How Tenable Moved From Siloed Security to Exposure Management

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In the first of a two-part blog series, Tenable CSO Robert Huber shares how he and his team have guided the company to unified exposure management. You can read the entire Exposure Management Academy series here.
If you’re in cybersecurity, you’ve probably heard or said these words more than a few times: "I don't need more tools." In quiet moments, I often take a deep breath and repeat them like a mantra.
But tool sprawl underscores a significant challenge our industry created. We've become accustomed to a seemingly endless proliferation of security solutions, each designed to address a specific policy or threat vector. The result hasn't simplified our lives. On the contrary, we're buried in a dizzying array of tools and an overwhelming flood of alerts, all of which has led to a fundamental disconnect between security efforts and business outcomes.
Alarmingly, a typical large enterprise might juggle 70 or more technology vendors, each offering a "solution" to a perceived security need. At Tenable, my team manages around 50 different tools. Although some are our own, the sheer volume underscores the pervasive problem.
Tool sprawl comes home to roost
We've diligently crafted policies for areas like cloud security, network security and vulnerability management. Often, the central assumption is that for us to adhere to these policies, we need yet another tool.
This creates a vicious cycle: New policies lead to new tools, which generate more alerts, without a corresponding increase in the headcount needed to address them.
The consequence is security teams drowning in data.
Whether from endpoint detection and response, cloud-native application protection platforms or vulnerability management, the sheer volume of alerts is unmanageable. As one security leader told me, "I don't want to buy more alerts."
The reality is that organizations don't have the personnel to triage and respond to every notification. This creates an unfortunate bottleneck, with valuable insights lost under a mountain of noise.
Everybody gets a report!
Security teams often find themselves generating endless spreadsheets, pivot tables and dashboards for various stakeholders, such as heads of engineering, CIOs and other organizational leaders. And, like audience members at The Oprah Winfrey Show, nobody goes home empty-handed! "You get a report! You get a report! Everybody gets a report!"
This approach, while well-intentioned, is incredibly inefficient.
Leaders are left with multiple streams of information, without any clear sense of what's most important or what actions they should prioritize. Instead of having a clear remit, they come back asking, "OK — so, what do you want me to work on?"
Moving to business impact
This challenge is not theoretical. It's a lived reality even within my company.
Our vulnerability management team, once singularly focused on vulnerability management, has increasingly become a wrangler of alerts and reports as we've added more tools to their arsenal. And there are no signs of this slowing down.
The emergence of new technological frontiers, such as artificial intelligence, only makes the problem worse. When leadership and the board inquire about securing AI, a couple of questions come up immediately:
- Do we have the people?
- Do we have the controls?
- What risk does the use of AI introduce?
- How do we manage that risk?
The answer is often "no" to the first two questions, which leads to the inevitable acquisition of more tools, more alerts, more data and more things to prioritize.
This endless cycle of tool acquisition and alert fatigue highlights a fundamental flaw in our current approach to cybersecurity. We've focused on generating data, but failed to effectively translate that data into actionable insights for the business.
When discussing cybersecurity with leadership, the conversation shouldn't revolve around the number of assets or findings. Those are operational metrics that generally hold little interest for the C-suite. What they truly want to know is: How does this impact the business? What is the security posture of a revenue-generating or service-providing entity?
Effective security and communication require context
Our job as security professionals is to communicate risk to the board. But silos make connecting the metrics to the business a challenge. We need to translate the myriad assets, events and alerts into a business context but there has been no simple way to do that.
To bridge this gap, at Tenable, we conduct an annual "Cyber Screen" survey, engaging 5% of the company to identify the most critical business functions, assets and services. This user-centric approach helps us understand what's truly essential to the business, including what needs to be operational 24/7 and what processes cannot fail.
We combine this with business impact assessments, audits and enterprise-wide events to place our most important functions in buckets. This forms the basis of our internal "scorecard" for the board.
We designed this scorecard for simplicity, with well-understood Red, Yellow and Green areas.
Simply put, Red signifies a critical risk, Yellow are things that need attention and Green indicates a good security posture.
This simple, intuitive framework enables leaders to quickly grasp the actual exposure and business impact of each function, regardless of whether that function generates revenue.
This business-centric view is paramount. And, although operational metrics are still valuable for justifying headcount and budget internally, the overarching goal is to provide business leaders and board members with a clear, concise understanding of the enterprise's security impact. They want to know: Is it Red, Yellow or Green? And naturally, their focus will be on the red items.
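The roll-up described above, from asset-level findings to a per-function Red/Yellow/Green status, as an added example that is not Tenable's scorecard code. The business functions, the asset-to-function mapping, the sample findings and the remediation SLAs and colour thresholds are all constructed for illustration and are assumptions, not values from the post; the point is the shape of the translation, not the specific numbers.

```python
"""Roll asset-level findings up into a Red/Yellow/Green scorecard per business function.

Added example, not Tenable's scorecard code. The business functions, the
asset-to-function mapping, the findings and the thresholds are constructed for
illustration and are assumptions, not values taken from the original post.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed: which assets underpin each business function, and whether the
# function came out of the survey as critical (must run 24/7, cannot fail).
FUNCTIONS = {
    "order-processing": {"critical": True, "assets": {"web-01", "web-02", "db-01"}},
    "payroll": {"critical": True, "assets": {"hr-app", "db-02"}},
    "intranet-wiki": {"critical": False, "assets": {"wiki-01"}},
}

@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str       # "critical", "high", "medium" or "low"
    exploitable: bool   # e.g. a known-exploited or weaponized vulnerability
    age_days: int       # days since first seen

# Constructed sample findings, as a scanner or CNAPP might report them per asset.
FINDINGS = [
    Finding("web-01", "critical", True, 12),
    Finding("web-02", "high", False, 3),
    Finding("db-01", "medium", False, 40),
    Finding("hr-app", "high", False, 10),
    Finding("db-02", "low", False, 5),
    Finding("wiki-01", "medium", False, 20),
    Finding("wiki-01", "low", False, 100),
]

# Assumed remediation SLAs in days per severity (not from the post).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def rate_function(name, findings):
    """Rate one business function.

    Red:    an exploitable critical/high finding on a critical function, or any
            critical/high finding past its SLA.
    Yellow: any other critical/high finding, or any finding past its SLA.
    Green:  nothing else of note.
    Returns (status, reasons) so the board view can explain its Reds.
    """
    critical_fn = FUNCTIONS[name]["critical"]
    status, reasons = "Green", []
    for f in findings:
        serious = f.severity in ("critical", "high")
        overdue = f.age_days > SLA_DAYS[f.severity]
        if (serious and f.exploitable and critical_fn) or (serious and overdue):
            status = "Red"
        elif serious or overdue:
            status = "Yellow" if status != "Red" else status
        else:
            continue
        reasons.append(f"{f.asset}: {f.severity}, exploitable={f.exploitable}, {f.age_days}d old")
    return status, reasons

def scorecard(findings=FINDINGS):
    """Map findings to the functions their assets support and rate each function."""
    per_function = defaultdict(list)
    for f in findings:
        for name, spec in FUNCTIONS.items():
            if f.asset in spec["assets"]:
                per_function[name].append(f)
    return {name: rate_function(name, per_function[name]) for name in FUNCTIONS}

def operational_counts(findings=FINDINGS):
    """The raw metric the post says the board does not want: findings per severity."""
    return dict(Counter(f.severity for f in findings))

def board_view(findings=FINDINGS):
    """Reds first, since that is where leadership will focus."""
    order = {"Red": 0, "Yellow": 1, "Green": 2}
    card = scorecard(findings)
    return sorted(card.items(), key=lambda kv: (order[kv[1][0]], kv[0]))

if __name__ == "__main__":
    print("Findings by severity:", operational_counts())
    for name, (status, reasons) in board_view():
        print(f"{status:6} {name}")
        for r in reasons:
            print(f"       - {r}")
```

Run as a script it prints the severity counts (the operational view) followed by the three functions ordered Red, Yellow, Green with the findings that drove each colour. The same seven findings that read as "1 critical, 2 high, 2 medium, 2 low" to an engineer read as "order-processing is Red" to the board, and the reasons list is what answers the follow-up question of why.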
Takeaways
The industry hasn't yet solved this problem of data overload and fragmented reporting.
The industry has excelled at selling more alerts and data, but it hasn't adequately helped organizations wrangle that data into meaningful, actionable intelligence. This has led many organizations to build their own "cyber data lakes" and employ dedicated cyber data analysts. It’s a commendable effort but an inefficient use of scarce cyber resources. These individuals should be solving cyber problems, not spending their time on data analytics that should be provided by vendors.
Building these custom data lakes is a significant undertaking. It often starts with seemingly "free" solutions, only to quickly escalate into substantial investments in infrastructure, expertise and countless integrations and workflows. The reality is that many large organizations have taken this path because a consolidated solution hasn't been available.
Try as it might, the industry has not solved this problem. Attempts to figure out pieces of the problem, like Cyber Asset Attack Surface Management (CAASM) for unified asset inventory, haven’t been effective in unifying assets, risk data and context. This is where exposure management comes in. Tenable pioneered exposure management to solve the unification and context problem we defined earlier. The paradigm is shifting. And it’s shifting to exposure management.
In the next part of this blog series, I’ll look closer at how exposure management can address these very challenges, shrink the tool sprawl problem and enable a more unified, effective approach to cybersecurity.
Learn more
Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.