Why effective exposure management is key to cybersecurity [Q&A]


Thanks to the rise of hybrid working and SaaS, the traditional concept of ‘attack surface’ -- limited to hardware, software, and network infrastructure -- is dangerously outdated and no longer sufficient to ensure cybersecurity.
We spoke to Mike Riemer, senior vice president, Network Security Group, and field CISO at Ivanti, to find out how organizations need to adapt to keep their systems secure.
BN: How has the attack surface evolved and what security risks are organizations encountering because of it?
MR: In the past, organizations have focused primarily on protecting tangible assets like hardware, software, and network infrastructure. The traditional concept of ‘attack surface’ -- limited to those areas -- is dangerously outdated and no longer sufficient. The modern attack surface has evolved, requiring an evolved mindset: an ‘attack atmosphere.’ It encompasses a massive, growing ecosystem of both physical systems and intangible assets -- from cloud infrastructure and IoT devices to supply chains, identities and permissions.
As this attack atmosphere has expanded, attackers have become more resourceful and sophisticated in their approach, no longer simply threatening single critical vulnerabilities but rather often chaining two to three vulnerabilities in attack sequences, allowing them to more easily bypass traditional prioritization systems focused on individual high-severity flaws.
They're also increasingly targeting user identities through mobile devices, which offer multiple attack vectors. Once they compromise credentials, attackers can leverage that access to launch various secondary attacks across an organization's infrastructure.
BN: What is exposure management and how does it differ from traditional vulnerability management?
MR: Traditional vulnerability management focuses on fixing issues based on technical severity scores, primarily targeting software and hardware. However, today's threat landscape extends far beyond these assets to include cloud environments, third-party vendors, supply chains, and intangible assets.
Exposure management represents a fundamental shift in how organizations approach security. Rather than simply cataloging vulnerabilities, it provides contextual understanding of threats within your specific business environment. This approach answers critical questions: Why does this threat matter to your organization? What makes you specifically vulnerable? Which risks demand immediate attention based on your unique circumstances?
Unlike traditional approaches that rely on subjective assessments, effective exposure management enables proactive threat anticipation through objective, data-driven measurements. This strategic approach requires moving beyond simply integrating existing security tools to achieve a comprehensive, end-to-end transformation in how organizations quantify and manage cyber risk across their entire attack surface -- or as we like to think about it, attack atmosphere.
BN: Could you explain what you believe are the most significant barriers organizations face when trying to implement more objective exposure management strategies? What are specific steps they could take to improve this?
MR: Based on our research findings, the most significant barrier to objective exposure management is the disconnect between having risk frameworks (83 percent of companies have them) and actually following them (51 percent don't follow their own guidelines). This occurs because system complexity, sprawl, and silos create unreliable data, forcing nearly half of security professionals to rely on instinct rather than objective data, since they can't access the right information for risk measurement.
To improve this, organizations should take three specific steps:
- Develop a complete attack surface inventory to eliminate blind spots
- Assign financial values to assets for monetary risk calculations
- Ensure their risk thresholds use the same scoring schema as their assessment framework
These actions create the data foundation needed to move from instinct-based to truly objective, framework-driven risk management that aligns with organizational risk tolerance.
BN: Why are metrics and data important for quantifying risk exposure and what metrics would you prioritize specifically?
MR: Many security professionals face significant barriers when measuring and managing risk exposure. In fact, 49 percent of security professionals say they can’t access the right data to measure and manage risk. And 51 percent of security professionals say they lack the talent to properly measure risk, according to recent research. With exposure management, there is greater access to quantifiable data, which will in turn reduce the present reliance on qualitative judgements. This empowers data-driven decisions based on measurable risk factors.
One hurdle we’ve observed is that the modern enterprise is data-rich, but information-poor. Organizations accumulate vast quantities of raw data but struggle to convert it into meaningful insights. To make data accessible and convert data into meaningful security decisions, companies need to dismantle security and IT silos and leverage a platform that integrates and correlates data from across every department. Additionally, security teams can leverage automation and AI solutions to derive insights from large data sets -- using the information to communicate clearly and drive better decision-making across the entire organization.
By aggregating data to ensure a comprehensive view of the organization's attack surface, exposure management can help develop realistic metrics that align with the organization’s risk appetite and business objectives.
Metrics that organizations can use to analyze and guide every element of their exposure management programs can be broken down into operational, decision-making and performance metrics.
- Operational metrics are used by security teams to guide day-to-day exposure management activities and include attack surface visibility, assets under management and exposure risk ratings.
- Decision-making metrics empower C-level executives, boards of directors and other executive stakeholders to make informed decisions around exposure management. These metrics include cyber risk level, projected cyber risk level and annual loss expectancy (ALE).
- Performance metrics show the results of exposure management activities and can be measured with retired threat debt, cyber risk level changes and return on security investment (ROSI). Proving positive impact can increase organizational support for and investment in exposure management.
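As an added illustration, not from the interview or from Ivanti, the three steps given earlier (inventory, monetary asset values, a single scoring schema for thresholds) and the ALE and ROSI metrics above modelled in Python: a constructed inventory with asset values, a rating schema that refuses to be compared against a threshold written for a different scale, and the resulting money-denominated risk level. The exposure factors, annual rates of occurrence and the CVSS-to-rating banding are assumptions.

```python
from dataclasses import dataclass

# Constructed sample inventory (step 1): each asset carries a monetary value (step 2) and its
# exposures as (cvss_score, exposure_factor = fraction of value lost per incident, aro = incidents/year).
INVENTORY = {
    "crm-db":    {"value": 2_000_000, "exposures": [(9.8, 0.25, 0.5)]},
    "hr-portal": {"value":   400_000, "exposures": [(6.5, 0.10, 1.0)]},
    "kiosk":     {"value":    20_000, "exposures": [(9.1, 1.00, 2.0)]},
}

@dataclass(frozen=True)
class Score:
    schema: str    # "cvss10" (0-10) or "rating5" (1-5); thresholds must name theirs too
    value: float

def to_rating5(cvss: float) -> Score:
    """Assessment framework output: collapse a CVSS 0-10 score into the 1-5 rating schema
    (assumed banding: None=1, Low=2, Medium=3, High=4, Critical=5)."""
    for upper, rating in ((0.1, 1), (4.0, 2), (7.0, 3), (9.0, 4)):
        if cvss < upper:
            return Score("rating5", rating)
    return Score("rating5", 5)

def exceeds(score: Score, threshold: Score) -> bool:
    """Step 3: a threshold written for one schema must never be applied to another,
    e.g. a 'block at 7' CVSS rule would silently never fire against 1-5 ratings."""
    if score.schema != threshold.schema:
        raise ValueError(f"schema mismatch: {score.schema} vs {threshold.schema}")
    return score.value >= threshold.value

def asset_ale(asset: dict) -> float:
    """Annual loss expectancy: sum of SLE * ARO, with SLE = asset value * exposure factor."""
    return sum(asset["value"] * ef * aro for _, ef, aro in asset["exposures"])

def cyber_risk_level(inventory: dict) -> float:
    """Decision-making metric: total ALE across the inventory, expressed in money."""
    return sum(asset_ale(a) for a in inventory.values())

def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Performance metric: return on security investment for a control that lowers ALE."""
    return (ale_before - ale_after - control_cost) / control_cost

def prioritized(inventory: dict, threshold: Score) -> list:
    """Operational metric: assets whose worst rating meets the threshold, ranked by ALE,
    so a Critical CVSS on a low-value kiosk ranks below a high-value database."""
    hits = []
    for name, asset in inventory.items():
        worst = max(to_rating5(cvss).value for cvss, _, _ in asset["exposures"])
        if exceeds(Score("rating5", worst), threshold):
            hits.append((name, asset_ale(asset)))
    return sorted(hits, key=lambda hit: hit[1], reverse=True)
```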
BN: What approaches have you found most successful for gaining buy-in from departments outside of IT and security when looking to implement new security tools like exposure management?
MR: There’s a problematic communication divide in cybersecurity management. Technical security experts possess deep expertise but often lack the ability to translate their insights into language that resonates with executive leadership. Meanwhile, executives recognize cybersecurity as mission-critical and understand the dangers of inadequate protection, yet they frequently lack the technical foundation needed to connect meaningfully with their IT and security personnel.
Without clear dialogue between technical teams and leadership, companies struggle to establish appropriate cybersecurity investments and develop coherent security strategies. The result is often strategic misalignment, wasteful spending, and unclear ownership of security outcomes.
In order to effectively communicate cybersecurity risks, it is necessary to have easily understood metrics. Currently, there are no reliable methods that offer objectivity and a direct connection to data-driven choices. This makes it difficult, if not impossible, to incorporate cybersecurity into business strategy, which hinders the ability to thoroughly assess the organization's tolerance for risk.
Implementing exposure management will allow top-level executives to develop a fundamental skill in making well-informed, consistent, and explainable decisions regarding cybersecurity risk management. By utilizing viable data and advanced analytics, leaders will be able to relate risk to business terms, making communication and collaboration within the organization more effective. This goal cannot be achieved solely through new capabilities from vendors, but also requires a shift in corporate culture and a willingness to reevaluate decision-making processes.