How Exposure Visibility Turbo Charges Strategic Security Prioritization
One of the biggest benefits that an exposure management program can afford a security program is the power of risk-informed prioritization. When security leaders think of tooling like attack surface management (ASM) platforms, the most evident prioritization benefits come in the day-to-day tactical decisions of which threats and which exposures to have SecOps practitioners tackle first. But the truth is that with the right mindset, governance, and processes, visibility into enterprise exposures can push priorities all the way up into the strategic realm of enterprise risk management—whilst enabling a threat informed defense posture.
In fact, today's most advanced CISOs actively leverage exposure management visibility to help them develop a security roadmap and prioritize investment decisions based on business risk—rather than the latest threat headlines. The common theme we hear from high-performing security executives is that exposure visibility gives them the insight to identify the riskiest gaps in controls and to plan new investments and initiatives accordingly. This means that exposure management can serve as an incredibly powerful tool for CISOs developing a proactive and programmatic security strategy.
Translating Exposure Data to Risk Priorities
The key for using exposure management to drive disciplined security roadmapping is tapping into the right tooling and analytical lens to translate exposure data into risk prioritization.
ASM tools support visibility into an organization’s landscape, which supports current and emerging regulations where timely reporting requires an understanding of critical assets and their value and exposure footprint. They also provide a holistic understanding of the current state of an organization's assets—where they are, what they're exposed to and the criticality of those exposures from both exploitability and business criticality perspectives.
Once a security program has tapped into that visibility on a continuous basis, security leadership can start translating it into security performance by looking at changes over time. When you measure how quickly different types of exposures are being resolved, you start getting a clearer picture of how well different areas of a program are delivering positive security outcomes.
Exposure data is just a point-in-time view while security performance data is exposure over time.
Digging into this, it is important for CISOs to understand that exposure management is a highly technical data domain with a high frequency of collection and analysis. Exposure management tooling looks at things in real time, and in larger organizations that visibility spans many thousands of assets emitting many millions of telemetry data points.
Performance is a summarized view of exposure, analyzed at a lower frequency. This provides the metrics that help a CISO and their leadership team track security outcomes across different asset groupings, giving insight into how well teams are performing on a weekly, monthly, quarterly, and annual basis.
Getting to that next level of risk visibility requires taking that performance data and layering other data and analysis dimensions into the mix. This means adding context about where and how different asset groupings are used and then benchmarking performance to industry averages, competitor performance, and so on. This is the last step that helps translate exposure visibility into risk visibility. When a CISO is able to achieve that level of understanding it becomes easier to facilitate decisions based on risk. The discussions with security and business stakeholders start examining things at a business level rather than an asset-by-asset, vulnerability-by-vulnerability level.
A CISO can say "This business unit manages these 20 websites or applications and it's not performing as well as this other business unit." Or "Our controls in this specific security domain are lagging industry standards by 20%, let's examine why and make some risk decisions." Maybe one team is not as mature as another or those applications are just more complex than average. Or maybe investments are lagging and need to be targeted in a specific area in the coming year.
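To make the distinction between point-in-time exposure data and performance-over-time data concrete, here is an added example (not from the article or any vendor's tooling) that takes constructed exposure records, counts what is open at a snapshot date, computes mean days-to-remediate per business unit, and expresses each unit's gap against an assumed 10-day industry benchmark as a percentage. The asset names, business units and benchmark value are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed exposure records (not from the article): one row per exposure,
# with the business unit that owns the asset and its open/close dates.
@dataclass
class Exposure:
    asset: str
    business_unit: str
    severity: str
    opened: date
    closed: Optional[date]  # None means still open at snapshot time

SNAPSHOT = date(2024, 3, 31)  # constructed point-in-time view

EXPOSURES: List[Exposure] = [
    Exposure("www-shop", "Retail", "critical", date(2024, 1, 3), date(2024, 1, 10)),
    Exposure("www-shop", "Retail", "high", date(2024, 1, 15), date(2024, 1, 27)),
    Exposure("api-orders", "Retail", "high", date(2024, 2, 1), date(2024, 2, 18)),
    Exposure("ledger-gw", "Finance", "critical", date(2024, 1, 5), date(2024, 1, 9)),
    Exposure("ledger-gw", "Finance", "high", date(2024, 2, 10), date(2024, 2, 16)),
    Exposure("pay-portal", "Finance", "high", date(2024, 3, 20), None),
]

def _by_unit(exposures: List[Exposure]) -> Dict[str, List[Exposure]]:
    groups: Dict[str, List[Exposure]] = {}
    for e in exposures:
        groups.setdefault(e.business_unit, []).append(e)
    return groups

def open_count_by_unit(exposures: List[Exposure], as_of: date) -> Dict[str, int]:
    """Exposure view: how many findings are open on a given day, per unit."""
    return {u: sum(1 for e in es if e.opened <= as_of and (e.closed is None or e.closed > as_of))
            for u, es in _by_unit(exposures).items()}

def performance_by_unit(exposures: List[Exposure], as_of: date) -> Dict[str, float]:
    """Performance view: mean days each unit takes to remediate (open items age to as_of)."""
    return {u: mean(((e.closed or as_of) - e.opened).days for e in es)
            for u, es in _by_unit(exposures).items()}

def benchmark_gap(perf: Dict[str, float], benchmark_days: float) -> Dict[str, float]:
    """Risk view: percent by which each unit lags (positive) or beats (negative) a benchmark."""
    return {u: round((d - benchmark_days) / benchmark_days * 100, 1) for u, d in perf.items()}
```

With these constructed records, Retail lags the assumed benchmark by 20% while Finance beats it, which is the kind of unit-level statement the paragraph above describes.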
Ultimately, that final layer of translation is the ammunition a CISO needs to ask for specific budgetary requests and make very targeted recommendations to the C-suite, the chief risk officer, the CFO, the CEO and the board about the next steps to meet their biggest risks.
The Power of Benchmarking
The real key in all of this is how equipped an exposure management and security performance management program is to establish strong external and internal benchmarks. When a CISO can compare the performance of an entire organization, of a region or business group, or just a group of applications against other organizations, that's when senior business leaders sit up and listen closely. If a security leader is able to provide comparisons with a business' closest peers, its industry sector and maybe even aspirational organizations known for security best practice, they'll gain instant credibility from the board and business stakeholders. That's how almost all business is done and cyber risk management should be no different.
Threat-informed data needs to be complemented with financial ROI, asset value, and current exploitability to justify investments that executives can understand and take accountability for—ensuring they are appropriately resourced and funded.
CISOs that come to the board room table to explain their program's priorities are able to not only say 'We're doing well and headed on the right track,' but also answer the inevitable follow-up question of 'Compared to what?'