
ICYMI: A Look Back at Exposure Management Academy Highlights




Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. This week, we look back on some highlights from the first couple of months of posts, including the broad view exposure management provides, business impact and getting to a single pane of glass. You can read the entire Exposure Management Academy series here.

Since we started the Exposure Management Academy in March, we’ve covered a range of topics with contributions from many of Tenable’s industry experts. In this post, we look at a few of the highlights, focusing on the work of three Tenable thought leaders: information security engineer Arnie Cabral, CSO Robert Huber and CIO Patricia Grant.

Exposure management provides a broader view

If you’re wondering about exposure management, you should pay attention to Arnie Cabral. He’s on the front lines as we move to exposure management internally. Cabral wrote that Tenable’s shift began with a simple realization.

“We knew that, although it is critical to modern cybersecurity, vulnerability management alone doesn’t provide a complete picture of cyber risk,” he wrote. He added that traditional vulnerability management involves scanning assets for known vulnerabilities and remediating them based on severity scores. 

“However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility and real-time threat intelligence,” he wrote. 

To get going, he reframed existing policies to align with the new approach. This wasn’t just a matter of editing the text, he noted. 

“Instead, we redefined our objectives and transformed our policies to ensure alignment with emerging risk-based exposure management frameworks,” he wrote.

Read all of Arnie’s post: What it Takes to Start the Exposure Management Journey.

It’s all about business impact

With a quarter century in cybersecurity, Robert Huber has the perspective it takes to separate the wheat from the chaff when it comes to risk prioritization.

Robert believes that, in the shift to exposure management, you need to start with the right data. “One of the big struggles for security professionals is context switching,” he wrote. “When you meet with your business leaders to update them, you often have to scramble to pull together inputs from a dozen different tools and teams.” 

He added that data is siloed, often incomplete and nearly impossible to compare. 

He noted that security professionals need to be able to give CEOs and other leaders a clear, coherent picture of the most acute exposures. But they often struggle to obtain an accurate picture.

So, when Tenable started moving to exposure management, Huber ensured that the first step was to assimilate the data. 

“And I mean all of it,” he wrote. “We combed through tools, platforms and teams for every scrap of data.”

He added that, until you bring all that data together, you can’t prioritize. 

Read all of Robert’s post: Turn to Exposure Management to Prioritize Risks Based on Business Impact.

Getting to a single pane of glass 

Tenable CIO Patricia Grant has 30 years of experience leading technology transformation initiatives for both employees and customers.

She thinks that securing an enterprise is a responsibility that IT and security share. 

“While the CSO defines the strategy and risk posture, IT plays a critical role in execution — from patching systems and deploying controls to maintaining uptime and interpreting security signals,” she wrote.

As a result, she believes a tight alignment between IT and security is essential. 

“Ultimately, you can’t do exposure management the right way without a strong relationship between the CIO and the CSO,” she wrote. “We’re both accountable and responsible for protecting our employees, customers, partners and the company. And we both bring something essential to the table.”

She added that exposure management helps keep IT and security teams on track — and they gain a unified view across all assets. 

“I’m not a fan of ‘swivel-chair security,’” she wrote. “I don’t want my team jumping between tools trying to figure out what to fix first. Exposure management moves us toward a single pane of glass.” 

According to Patricia, it’s easier to understand what needs to be patched now and what can wait. 

“That kind of visibility is essential when your infrastructure spans everything from data centers and headquarters to home offices and digital nomads working from just about anywhere,” she wrote.


Read all of Patricia’s post: Exposure Management Works When the CIO and CSO Are in Sync.

