ICYMI: Exposure Management Academy on Attack Surface Management, Proactive Security and More

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we look back on the guidance and best practices shared in the past several months. You can read the entire Exposure Management Academy series here.
Let’s look back at key takeaways from the Exposure Management Academy over the past several months, including ones that address:
- Attack surface management and visibility
- The shift in mindset required to move to proactive exposure management
- Exposure context and prioritization based on business impact
- Fostering a culture of shared responsibility for managing and remediating exposures
Attack surface visibility and management
Consider this question that you’re bound to get several times a week (if not daily): Where are we exposed? To provide an answer, you need a complete understanding of your organization’s attack surface, including all possible entry points that a threat actor could use to launch an attack.
As Aaron Roy wrote in Understanding Your Attack Surface: The Key to Effective Exposure Management, every application, server, cloud instance and employee laptop connected to the internet is a part of that surface. But unlike physical inventory, the digital attack surface is not static. It’s an amorphous and constantly expanding environment that has undergone significant changes in the wake of the move to remote work and the proliferation of connected devices. Plus, every new technology (think cloud, AI and more) forces even more change.
To deal with this, modern security teams have had to quickly adapt. Running periodic vulnerability scans isn’t enough these days.
So, what can you do in the face of this change?
Modern security teams need to take a more holistic approach with a continuous discovery process that maps the entire landscape. That means finding assets you didn’t even know you had, including the ever-popular forgotten servers and shadow IT that can become gaping holes in your defenses.
By meticulously identifying and mapping the entire attack surface, cybersecurity teams lay the critical foundation for a strong security program, transforming unknown risks into a manageable and defensible scope. Without this clarity, teams are left chasing shadows, which is a primary driver of the stress and burnout so common in security teams.
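The practical check behind “finding assets you didn’t know you had” is reconciling what discovery turns up against what the inventory says you own. The following script is an added example, not code from Tenable or the Academy series: the inventory and discovery records are constructed, and the record shape (hostname, ip, owner, source) is an assumption. It normalizes hostnames before matching, flags discovered assets that match neither a known hostname nor a known IP, and also reports inventory entries discovery never saw, which are often decommissioned or misrecorded.

```python
"""Reconcile continuously discovered assets against the asset inventory.

Added example; the records below are constructed and the field names are assumptions.
"""


def normalize_host(hostname):
    """Lower-case a hostname and strip the trailing dot DNS tools often emit."""
    if not hostname:
        return None
    return hostname.strip().rstrip(".").lower()


def reconcile(inventory, discovered):
    """Return discovered assets missing from inventory and inventory assets never discovered.

    A discovered record is 'known' if its normalized hostname or its IP is in inventory;
    matching on IP as well catches renamed hosts that still sit on a recorded address.
    """
    known_hosts = {normalize_host(r["hostname"]) for r in inventory} - {None}
    known_ips = {r["ip"] for r in inventory}

    unknown, seen_hosts, seen_ips = [], set(), set()
    for rec in discovered:
        host = normalize_host(rec["hostname"])
        seen_hosts.add(host)
        seen_ips.add(rec["ip"])
        if host in known_hosts or rec["ip"] in known_ips:
            continue
        unknown.append({"hostname": host, "ip": rec["ip"], "source": rec["source"]})

    # Inventory entries that discovery did not see at all: stale records or unreachable hosts.
    unseen = [
        r for r in inventory
        if normalize_host(r["hostname"]) not in seen_hosts and r["ip"] not in seen_ips
    ]
    return {"unknown": unknown, "unseen": unseen}


# Constructed sample: what the CMDB claims the organization owns.
INVENTORY = [
    {"hostname": "www.example.com", "ip": "203.0.113.10", "owner": "web-team"},
    {"hostname": "api.example.com", "ip": "203.0.113.11", "owner": "platform"},
    {"hostname": "vpn.example.com", "ip": "203.0.113.12", "owner": "netops"},
]

# Constructed sample: what external discovery returned (DNS, certificate transparency, IP sweep).
DISCOVERED = [
    {"hostname": "WWW.example.com.", "ip": "203.0.113.10", "source": "dns"},
    {"hostname": "api.example.com", "ip": "203.0.113.11", "source": "dns"},
    {"hostname": "old-jenkins.example.com", "ip": "203.0.113.40", "source": "ct-log"},
    {"hostname": None, "ip": "203.0.113.41", "source": "ip-sweep"},
]

if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    for asset in result["unknown"]:
        print("UNKNOWN  ", asset["ip"], asset["hostname"] or "(no name)", "via", asset["source"])
    for asset in result["unseen"]:
        print("UNSEEN   ", asset["ip"], asset["hostname"], "owner", asset["owner"])
```

On the constructed data the forgotten build server and the unnamed host at 203.0.113.41 surface as unknown, while the VPN concentrator shows up as unseen, which is a prompt to verify whether it still exists or whether discovery coverage has a gap. Running this on every discovery cycle, rather than once, is what turns a scan into a continuous process.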
The strategic shift to proactive exposure management
With a clear picture of the attack surface, it’s time to figure out where to focus your defensive efforts. Contributors to the Exposure Management Academy have been clear: there’s been a fundamental shift in mindset from reactive vulnerability patching to proactive exposure management.
For too long, security teams were caught in a cycle of chasing every vulnerability, regardless of severity, which is exhausting and inefficient. Exposure management breaks this cycle with a simple but powerful principle: prioritization over volume.
Robert Huber, Tenable CSO, has written about not trying to fix everything, notably in Turn to Exposure Management to Prioritize Risks Based on Business Impact. As Huber wrote, “Maybe it’s human nature. If there’s a problem — no matter how big or small — some of us are just wired to want to fix it right away and get it off our punch list.” He added: “So treating each one as number-one priority is a surefire shortcut to burnout and inefficiency.”
Reinforcing that point, Patricia Grant wrote in Exposure Management Works When the CIO and CSO Are in Sync that, “The goal isn’t to fix everything. It’s to fix what matters most. Chasing thousands of vulnerabilities without context wastes time and energy. Exposure management helps us shift the conversation from volume to impact.”
That conversation shift lets you stop chasing your tail and start answering two questions: Is this weakness actually exploitable by an attacker? Is the asset it affects critical to our operations or revenue?
Exposure context and prioritization based on business impact
With exposures linked to real-world business impact, teams can prioritize their work with strategic precision. Instead of producing a report with thousands of low-level vulnerabilities (and a few critical ones buried in the noise), security groups can now confidently highlight the exposures that pose a real, material threat to the organization.
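To make “volume to impact” concrete, the following script ranks findings by a simple exposure score instead of raw severity. It is an added example, not Tenable’s or any contributor’s scoring model: the three factors (exploitability, reachability, business criticality), their weights and the sample findings are constructed assumptions chosen to show the point. The interesting result is that a CVSS 9.8 on an isolated sandbox drops to the bottom while a CVSS 7.5 that is internet-facing, known to be exploited and on a revenue-critical asset goes to the top.

```python
"""Rank findings by exposure (exploitability x reachability x business impact), not CVSS alone.

Added example; the weights and findings below are constructed assumptions.
"""


def exposure_score(finding):
    """Score 0..100 combining how exploitable, how reachable and how important a finding is."""
    # Exploitability: CVSS base score sets a ceiling; confirmed exploitation in the wild
    # is what actually moves it, so a known-exploited flaw is never scored below 0.9.
    exploitability = finding["cvss"] / 10.0
    if finding["known_exploited"]:
        exploitability = max(exploitability, 0.9)

    # Reachability: an internet-facing asset is reachable by any attacker; an internal-only
    # asset first requires a foothold, so it is discounted (0.4 is an assumed weight).
    reachability = 1.0 if finding["internet_facing"] else 0.4

    # Business impact: criticality on a 1..5 scale, as an asset owner would assign it.
    impact = finding["business_criticality"] / 5.0

    return round(exploitability * reachability * impact * 100, 1)


def prioritize(findings):
    """Return findings ordered from most to least exposed."""
    return sorted(findings, key=exposure_score, reverse=True)


def by_cvss(findings):
    """The traditional ordering, kept only for comparison."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


# Constructed sample findings; asset names and attributes are illustrative.
FINDINGS = [
    {"id": "F-1", "asset": "dev-sandbox-07", "cvss": 9.8, "internet_facing": False,
     "known_exploited": False, "business_criticality": 1},
    {"id": "F-2", "asset": "payments-api", "cvss": 7.5, "internet_facing": True,
     "known_exploited": True, "business_criticality": 5},
    {"id": "F-3", "asset": "hr-portal", "cvss": 8.1, "internet_facing": True,
     "known_exploited": False, "business_criticality": 3},
    {"id": "F-4", "asset": "build-server", "cvss": 5.3, "internet_facing": False,
     "known_exploited": True, "business_criticality": 4},
]

if __name__ == "__main__":
    print("By CVSS:    ", [f["id"] for f in by_cvss(FINDINGS)])
    print("By exposure:", [(f["id"], exposure_score(f)) for f in prioritize(FINDINGS)])
```

The exact weights matter less than the shape: each factor can only reduce the score, so a finding has to be exploitable, reachable and on something that matters before it reaches the top of the list. Replace the constructed attributes with real inputs (a known-exploited feed, external attack surface data and asset criticality from the business) and the same ordering logic answers the two questions above for every finding.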
By breaking down the silos that have long plagued security, exposure management provides a unified view of all that security data. As Jorge Orchilles, Senior Director of Readiness and Proactive Security at Verizon, wrote in Exposure Management Is the Future of Proactive Security, this integrated approach enables smarter decisions and a more defensible security posture. It also changes the conversations at the executive level.
Added Orchilles: “Instead of delivering long lists of vulnerabilities that mean little to non-technical leaders, we can present a clear picture in a few key points:
- What’s at risk?
- How could an attacker get in?
- What are the most urgent priorities to fix?
And when a major vulnerability hits, we don’t have to scramble to figure out if we are affected. We have the data at our fingertips.” That state of readiness, which replaces panic with process, is the ultimate antidote to reactionary stress.
Fostering a culture of shared responsibility for exposure management
A truly effective security program certainly uses technology, but it’s built on a foundation of people and partnership. As a cybersecurity professional, you probably understand that better than anyone. And, if you’re a leader, you are probably increasingly focused on building a durable culture of security throughout your organization, with a critical theme: security is a shared responsibility.
More than ever, leaders and practitioners alike have to focus on education, empowerment and collaboration.
As Patricia Grant wrote, “At Tenable, we’ve taken a firm stance: when a zero-day emerges, patch your device within 24 hours or it’ll be automatically locked.”
Then she added: “But security doesn’t stop at the office door. No matter where employees are, they’re part of the defense. That’s why we focus on education — not to slow people down, but to empower them to keep the business safe.”
Grant is breaking down the walls between IT, security and business units. She’s fostering the teamwork the company needs to be resilient. This requires some soft skills, an often-overlooked part of the job. That means showing colleagues how security makes their jobs easier, not harder.
As Jorge Orchilles wrote, “Security teams accustomed to working in silos must now share data and decision-making, which can be a tough adjustment. I found that the key to overcoming this is transparency and partnership. In fact, reading a bit of Dale Carnegie regularly can be just as important as a daily dose of Brian Krebs.”
By bringing everyone into the process, security teams ensure that security isn’t something done to the organization. Instead, it can become what it should be: a shared mission, shaped and supported by everyone in the organization.
What do you think?
You’ve heard from us. We’d love to hear from you:
- What are your thoughts on exposure management?
- How do you answer the “Where are we exposed?” question?
- How do you drive accountability for remediating exposures?
Share your feedback. We’ll keep it anonymous.