It’s a classic dilemma in any domain: how to accomplish more, without spending more. Addressing the ever-growing number of exposures that organizations have is no different – although the stakes are arguably higher.
Getting it right is crucial, though, because how effectively you manage exposures directly impacts cybersecurity resilience. Controlling and minimizing exposure to potential threats and vulnerabilities, i.e., building an effective exposure management program, is the best way to protect sensitive data, intellectual property, and critical infrastructure – while also ensuring compliance with regulatory standards and maintaining the trust of customers and stakeholders.
So Why is Building a Continuous Exposure Management Program So Hard?
In our recent 2024 State of Security Posture Report, we stated:
“As the number of vulnerabilities in their environments continues to rise, organizations face an uphill battle in addressing them comprehensively. The sheer volume of vulnerabilities makes them practically impossible to address, resulting in a widening remediation gap. Notably, this finding only measures CVEs, which represent just one type of exposure. Combined with other exposure types—such as misconfigurations of systems and applications and insufficiently managed identities—organizations are grappling with a multifaceted, growing threat landscape.”
It’s a pervasive problem, one that the vast majority of organizations – a mind-blowing 82% of surveyed companies – are not handling satisfactorily, by their own admission. These companies are standing on the precipice of a widening chasm between the number of exposures in their environments and their ability to remediate them. They simply cannot keep pace – which is understandable, given that on average, companies can address 48 exposures per month, in the face of nearly 2000 new vulnerabilities discovered each month.
In this blog, I’ll look at two of the most pervasive challenges keeping organizations from implementing better exposure management processes and one way to perform a route-recalculation to get more done.
Challenge 1 – Not enough people-power
Lack of people is often seen as one of the critical blockers to improving exposure management processes. Not surprisingly, expanding headcount is often viewed as the ideal solution to exposure management challenges. Seems like a no-brainer, right? Throw more bodies at a problem and watch it magically go away. But while growing headcount is straightforward, it’s definitely not cost-effective – and it may not fully address the issue.
One issue with adding more people is, well, it takes time. It’s neither fast nor a guaranteed home run. You could spend months trying to find the right people, and only then can you start to train them, which is an equally time-consuming task.
Moreover, training new team members takes the time and resources of OTHER team members who could be working on other necessary tasks. And to be honest, a larger team doesn’t necessarily equate to improved efficiency. Communication challenges and coordination issues frequently hinder the swift responses required in the face of emerging cyber threats. The law of diminishing returns is highly relevant to investment in headcount, especially when a security team grows beyond its optimal size.
Challenge 2 – Technological and organizational silos
Another issue I see all the time is the silos that prevent teams from upgrading their exposure management programs.
These can be technological silos: this team is knee-deep in Windows, that one lives in Linux-land – and the two lack the ability to understand each other well enough to communicate risk effectively.
Then there are location silos – with global teams, there could quite literally be language barriers that hinder effective communication. Then there’s the ever-present disconnect between teams – Security, IT, DevOps, etc. – wherein the lack of a common understanding of issues and of what should be prioritized leads to potentially dangerous gaps.
How to Bridge the Gaps with External Mobilization
In Gartner’s Continuous Threat Exposure Management framework, Mobilization is the fifth and final stage (but not really final, because that “continuous” thing means it repeats itself over and over, for, well, forever).
According to Gartner, “the objective of the “mobilization” effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows.”
In normal-people speak, this means communicating needs effectively to all involved parties, and making sure everyone understands their roles and responsibilities and has the tools and capabilities needed to accomplish the remediations required. This is nice, but as I said above, the lack of people, plus the ever-present technological and other silos, makes mobilizing properly a real challenge.
This is why, IMO, it’s best to have an external entity facilitate mobilization. That means leveraging external resources to act as a connective fabric that pulls everything under one umbrella, seeing all, connecting all the dots and giving context to all requests. This entity sets up and maintains this approach, which includes communicating between IT personnel, security personnel, and anyone else involved in the CTEM program.
This same entity ensures that all stakeholders are aware of their roles and keeps management updated on progress. Mobilizing all people and resources, and ensuring that all stakeholders are aware of their role in the program, is the ticket to exposure management remediation success.
The Takeaway – Extend Your Team for the Win
When it comes to building an effective Exposure Management program, the stakes are high and the challenges are immense. Extending your team through effective mobilization will allow you to establish your program and meet CTEM in the most efficient way possible.