the limitations of siloed security points to the need for a more integrated, exposure-focused strategy. This isn’t about abandoning detection and response capabilities. On the contrary, it’s about augmenting those capabilities by strengthening preventative security to better understand and prioritize risks before they cause harm.
Solving this requires a structured approach. As my colleague Nathan Dyer wrote in Five Steps to Move to Exposure Management, the core principles involve:
- Gaining comprehensive visibility across the entire attack surface, including assets and identities
- Identifying all forms of preventable risk, such as vulnerabilities, misconfigurations and privilege issues with consistent, contextualized scoring
- Aligning technical risk with business context to understand potential impact, and prioritizing remediation of the exposures and attack paths, including key choke points, that pose the greatest threat to critical functions
- Continuously measuring and communicating exposure to optimize security investments and report effectively to stakeholders, including the board
Exposure management platforms support this lifecycle, providing capabilities to aggregate disparate data, calculate risk scores (like asset exposure scores, vulnerability priority rating, asset criticality rating) that incorporate exploitability and criticality, map assets to business functions, visualize attack paths, identify choke points for efficient remediation, and provide dashboards for tracking and reporting exposure trends against internal goals or industry benchmarks.
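As an added illustration (example code, not Tenable's code or scoring model), the script below takes constructed findings from three siloed tools that each use a different severity scale, normalizes them, and applies the three questions above (preventable, exploitable, impactful) together with a constructed asset-criticality map to produce one comparable ranking; the tool names, assets, scales and weights are all assumptions.

```python
"""Unify findings from siloed tools into one contextual exposure ranking.

Added example (not Tenable's code). Tool names, severity scales, assets
and the business-criticality map are constructed for illustration only.
"""
from typing import Dict, List, Tuple

# Tool A reports 0..10, tool B reports words, tool C reports 0..100.
SEVERITY_LABELS = {"low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}

# Constructed business context: how much the asset matters (0..1).
CRITICALITY = {"erp-db-01": 1.0, "payments-api": 0.9, "hr-portal": 0.6, "dev-wiki-01": 0.2}

# Constructed findings, one per silo; "scale" is the tool's own maximum.
FINDINGS: List[Dict] = [
    {"tool": "vuln_scanner", "asset": "dev-wiki-01", "issue": "unpatched CMS plugin",
     "severity": 9.8, "scale": 10.0, "exploit_known": True},
    {"tool": "identity_tool", "asset": "erp-db-01", "issue": "standing admin rights, no MFA",
     "severity": "high", "exploit_known": True},
    {"tool": "cloud_config", "asset": "payments-api", "issue": "bucket publicly readable",
     "severity": 70, "scale": 100.0, "exploit_known": True},
    {"tool": "vuln_scanner", "asset": "erp-db-01", "issue": "vendor advisory, no patch yet",
     "severity": 9.1, "scale": 10.0, "exploit_known": True, "fix_available": False},
    {"tool": "vuln_scanner", "asset": "hr-portal", "issue": "medium bug, no public exploit",
     "severity": 6.5, "scale": 10.0, "exploit_known": False},
]

def normalize_severity(finding: Dict) -> float:
    """Map a tool-specific severity onto a common 0..1 scale."""
    sev = finding["severity"]
    if isinstance(sev, str):
        return SEVERITY_LABELS[sev.lower()]
    return min(max(sev / finding["scale"], 0.0), 1.0)

def exposure_score(finding: Dict, criticality: Dict[str, float]) -> float:
    """Preventable? Exploitable? Impactful? Combine into one comparable number."""
    if not finding.get("fix_available", True):
        return 0.0  # nothing to remediate yet: track it, don't rank it
    exploitability = 1.0 if finding.get("exploit_known") else 0.4  # assumed weights
    impact = criticality.get(finding["asset"], 0.2)  # unknown asset: assume low impact
    return round(normalize_severity(finding) * exploitability * impact, 3)

def prioritize(findings: List[Dict], criticality: Dict[str, float]) -> List[Tuple]:
    """Return (score, tool, asset, issue) tuples, highest contextual exposure first."""
    scored = [(exposure_score(f, criticality), f) for f in findings]
    scored.sort(key=lambda t: t[0], reverse=True)
    return [(s, f["tool"], f["asset"], f["issue"]) for s, f in scored if s > 0]

def top_by_raw_severity(findings: List[Dict]) -> str:
    """What a single silo would put first: the asset with the highest raw severity."""
    return max(findings, key=normalize_severity)["asset"]

if __name__ == "__main__":
    print("raw severity says fix first:", top_by_raw_severity(FINDINGS))
    for row in prioritize(FINDINGS, CRITICALITY):
        print(row)
```

Raw severity alone would send the team to the low-value wiki first; with exploitability and business context folded in, the identity issue on the ERP database rises to the top and the unpatchable finding is parked rather than ranked.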
Ultimately, by breaking down data silos and adopting an exposure management mindset, security leaders can gain a more holistic view of their attack surface and true business risk. This enables better resource allocation, more defensible prioritization, clearer communication about security posture and, ultimately, a more effective preventative security program aligned with organizational objectives.
Takeaways
Here’s my advice to security leaders fighting silos and looking to move to exposure management.
- Think like an attacker: Adversaries exploit seams between siloed views. Security strategy must strive for a unified understanding of the attack surface.
- Focus on material exposure: Prioritize risks that are preventable, exploitable and demonstrably impactful to critical business functions, not just technically severe in isolation.
- Drive strategic outcomes: Implementing an exposure management approach enables more effective resource allocation, clearer communication of risk posture to stakeholders (including the board) and ultimately, a more defensible and efficient security program.
Have a question about exposure management you’d like us to tackle?
We’re all ears. Share your question and maybe we’ll feature it in a future post.