Why one-time security assessments are no longer sufficient [Q&A]


With cyber threats growing more numerous and ever more sophisticated, it’s more critical than ever for organizations to prioritize targeted threats, optimize their existing defensive capabilities and proactively reduce their exposure.
We spoke to CyberProof CEO Tony Velleca to discuss how organizations can effectively implement a Continuous Threat Exposure Management (CTEM) strategy to improve their protection.
BN: Can you provide an overview of the top threats organizations are facing today?
TV: Organizations are facing a new level of sophisticated attacks with the rise of generative artificial intelligence (AI) based threats. The threat landscape has become dynamic over the last few years, with new vulnerabilities and attack vectors emerging daily. As our threat research team constantly evaluates these changes, we are noticing the same consistent threats: business email compromise, social engineering attacks and third-party vulnerabilities. While these threats are not always sophisticated, they are being developed more quickly and becoming harder to detect with the help of AI.
We recently identified the top trending threats that organizations are battling and the tactics that adversaries are relying on, including:
- Geopolitical conflicts and cyberwarfare have led to the development of new techniques and tactics in the cybersecurity industry, which have inevitably trickled down to adversaries. This enables them to target vulnerable operational technology (OT) and internet of things (IoT) systems, allowing them to expand attacks to industries like manufacturing. This has led to a 55 percent increase in distributed denial of service (DDoS) attacks against critical infrastructure in the last four years
- Healthcare as a top target for cybercriminals: 67 percent of healthcare organizations were impacted by ransomware attacks in 2024
- Collaboration between APT and ransomware groups: The number of name-and-shame ransomware campaigns reached an all-time high, with 40 active listings of victims on dedicated leak sites
- The rise of supply-chain attacks: It is projected that the cost of a software supply chain attack is expected to reach $138 billion by 2031, a significant jump from 2023's $46 billion
Organizations must have a comprehensive understanding of these threats and continually receive updated insights to inform their security operations, enabling them to properly assess and protect their networks.
BN: Why isn’t a one-time security assessment enough anymore?
TV: One-time security assessments were once a reliable measure of an organization’s security posture, but now are insufficient in today’s evolving threat landscape, where new and sophisticated attacks occur daily. The rise of AI and other technologies further complicates the situation, allowing adversaries to develop more effective and faster-moving attack methods. By limiting the assessment to one time a year, organizations are leaving gaps in their defenses.
Additionally, companies are dealing with a cybersecurity skills shortage. The World Economic Forum recently reported that 67 percent of organizations have a moderate to critical skills gap in cybersecurity, leaving many security teams strapped for time and overwhelmed with alerts. Defenders can’t afford to be surprised, especially when they don’t have to be.
Companies need a real-time and holistic view of their threat landscape. By taking a continuous approach to analyzing vulnerabilities and threats, security leaders can proactively mitigate exposures in their defenses and prioritize resources where they will have the most impact.
BN: What are the top three things CISOs can do right now instead?
TV: In order to be effective, I recommend that Chief Information Security Officers (CISOs) do the following:
- Understand the threats targeting their organization: When organizations have a full grasp of the threats that are going after their networks, security teams can better prioritize alerts and save the company time and resources
- Optimize their existing defensive capabilities: Budgetary restrictions are constantly top of mind for CISOs. By taking full advantage of what they already have in their arsenal as far as defensive capabilities, they are able to alleviate not only the difficulties of managing too many integrated tools, but also having one source of truth for security teams, all while reducing unnecessary spending
- Proactively reduce their exposure: By continuously evaluating an organization’s attack surface and leveraging penetration testing, CISOs can assess where and how threat actors are most likely to enter the network and designate the necessary resources to protect exposed areas
Many CISOs are prioritizing posture management as new solutions and AI-powered tools continue to enter the market. While this is an important focus, it's critical for security leaders to take a step back and first address estate management. You must have a holistic view of the network and estate to effectively measure your security posture. This is where Continuous Threat Exposure Management (CTEM) can have a significant impact.
BN: Can you tell us more about Continuous Threat Exposure Management (CTEM)?
TV: Continuous Threat Exposure Management (CTEM) is the future of security. CTEM enables organizations to stay ahead of adversaries by continuously monitoring vulnerabilities and minimizing potential attack surfaces. It helps identify and mitigate vulnerabilities before they can be exploited. By leveraging automated scanning, AI-driven analysis and threat intelligence, security teams are informed of potential attacks in real-time.
Unlike any other security solution, CTEM provides automatic and constant insights into a company’s security posture, allowing for threats to be detected and addressed immediately. It enhances security operations by streamlining detection and responding to cyber risks more efficiently.
This solution pairs and strengthens many key security strategies, including:
- Threat Exposure Management to operationalize real-time threat intelligence to continuously evaluate an organization’s exposure and defensive capabilities relative to the latest tactics and techniques
- Exposure Management is enhanced prioritization of all exposures based on targeted threats, including vulnerabilities, cloud posture, application security defects, etc.
- Defense Surface Management enables a security operations team to continuously adapt their defense capability, including detection rules, playbooks and recovery procedures against the most recent threats
BN: How can organizations effectively implement a successful CTEM strategy?
TV: First, organizations must lay the foundation. We call this managing their estate or Estate Management. All assets, whether on-premise, cloud or OT, must be managed in accordance with their security policy, be associated with their proper risk category (e.g., an application, a user, a system), and assigned to an owner. This step is often missed but critical.
Second, the information from the security telemetry must be collected, analyzed and the findings must be made actionable. This methodology leverages MITRE to create a relationship to the prioritized threats and campaigns.
Third, this must be a continuous process, including a mechanism for trending using a risk-based mechanism.