
We’re Answering Your Exposure Management Questions




Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this Exposure Management Academy FAQ, we help CISOs understand exposure management, look at how advanced you might be and outline how to structure a program. You can read the entire Exposure Management Academy series here.

Since we started the Exposure Management Academy in March, we’ve received lots of questions. To provide answers, we launched an exposure management FAQ series in April and we’re following that with a few more questions and answers. 

Do you have a question about exposure management? If so, fill out the form at the bottom of this page and we’ll address your question in a future post.

I’m a CISO. What should I know about exposure management?

This is a fundamental question we hear from many CISOs. In short, exposure management gives CISOs a single, unified view of the most significant cyber exposures across their organization's entire attack surface.

Toxic combinations of preventable weaknesses, including vulnerabilities, misconfigurations and excessive permissions, can lead to substantial business exposure if an attacker chains them together. To practice exposure management effectively, you need to be able to identify the toxic combinations that create attack paths leading to your most valuable assets or to administrative privileges. A single finding that looks severe in isolation may matter less than a lower-rated finding that sits on such a path.

Implementing an exposure management program can help you streamline prioritization and remediation efforts, making it easier for your security teams to be proactive about reducing your exploitable attack surface. 

Exposure management helps unify the data produced by disparate proactive security functions, including vulnerability management, web application scanning, cloud security, identity security, OT security and attack surface management.

Ultimately, exposure management improves both security and business results. By delivering comprehensive visibility, a unified view of security data and enriched context regarding asset and identity interdependencies and potential impact, exposure management initiatives enhance productivity and efficiency while decreasing overall costs and exposure.

Want to learn more? Browse the posts in the Exposure Management Academy archive. Every week, we release a new post that focuses on how you can make the most of exposure management.

How do I know how advanced we are with exposure management?

Exposure management includes a lot of things your security team is already doing, like vulnerability management, web application security and attack surface management. Based on the work we’ve done to help organizations implement exposure management, Tenable developed an exposure management maturity model that identifies five stages of exposure management maturity:

Stage 1: Ad hoc

This initial stage is characterized by ad hoc tools and processes, with significant visibility gaps and reactive response.

Stage 2: Defined

At this stage, you have basic tools, processes and frameworks, but visibility and response are still siloed.

Stage 3: Standardized

With mature tools and processes, you’re beginning to unify data and add business context.

Stage 4: Advanced

You have unified visibility, with rich business context and some technical context.

Stage 5: Optimized

Your organization has aligned views of exposure, with consistent metrics, reporting, prioritization and workflows.

Which stage fits your current situation? If you’re in the early stages, you’re like most organizations. You can use our maturity assessment to see where you stand. If you’ve moved beyond the early stages, we’d love to hear from you — fill out the form below and tell us your story. 

How should I structure my exposure management program?

These are the four fundamental components of exposure management:

  • Strategy: Define the problems exposure management can help you solve and the objectives you want to achieve by implementing an exposure management program or platform. Consider the risks you’re trying to mitigate and the cyber threats that are most relevant to your organization. Then evaluate your team's current exposure management maturity (see above) and identify any gaps in capabilities you’ll need to fill.
  • Visibility: You’ll need to enhance your ability to identify all preventable risks (i.e., vulnerabilities, misconfigurations and excessive permissions) and discover all assets, identities and applications across your entire attack surface, including cloud, OT, and IoT environments. A key here is using a central inventory to consolidate and standardize all asset and risk data.
  • Insight: A consistent scoring methodology across all risk types and attack surfaces is a critical replacement for the disparate scoring you get with individual tools. You’ll enhance your exposure data with technical and business context so you can prioritize remediation based on the potential business impact of exploitation.
  • Action: Defining necessary roles and allocating cross-functional resources is a central element of the exposure management journey. Here, you’ll integrate, streamline and activate processes and workflows that will help you identify, prioritize and remediate exposures. Plus, you’ll be able to optimize workflows and track program effectiveness through cross-domain analytics and reporting.
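To make the Visibility and Insight components above concrete, here is a small added example (not Tenable code, and not a description of any Tenable product) of the two mechanics the list describes: normalizing findings from siloed tools, each with its own native scale, onto one consistent 0-100 score, and then identifying toxic combinations by chaining findings into attack paths from an internet-exposed asset to a critical one. The asset inventory, tool outputs, asset names and finding identifiers are all constructed and hypothetical.

```python
"""Added example: unified scoring plus attack-path detection over a central
asset inventory. All assets, tools and findings below are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Constructed central inventory (hypothetical asset names).
# 'exposed' = reachable from the internet; 'critical' = crown-jewel asset.
ASSETS = {
    "web-01":  {"exposed": True,  "critical": False},
    "app-01":  {"exposed": False, "critical": False},
    "db-01":   {"exposed": False, "critical": True},
    "dev-box": {"exposed": False, "critical": False},
}

# Constructed raw output from three siloed tools, each using a different scale.
# 'enables' names the asset an attacker can pivot to if the weakness is exploited.
RAW_FINDINGS = [
    {"tool": "vuln_scanner", "asset": "web-01", "id": "rce-in-web-framework",
     "cvss": 9.8, "enables": "app-01"},
    {"tool": "cloud_config", "asset": "app-01", "id": "role-allows-db-admin",
     "severity": "HIGH", "enables": "db-01"},        # excessive permission
    {"tool": "identity", "asset": "dev-box", "id": "stale-admin-account",
     "risk": 5, "enables": None},                    # severe alone, reaches nothing critical
    {"tool": "vuln_scanner", "asset": "dev-box", "id": "outdated-browser",
     "cvss": 7.5, "enables": None},
]

SEVERITY_WORDS = {"CRITICAL": 95, "HIGH": 80, "MEDIUM": 50, "LOW": 20}


@dataclass
class Finding:
    tool: str
    asset: str
    id: str
    base_score: float            # unified 0-100 scale
    enables: Optional[str]
    on_path: bool = False        # set when the finding is a hop in an attack path
    final_score: float = 0.0


def normalize(raw: dict) -> Finding:
    """Map each tool's native scale onto one 0-100 scale (assumed mappings)."""
    if raw["tool"] == "vuln_scanner":
        score = raw["cvss"] * 10          # CVSS 0-10
    elif raw["tool"] == "cloud_config":
        score = SEVERITY_WORDS[raw["severity"]]
    elif raw["tool"] == "identity":
        score = raw["risk"] * 20          # vendor risk 1-5
    else:
        raise ValueError(f"unknown tool {raw['tool']}")
    return Finding(raw["tool"], raw["asset"], raw["id"], float(score), raw["enables"])


def attack_paths(findings: list) -> list:
    """Return every chain of findings leading from an exposed asset to a critical one.
    Each finding is a directed edge asset -> enables; BFS avoids revisiting assets."""
    edges: dict = {}
    for f in findings:
        if f.enables:
            edges.setdefault(f.asset, []).append(f)
    paths = []
    for start, meta in ASSETS.items():
        if not meta["exposed"]:
            continue
        queue = deque([(start, [])])
        while queue:
            node, chain = queue.popleft()
            if ASSETS[node]["critical"] and chain:
                paths.append(chain)
                continue
            visited = {c.asset for c in chain} | {node}
            for f in edges.get(node, []):
                if f.enables not in visited:
                    queue.append((f.enables, chain + [f]))
    return paths


def prioritize(raw_findings: list) -> list:
    """Unified score with a fixed uplift for findings that form an attack path,
    so a chained HIGH misconfiguration outranks an isolated maximum-severity finding."""
    findings = [normalize(r) for r in raw_findings]
    for chain in attack_paths(findings):
        for f in chain:
            f.on_path = True
    for f in findings:
        f.final_score = round(0.6 * f.base_score + (40.0 if f.on_path else 0.0), 1)
    return sorted(findings, key=lambda f: f.final_score, reverse=True)


if __name__ == "__main__":
    for f in prioritize(RAW_FINDINGS):
        flag = "ATTACK PATH" if f.on_path else ""
        print(f"{f.final_score:5.1f}  {f.asset:8} {f.id:24} {f.tool:13} {flag}")
```

The weighting (0.6 times the normalized score plus a flat uplift for being on a path) is an arbitrary illustration; the point is that the ranking is driven by a single schema and by whether a weakness participates in a chain to a critical asset, not by whichever tool happens to shout loudest.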

Have a question about exposure management you’d like us to tackle?

We’re all ears. Share your question and maybe we’ll feature it in a future post.
