Check out the Cloud Security Alliance’s recommendations for rolling out AI apps securely. Meanwhile, a Deloitte survey found GenAI initiatives by cyber teams deliver the highest ROI to their orgs. Plus, the NSA urges orgs to combat GenAI deepfakes with content provenance tech. And get the latest on CISO trends, patch management and data breach prevention.

Dive into six things that are top of mind for the week ending Jan. 31.

1 - CSA: Best practices for secure AI implementation

Looking for guidance on how to securely deploy AI systems? You might want to check out the Cloud Security Alliance’s new white paper “AI Organizational Responsibilities: AI Tools and Applications.”

Published this week, the paper covers three key areas: the security of large language models and generative AI applications; supply chain management; and additional implementation elements, such as employee use of generative AI tools. Each of those three areas is analyzed according to six areas of responsibility for teams deploying AI systems:

- Evaluation criteria: To assess AI risks, organizations need quantifiable metrics. That way they’ll be able to measure elements such as model performance, data quality, algorithmic bias and vendor reliability.
- RACI model: It’s key to be clear about who is responsible, accountable, consulted and informed (RACI) regarding AI decisions, selection of tools and vendor management.
- High-level implementation strategies: Teams should outline the process for integrating AI tools and applications into existing workflows, and particularly how they’ll address challenges such as data integration and model deployment.
- Continuous monitoring and reporting: The paper recommends continuously monitoring elements such as AI tool performance and data drift, and regularly generating reports on AI system health and vendor compliance.
- Access control: It’s critical to implement strong access-control mechanisms to protect algorithms, data and AI infrastructure.
- Adherence to AI standards and best practices: Complying with AI standards, regulations and guidelines will help teams, for example, secure AI applications, conduct responsible AI development and mitigate supply chain risks.

“As AI technologies evolve and their adoption expands across industries, the need for strong governance, security protocols, and ethical considerations becomes increasingly critical,” Michael Roza, the paper’s lead author, said in a statement.

Some of the white paper’s key takeaways include:

- AI security requires addressing both traditional and AI-specific cybersecurity concerns.
- Effective third-party and supply chain management is critical.
- Organizations need clear policies and guidelines for employees’ AI use.
- AI governance requires clear role definitions and specialized skills.

For more information about AI security, check out these Tenable blogs:

- “Securing the AI Attack Surface: Separating the Unknown from the Well Understood”
- “6 Best Practices for Implementing AI Securely and Ethically”
- “How AI Can Boost Your Cybersecurity Program”
- “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach”
- “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources”

2 - Report: Cybersecurity use of GenAI produces highest ROI

As enterprises deploy generative AI across their business, cybersecurity initiatives are generating the highest return on investment (ROI).

Moreover, cybersecurity initiatives are more deeply integrated into work processes than initiatives from other departments, such as sales, research and development, and finance.

Those findings come from Deloitte’s “The State of Generative AI in the Enterprise: Generating a new future” report, which is based on a survey of about 2,770 directors and CxOs from organizations that are piloting or implementing generative AI.

“Relative to other types of advanced GenAI initiatives, those focused on cybersecurity are far more likely to be exceeding their ROI expectations,” reads the report from Deloitte, which polled respondents in 14 countries.

Specifically, respondents reported that 44% of cybersecurity initiatives are delivering an ROI that is “somewhat or significantly above expectations.”

(Chart. Source: Deloitte’s “The State of Generative AI in the Enterprise: Generating a new future” report, January 2025)

Meanwhile, the report found that cybersecurity initiatives have the highest level of work-process integration.

While these findings reflect positively on how cybersecurity departments are deploying generative AI, the technology still faces adoption challenges in enterprises in general, the report notes, including:

- Regulatory uncertainty
- Risk management
- Data deficiencies
- Workforce issues

Specifically, regulatory concerns have become the top barrier for generative AI adoption, while almost 70% of respondents estimate that it’ll take their organizations more than a year to fully implement a generative AI governance strategy.

The report’s recommendations for successful adoption of generative AI in enterprises include:

- CxOs must ensure IT and business leaders work in tandem.
- Ensure generative AI initiatives deliver measurable ROI by, for example, focusing on high-impact use cases, establishing centralized governance and continuously iterating.
- Plan for the eventual adoption of agentic AI systems, which can act with a high degree of autonomy, requiring little or no human intervention.

To get more details, check out the report’s announcement, the full report and this video of a panel discussion about the report.

For more information about using generative AI for cybersecurity:

- “GenAI’s Impact on Cybersecurity” (InformationWeek)
- “Generative AI in Cybersecurity: Assessing impact on current and future malicious software” (The Alan Turing Institute)
- “How Can Generative AI Be Used In Cybersecurity?” (eWeek)
- “Building a Generative AI-Powered Cybersecurity Workforce” (SANS Institute)
- “GenAI use cases rising rapidly for cybersecurity — but concerns remain” (CSO)

3 - How content provenance tech helps flag AI deepfakes

Organizations must get acquainted with a key technology designed to track the origin of media files and that way verify whether they have been maliciously created or modified to spread falsehoods and misinformation.

That’s the message from the Australian, Canadian, U.K. and U.S. governments, which this week jointly published the document “Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era.”

“Advanced tools that allow the easy creation, alteration, and dissemination of digital content are now more accessible and sophisticated than ever before,” the 25-page document reads. “This escalation threatens organizations’ security, with AI-generated media being used for impersonations, fraudulent communications, and brand damage. Therefore, restoring transparency has never been more urgent,” the document adds.

The technology in question is called Content Credentials, and, according to the document, it’s in the process of becoming global ISO standard 22144. It tracks the provenance of media files by logging their creation and subsequent edits, and binding that history to the file as cryptographically signed, tamper-evident metadata: if either the media or the recorded history is altered after signing, the signature no longer verifies.

Co-authored by the U.S. National Security Agency, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security and the U.K. National Cyber Security Centre, the document seeks to:

- Explain how Content Credentials can provide media-provenance transparency
- Create awareness about how Content Credentials is being developed
- Recommend best practices for how to preserve provenance data
- Stress why broadly adopting Content Credentials is critical

The Content Credentials technical specification is developed and maintained by the Coalition for Content Provenance and Authenticity (C2PA), and the Content Authenticity Initiative (CAI) drives its implementation and adoption.

For more information about Content Credentials:

- “The inside scoop on watermarking and content authentication” (MIT Technology Review)
- “Best Inventions of 2024: Content Credentials” (Time Magazine)
- “What are Content Credentials? Here's why Adobe's new AI keeps this metadata front and center” (ZDNet)
- “New technology to show why images and video are genuine launches on BBC News” (BBC)
- “Not Sure if an Image Is AI? Check Its Nutrition Label, Thanks to a New Adobe App” (Cnet)

Video: “Join the movement for content authenticity” (Content Authenticity Initiative)

4 - Study: CISOs’ access to the board and CxOs is critical

Organizations where the CISO works closely with the board of directors and with fellow CxOs have stronger security programs than organizations where this collaboration is weaker.

In addition, CISOs with strong ties to their boards and CxOs tend to be happier at work and to earn more.

Those are two findings from the “State of the CISO 2025 Report” from IANS Research and Artico Search, based on a survey of 830 security executives.

“This report demonstrates that board engagement and C-suite access is critical in shaping the future of a security program and a CISO’s career,” Steve Martano, IANS Faculty and Executive Cyber Recruiter at Artico Search, said in a statement.

Yet only 28% of survey respondents fell into the category of “Strategic CISO,” defined as one with outstanding C-suite access and boardroom influence. The majority – 50% – were deemed “Functional CISOs,” who despite having “significant influence” nonetheless lack consistent visibility with the board or CxOs. The rest – 22% – were classified as “Tactical CISOs” because they focus mostly on technology and have minimal interaction with the C-suite and the board.

(Chart. Source: “State of the CISO 2025 Report” from IANS Research and Artico Search, January 2025)

Obviously, the recommendation is for all CISOs to rise to the category of “Strategic CISO,” as close communication and collaboration with the board and fellow CxOs -- including CFOs -- is essential to align the security program with the business strategy.

For CISOs to have optimal communication with board members and CxOs, the report recommends that they:

- Volunteer for projects and committees to explain to fellow business leaders the security angle of these cross-functional initiatives.
- Delegate tactical and operational tasks to team members to free up time for strategic work.
- Instead of limiting themselves to technical topics, address strategic governance issues and that way act as a partner to the other CxOs.

To get more details, check out:

- The blog “Build CISO Strategic Impact and Visibility”
- The “State of the CISO 2025 Report”
- The announcement “IANS Research and Artico Search Unveil The State of the CISO, 2025 Report”

5 - Tenable: What are your patch management challenges?

During our recent webinar “From Reactive to Proactive: Expert Guide to Effective Remediation Automation,” we polled attendees about their struggles with patch management. Check out what they said.

(Chart: 124 webinar attendees polled by Tenable, January 2025)

Check out the on-demand webinar to learn about actionable strategies and proven approaches for streamlining remediation, improving patching efficiency and reducing risk.

To learn more about patch management and vulnerability management, check out these Tenable resources:

- “Elevate Your Vulnerability Remediation Maturity” (white paper)
- “Context Is King: From Vulnerability Management to Exposure Management” (blog)
- “The State of Vulnerability Management” (white paper)
- “What is patch management?” (article)

Video: “Key Elements of Effective Exposure Response”

6 - Data breach report: Many incidents preventable with standard cyber

Almost 200 U.S. data breaches last year, including several of the largest ones, could have been prevented via the use of well-known cybersecurity practices.

That’s one of the findings from the Identity Theft Resource Center’s “2024 Data Breach Report,” which was published this week and is the latest reminder to adopt foundational cybersecurity tools and procedures.

“A significant number of data compromises could have been avoided with basic cybersecurity,” ITRC President James E. Lee wrote in the report’s introduction.

Specifically, four of 2024’s “mega-breaches,” which collectively resulted in the issuance of 1.24 billion victim notices, were deemed preventable through cybersecurity processes and techniques, including:

- multi-factor authentication (MFA) or passkeys
- secure software development
- vulnerability patching
- security awareness training

Here are other key findings from the report:

- The 3,158 U.S. data compromises recorded in 2024 fell 1% compared with 2023. Most of the incidents – 90% – were categorized as data breaches.
- Cyberattacks caused the majority – 80% – of data breaches. The rest were caused by system and human errors, physical attacks, and supply chain attacks.
- Victim notices skyrocketed 312% to 1.72 billion, driven by six “mega-breaches,” each of which generated at least 100 million notices.
- The hardest-hit industry was financial services, followed by healthcare and professional services.

To get more information, check out the ITRC’s report announcement and the full report.

For more information about data security:

- “How To Protect Your Cloud Environments and Prevent Data Breaches” (Tenable)
- “Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches” (CISA)
- “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (Tenable)
- “Preventing data breaches” (Australian Cyber Security Centre)
- “Why data breaches have become ‘normalized’ and 6 things CISOs can do to prevent them” (VentureBeat)
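Returning to item 3 above: the Content Credentials write-up describes provenance as tamper-evident metadata bound to a media file, but not what a consumer actually checks. The Python below is an added illustration written for this page, not code from the original post, the NSA document, the C2PA specification or any Content Credentials SDK. It models a simplified manifest (hash of the asset bytes, the edit actions recorded for that version, and the hash of the ingredient manifest the asset was derived from) and the two checks a verifier runs: is the metadata intact, and does it still describe these bytes. Assumptions: an HMAC-SHA256 key stands in for the X.509 certificate-backed signature real Content Credentials carry; the manifest layout is simplified; the asset bytes, key and action names (written in the c2pa.* style) are constructed samples.

```python
import hashlib
import hmac
import json

# Assumption for this illustration: a shared HMAC key stands in for the private
# key behind a Content Credentials signing certificate (real manifests carry an
# X.509-backed signature). The key value is a constructed sample.
SIGNER_KEY = b"demo-signing-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # One deterministic byte form per claim, so signer and verifier hash the same thing.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(asset: bytes, actions, ingredient=None, key=SIGNER_KEY) -> dict:
    """Build and sign a provenance manifest for `asset`.

    `actions` is the edit history recorded for this version (sample names in
    the c2pa.* style). `ingredient` is the manifest of the asset this one was
    derived from; its hash links the two manifests into a provenance chain.
    """
    claim = {
        "asset_hash": sha256_hex(asset),
        "actions": list(actions),
        "ingredient_manifest_hash": sha256_hex(canonical(ingredient)) if ingredient else None,
    }
    signature = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "signature": signature}


def verify_manifest(asset: bytes, manifest, key=SIGNER_KEY) -> bool:
    """True only if the metadata is untampered AND it still describes `asset`."""
    if not isinstance(manifest, dict):
        return False
    claim, signature = manifest.get("claim"), manifest.get("signature")
    if not isinstance(claim, dict) or not isinstance(signature, str):
        return False
    expected = hmac.new(key, canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False  # claim edited after signing, or not signed by the expected signer
    # Signature is fine, but were the media bytes swapped under a genuine credential?
    return claim.get("asset_hash") == sha256_hex(asset)


def verify_chain(asset: bytes, manifest, ancestors, key=SIGNER_KEY):
    """Verify a manifest and every ingredient it points back to.

    `ancestors` lists the prior (asset_bytes, manifest) pairs, newest first.
    Returns the full action history, oldest first, or None if any link fails.
    """
    links = [(asset, manifest)] + list(ancestors)
    for i, (link_asset, link_manifest) in enumerate(links):
        if not verify_manifest(link_asset, link_manifest, key):
            return None
        parent_hash = link_manifest["claim"].get("ingredient_manifest_hash")
        if i + 1 < len(links):
            # The next-older manifest must be exactly the ingredient this one cites.
            if parent_hash != sha256_hex(canonical(links[i + 1][1])):
                return None
        elif parent_hash is not None:
            return None  # cites an ingredient we were not given: cannot vouch for it
    history = []
    for _, link_manifest in reversed(links):
        history.extend(link_manifest["claim"]["actions"])
    return history


if __name__ == "__main__":
    original = b"constructed sample image bytes"  # stands in for a camera capture
    m0 = sign_manifest(original, ["c2pa.created"])
    cropped = original + b" [cropped]"  # a legitimate, recorded edit
    m1 = sign_manifest(cropped, ["c2pa.cropped"], ingredient=m0)

    print(verify_chain(cropped, m1, [(original, m0)]))  # ['c2pa.created', 'c2pa.cropped']
    # Deepfake wearing a genuine credential: same metadata, different pixels.
    print(verify_manifest(b"synthetic replacement bytes", m1))  # False
    # Edit history rewritten to hide the crop: the signature no longer matches.
    forged = dict(m1, claim=dict(m1["claim"], actions=["c2pa.created"]))
    print(verify_chain(cropped, forged, [(original, m0)]))  # None
```

Two failure modes matter here: swapping the media while keeping the metadata (a fabricated image wearing a real credential) fails the hash check even though the signature is valid, and rewriting the action log to hide a manipulation fails the signature check. A manifest that cites an ingredient the verifier was not given is rejected rather than trusted, which is the conservative default for provenance data that cannot be fully traced.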