Full Report
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Jorge Orchilles, Senior Director of Readiness and Proactive Security at Verizon, offers an up-close glimpse at the thinking that drove his move to exposure management. You can read the entire Exposure Management Academy series here.

As we shift our security focus at Verizon to proactive exposure management, we’re consolidating tools and teams to focus on real-world, exploitable risks. By aligning offensive security functions under a unified strategy, prioritizing exploitable threats and fostering collaboration, we're moving our focus beyond compliance-based remediation to risk-based remediation.

You know the story: those of us in cybersecurity play a high-stakes game of Whac-a-Mole® just about every day. We spend our lives chasing down vulnerabilities and issuing (or responding to) mandates like "Patch within 30 days" or "Code red, patch now!"

But as attack surfaces grow and threat actors become more sophisticated, this reactive approach has become inadequate. At Verizon, we recognized that, with such a heterogeneous landscape that has to serve the diverse needs of corporate, retail, mobile field techs and more, the best solution was not another collection of disparate tech. We needed a single, consolidated exposure management platform that could cover every corner of our enterprise. The journey to get there broke down silos and shifted our mindset from being compliance-driven to a risk-based focus. Importantly, before we even considered new technology, we needed to align multiple teams, each with their own tools and priorities, behind a shared strategy.

## Bringing separate tools together as one

Security teams have always juggled a patchwork of tools: separate tools for attack surface management, asset visibility, vulnerability scanning, identity exposure and cloud security. In most companies, different teams operate the solutions and each one requires its own set of expertise. The intent of the fragmentation is to ensure you have people with the right skills remediating the right problems. But the siloed approach slows response times and creates blind spots that can leave critical vulnerabilities unaddressed simply because they fall outside a team’s area of expertise. You cannot do attack path analysis in silos!

I don’t want to be in the business of just checking boxes. We needed to build a security program that prioritizes real-world risks, rather than every vulnerability. And, in that effort, it’s clear that the value of an integrated approach outweighs the benefits of niche features. So, to handle these challenges, we opted to consolidate under a single platform: Tenable One.

## The key to managing change: A little bit of Dale Carnegie

While the right platform makes all the difference, implementing exposure management isn't purely technical. It’s organizational. Launching an exposure management program means shifting ownership of key, siloed security functions, which can require teams to work together in ways they haven’t before.

For example, at Verizon, attack surface management was previously handled by a separate team. Now, those individuals are part of my group. The Active Directory team, which runs identity exposure tools like BloodHound, remains independent, but we collaborate closely so they see the security insights as valuable rather than punitive. The internet of things (IoT) and operational technology (OT) security specialists who previously used a different set of tools now all work within the same framework.

Security teams accustomed to working in silos must now share data and decision-making, which can be a tough adjustment. I found that the key to overcoming this is transparency and partnership. In fact, reading a bit of Dale Carnegie regularly can be just as important as a daily dose of Brian Krebs.

So, to ease the transition, rather than imposing top-down mandates, we’ve focused on aligning teams through shared objectives, clear communication and demonstrating value early in the process. By involving stakeholders from the start, in areas like identity security, IT operations and cloud security, we’re ensuring that change isn’t something done to them, but something they actively shape and support.

I want to emphasize that none of this happened overnight. It required high-level buy-in and careful planning. These teams weren’t just being asked to use a new tool; they were being asked to change the way they work. The only way to make that transition successful is by showing team members how this approach makes their jobs easier, not harder.

## Stop trying to fix everything

One of the biggest mindset shifts in exposure management is recognizing that not every vulnerability needs to be patched immediately. Sure, it can be a hard thing to wrap your head around. But when everything is critical, nothing is critical. And that approach just leads to burnout, inefficiency and more exposures. Instead, at Verizon, we focus on vulnerabilities that are actually exploitable and part of a realistic attack path.

So, if there’s a critical vulnerability in an application but no feasible way for an attacker to reach it, should it really be the top priority? On the other hand, if a vulnerability provides a direct path to a crown jewel asset, we need to address it immediately. The key is prioritization based on real-world attack scenarios, not arbitrary severity scores.

## Working with the C-suite

Another critical advantage of exposure management is how it changes security conversations at the executive level. Instead of delivering long lists of vulnerabilities that mean little to non-technical leaders, we can present a clear picture in a few key points:

- What’s at risk?
- How could an attacker get in?
- What are the most urgent priorities to fix?

And when a major vulnerability hits, we don’t have to scramble to figure out if we are affected. We have the data at our fingertips. That’s the real value of exposure management: speed, clarity and the ability to act before attackers do.

## The future of cybersecurity is proactive exposure management

At its core, exposure management is about shifting from reactive security to proactive security. It’s not just about fixing vulnerabilities anymore. It’s about understanding risk in the context of the business. As more organizations move in this direction, exposure management will continue to evolve. Vendor consolidation is ongoing, teams are being restructured and security leaders are realizing that patching everything everywhere all at once is an impossible task. So, like Verizon, the industry must focus on what really matters: preventing the attacks that could actually lead to a compromise.

And for those of us at the tip of the spear in this shift, it’s time to stop being reactive and start managing exposure like the strategic risk it is.

## Learn more

Read the Security leaders’ guide to exposure management strategy, a proven, pragmatic approach to standing up an exposure management program — plus advice for scoping it, engaging stakeholders and obtaining buy-in.

Whac-a-Mole is a registered trademark of Mattel Inc.
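The "Stop trying to fix everything" argument, worked through as an added example (not Tenable's or Verizon's code): findings are ranked by whether an attacker can actually reach them and whether they sit on a path to a crown jewel, with raw CVSS demoted to a tie-breaker. The asset graph, the crown-jewel set and the four findings are all constructed sample data, and the point weights are an illustrative choice.

```python
"""Attack-path-aware prioritization; constructed illustration, not vendor code."""
from collections import deque

# Constructed asset graph: "a" -> ["b"] means an attacker on a can reach b.
# "internet" is the attacker's starting point.
EDGES = {
    "internet":   ["web-portal", "vpn-gw"],
    "web-portal": ["app-server"],
    "vpn-gw":     ["jump-host"],
    "jump-host":  ["domain-controller"],
    "app-server": ["customer-db"],
    "lab-box":    [],   # isolated test box: nothing on the network reaches it
}
CROWN_JEWELS = {"customer-db", "domain-controller"}

# Constructed findings. "exploited" = exploitation observed in the wild;
# "mitigated" = a compensating control (WAF rule, network ACL) is in place.
FINDINGS = [
    {"id": "F1", "asset": "lab-box",    "cvss": 9.8, "exploited": True,  "mitigated": False},
    {"id": "F2", "asset": "jump-host",  "cvss": 7.5, "exploited": True,  "mitigated": False},
    {"id": "F3", "asset": "web-portal", "cvss": 6.5, "exploited": False, "mitigated": True},
    {"id": "F4", "asset": "app-server", "cvss": 8.1, "exploited": False, "mitigated": False},
]

def reachable_from(start, edges):
    """Breadth-first set of assets reachable from start (start included)."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt); queue.append(nxt)
    return seen

def exposure_score(finding, edges=EDGES, jewels=CROWN_JEWELS):
    """0..100. Reachability from the internet is a gate, not a weight:
    a finding no attacker can reach scores 0 regardless of CVSS."""
    if finding["asset"] not in reachable_from("internet", edges):
        return 0.0
    on_path_to_jewel = bool(reachable_from(finding["asset"], edges) & jewels)
    score = finding["cvss"] * 4                    # severity: at most 40 points
    score += 30 if on_path_to_jewel else 0         # leads to a crown jewel
    score += 30 if finding["exploited"] else 0     # exploitation observed in the wild
    score *= 0.5 if finding["mitigated"] else 1.0  # compensating control halves it
    return round(min(score, 100.0), 1)

def prioritize(findings):
    """Remediation order: exposure first, raw CVSS only as a tie-breaker."""
    return sorted(findings, key=lambda f: (-exposure_score(f), -f["cvss"]))

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["id"], f["asset"], "CVSS", f["cvss"], "exposure", exposure_score(f))
```

Sorted by CVSS alone the unreachable lab box (F1, 9.8) would come first; sorted by exposure it drops to the bottom and the exploited jump host on the path to the domain controller (F2, 7.5) comes first.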
Analysis Summary
# Best Practices: Proactive Exposure Management
## Overview
These practices advocate for shifting cybersecurity from a reactive stance (patching everything) to a proactive one (managing exposure) by understanding cyber risk in the context of the business, prioritizing efforts to prevent likely attacks, and ensuring rapid response capabilities across the entire attack surface (including Cloud, OT/IoT, Identities, and traditional assets).
## Key Recommendations
### Immediate Actions
1. **Develop Contextual Risk Snapshots:** For non-technical leaders, prepare concise summaries detailing: "What’s at risk?", "How could an attacker get in?", and "What are the most urgent priorities to fix?"
2. **Establish 'Data at Your Fingertips' Access:** Ensure immediate access to consolidated data that pinpoints if the organization is affected when a major vulnerability emerges, eliminating scramble time.
3. **Identify the Proactive Security Leader:** Assign ownership for the transition toward a proactive exposure management program among senior security staff.
### Short-term Improvements (1-3 months)
1. **Begin Attack Surface Consolidation:** Start efforts to combine data from disparate security tools (e.g., vulnerability scanners, cloud security posture management, identity tools) into a unified platform to gain comprehensive visibility.
2. **Focus Effort on Preventing Likely Attacks:** Shift resource allocation away from generic, comprehensive patching schedules to efforts targeting vulnerabilities actively being exploited or those that align with known attacker paths.
3. **Implement Formalized Exposure Management Scoping:** Utilize a proven, pragmatic guide (like the recommended "Security leaders’ guide to exposure management strategy") to formally scope out the initial objectives and boundaries of the new exposure management program.
### Long-term Strategy (3+ months)
1. **Embed Exposure Management as Strategic Risk:** Integrate exposure management workflows into core business risk reporting, ensuring security posture directly informs business performance discussions.
2. **Drive Security Tool Consolidation:** Evaluate and reduce the number of siloed security tools by prioritizing platforms that integrate and normalize data across different security domains (Cloud, OT/IoT, Identity, Vulnerability).
3. **Standardize Stakeholder Engagement:** Establish ongoing processes for communicating security priorities clearly and obtaining consistent buy-in from business unit owners based on prioritized risk data.
## Implementation Guidance
### For Small Organizations
- **Prioritize Core Visibility:** Focus initial efforts on integrating data sources that represent the highest potential impact (e.g., internet-facing assets and critical business applications) into a single reporting view.
- **Leverage Integrated Platforms:** Look for solutions that offer integrated vulnerability and cloud security capabilities to reduce the need for managing multiple point solutions.
### For Medium Organizations
- **Define Clear Prioritization Metrics:** Establish custom risk scoring that incorporates exploitability, asset criticality, and existing compensating controls, moving beyond raw CVSS scores.
- **Begin Stakeholder Buy-in:** Start practicing the clear communication framework (risk, entry points, priorities) with department heads to gain initial departmental commitments for remediation.
### For Large Enterprises
- **Mandate Data Integration via Connectors:** Implement standardized connectors to seamlessly combine native sensor data with data from existing third-party security tools to create a holistic view.
- **Formalize Emergency Response Playbooks:** Develop and test playbooks for high-severity events based on the centralized exposure data, ensuring rapid identification (using 'data at your fingertips') and coordinated response across large, complex environments.
## Configuration Examples
*No specific technical configurations were provided in the text; however, the focus is on integrating data streams to feed **Exposure Prioritization** and **Exposure Analytics** capabilities within a management platform.*
## Compliance Alignment
While the text does not explicitly list compliance frameworks, the principles align with modern risk-based security frameworks:
- **NIST Cybersecurity Framework (CSF):** Directly supports the **Identify** (Asset Management, Risk Assessment) and **Respond** (Incident Response planning based on clear data) functions by shifting the focus from patching compliance to managing actual risk.
- **ISO 27001 (Risk Management):** Supports the core concept of treating security as a strategic business risk rather than just a technical compliance checkbox.
## Common Pitfalls to Avoid
- **Treating Security as Purely Reactive:** Continuing to operate under the assumption that "patching everything everywhere all at once" is a feasible or effective strategy.
- **Allowing Data Silos:** Failing to integrate data from various security functions (cloud, OT, identity, vulnerability management) into a single, actionable view, which leads to fragmented risk assessment.
- **Overwhelming Non-Technical Leaders:** Presenting security data using only technical metrics (like raw vulnerability counts) instead of translating risks into business impact ("What's at risk?").
## Resources
- **Exposure Management Strategy Guide:** Security leaders’ guide to exposure management strategy. (Used for scoping, stakeholder engagement, and buy-in.)
- **Key Concept:** Shifting focus to **Preventing the attacks that could actually lead to a compromise.**