How Top CISOs Approach Exposure Management in the Context of Managing Cyber Risk

Wondering what your peers think of exposure management? New reports from the Exposure Management Leadership Council, a CISO working group sponsored by Tenable, offer insights.
Key takeaways
- The CISOs who make up the Exposure Management Leadership Council see exposure management as a strategic and game-changing approach to unified proactive security.
- They believe exposure management can help them address a wide variety of challenges, from reporting to the board on cyber risk to AI security, controls monitoring, and driving accountability for vulnerability and exposure remediation.
- To learn how exposure management can address these challenges, check out the inaugural report from the Exposure Management Leadership Council.
If you’re a CISO and you’re like me, you routinely seek your peers’ perspectives on emerging trends and daily challenges. From securing AI to communicating with the board about cyber risk, it’s crucial to know what’s working and what’s not.
With exposure management gaining significant market momentum, you may be wondering if your peers believe there’s any real substance to it.
The answer is a resounding yes. For proof, check out the perspectives of top security leaders who make up the Exposure Management Leadership Council, a working group dedicated to developing and advancing principles and best practices for exposure management.
The Exposure Management Leadership Council functions as a confidential, vendor-neutral forum where senior leaders can share candid insights and practical strategies for managing enterprise-wide exposure. As the Council’s sponsor, Tenable organizes quarterly meetings (which I facilitate), synthesizes meeting discussions into reports and shares these reports industrywide for the benefit of as many security practitioners as possible.
Because Council meetings operate under the Chatham House Rule to foster trust and openness, we don’t attribute any direct quotes or paraphrased statements to specific Council members.
What are CISOs saying about exposure management?
“Exposure management is extremely important for us. We have a very high threat profile and tend to be targeted heavily by advanced persistent threat groups.”
— Member of the Exposure Management Leadership Council
CISOs see exposure management as a solution to the boardroom communication gap
“Exposure management can shift the cyber conversation in the boardroom and make it more strategic.”
— Member of the Exposure Management Leadership Council
Council members believe exposure management can improve their ability to answer the following cyber-related questions that their boards of directors truly care about:
- How much cyber risk is the organization carrying?
- Does it exceed our appetite?
- What’s the potential business impact of this risk?
- What are the most critical areas to address?
- What’s the cost of inaction, and which risks are we willing to accept?
Exposure management enables CISOs to shift from reporting on siloed security operations metrics to communicating a clear, unified and business-driven view of an organization’s end-to-end cyber exposure. Council members see the potential for exposure management to help them create a standardized, repeatable and defensible process for measuring and reporting on risk — something akin to a cyber version of the accounting industry’s generally accepted accounting principles (GAAP).
To learn how exposure management can elevate board-level discussions of cyber risk, see the Exposure Management Leadership Council report, “Board Meetings and the Dreaded Cyber Risk Update: A Use Case for Exposure Management.”
How do CISOs distinguish between exposure management and vulnerability management?
Prioritizing vulnerabilities and driving accountability for remediation remains a challenge for many CISOs, according to the discussion that took place during the first Council meeting (see the executive summary). They bemoan the inadequacies of relying on CVSS scores alone for prioritization.
While exposure management, by definition, expands the scope of security issues that remediation teams need to address beyond traditional software vulnerabilities, it’s simultaneously designed to unify and enhance risk scoring and prioritization. By taking into account CVSS scores, EPSS data, threat intelligence and business and technical context, exposure management can make it easier for security teams to convince remediation owners to fix the highest-risk exposures — those toxic combinations of vulnerabilities, misconfigurations and excessive permissions that can have significant operational impact when exploited.
“The really juicy part of exposure management is that it provides context.”
— Member of the Exposure Management Leadership Council
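To make the prioritization argument above concrete, here is an added example (not code from the Council, Tenable or any vendor) of a hypothetical scoring scheme that folds the inputs the paragraph names, CVSS, EPSS, threat intelligence and business and technical context, into a single score and flags the vulnerability-plus-exposure-plus-permissions chains the text calls toxic combinations. The weights, the sample findings and the asset names are constructed for illustration; the point is how far the context-aware order diverges from a CVSS-only order on the same data.

```python
"""Context-aware exposure prioritization.

Added example with an assumed weighting scheme, not Tenable's or any
vendor's algorithm. Findings and asset names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    finding_id: str
    asset: str
    cvss: float                  # CVSS base score, 0-10
    epss: float                  # EPSS probability of exploitation, 0-1
    known_exploited: bool        # threat intel: exploited in the wild
    internet_facing: bool        # technical context: reachable from outside
    asset_criticality: int       # business context: 1 (low) to 5 (crown jewel)
    excessive_permissions: bool  # identity context: overprivileged principal


def exposure_score(e: Exposure) -> float:
    """Return a 0-100 score = likelihood x impact (assumed weighting)."""
    # Likelihood: EPSS, floored at 0.9 when threat intel says it is exploited
    likelihood = max(e.epss, 0.9) if e.known_exploited else e.epss
    # Reachability: an internal-only asset needs a foothold first; halve it
    if not e.internet_facing:
        likelihood *= 0.5
    # Impact: CVSS severity weighted by how much the business depends on the asset
    impact = (e.cvss / 10.0) * (e.asset_criticality / 5.0)
    # Excessive permissions turn a single compromise into lateral movement
    if e.excessive_permissions:
        impact *= 1.5
    impact = min(impact, 1.0)
    return round(likelihood * impact * 100.0, 2)


def is_toxic_combination(e: Exposure) -> bool:
    """Flag the exploitable + exposed + overprivileged chain the text describes."""
    exploitable = e.known_exploited or e.epss >= 0.5
    return e.internet_facing and e.excessive_permissions and exploitable


def rank_by_cvss(exposures):
    """CVSS-only ordering, highest base score first."""
    return [e.finding_id for e in sorted(exposures, key=lambda e: e.cvss, reverse=True)]


def rank_by_exposure_score(exposures):
    """Context-aware ordering, highest exposure score first."""
    return [e.finding_id for e in sorted(exposures, key=exposure_score, reverse=True)]


# Constructed sample findings (not real assets or CVEs)
SAMPLE_EXPOSURES = [
    Exposure("F1", "dev-test-vm", 9.8, 0.02, False, False, 1, False),
    Exposure("F2", "customer-portal", 7.5, 0.93, True, True, 5, True),
    Exposure("F3", "marketing-site", 8.8, 0.10, False, True, 3, False),
    Exposure("F4", "payroll-db", 6.5, 0.40, False, False, 5, True),
]

if __name__ == "__main__":
    print("CVSS-only order:    ", rank_by_cvss(SAMPLE_EXPOSURES))
    print("Context-aware order:", rank_by_exposure_score(SAMPLE_EXPOSURES))
    for e in SAMPLE_EXPOSURES:
        flag = " TOXIC" if is_toxic_combination(e) else ""
        print(f"{e.finding_id} {e.asset:16} cvss={e.cvss:4} score={exposure_score(e):6}{flag}")
```

On this constructed data the CVSS-only list puts the 9.8 on an isolated, low-value test VM first, while the context-aware list puts the 7.5 on the internet-facing, overprivileged customer portal first and flags it as the one toxic combination. That reordering is the conversation a remediation owner is more likely to accept, because every factor that moved the ranking can be named.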
What other use cases for exposure management are CISOs considering?
Council members see AI security and controls monitoring as additional use cases for exposure management. They regard AI as both a new attack surface their security teams need to monitor and a powerful threat vector. They’re concerned about data leaks and threat actors leveraging AI to execute more stealthy and pernicious attacks. Consequently, they recognize the need for exposure management programs to address the rapidly expanding AI attack surface.
Similarly, they see exposure management as a potential solution to yet another challenge: monitoring the effectiveness of their security controls. What makes controls monitoring so difficult, they say, is inadequate attack surface management and visibility:
“What good is saying that you’re 95% compliant with your internal cybersecurity controls if that 95% is based on just 10% of known assets?”
— Member of the Exposure Management Leadership Council
More to come from the Exposure Management Leadership Council
The Exposure Management Leadership Council will continue to meet quarterly and work toward its long-term goal of establishing principles, best practices, policies and frameworks for exposure management. Stay tuned for future reports and updates as we work together to advance exposure management into a strategic discipline.