Full Report
Some security teams are taking a do-it-yourself approach to exposure management, according to a recent study conducted by Enterprise Strategy Group, now part of Omdia, in partnership with Tenable. But are they really ready for the hidden costs and challenges that come with a homegrown system?

## Key takeaways

- Organizations are managing as many as 25 different security tools and struggling to make sense of all the alerts and data.
- Some teams are turning to homegrown data security lakes and data fabrics to stitch together the output from all these tools.
- DIY solutions introduce hidden costs and risks and place burdens on security teams, distracting them from their main mission: reducing cyber risk.

How do you manage the cacophony of alerts and floods of data coming at you from your various siloed security tools? If you’re like most security leaders, you probably figure the best option is to just handle it yourself. After all, who else knows your infrastructure like you do? You’ve invested time and resources in deploying the security tools that best serve your needs and choosing the right teams to manage them.

And, let’s face it, do-it-yourself (DIY) projects can be fun…until they’re not. A study conducted by Enterprise Strategy Group, now part of Omdia, in partnership with Tenable, reveals that organizations are managing as many as 25 different security tools, each with its own unique way of presenting findings.
Among these tools are:

- Cloud security posture management (CSPM)
- Cyber asset attack surface management (CAASM)
- Identity security posture management (ISPM)
- Endpoint detection and response (EDR)
- Application security vulnerability scanners (e.g., SAST, DAST, and SCA)

Source: Enterprise Strategy Group, now part of Omdia, Research Report, “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management,” July 2025

Nearly two-thirds of organizations (63%) are currently using or in the process of implementing their own security data lakes or security fabric to make sense of the output from all these siloed security tools. Another third (34%) are in the process of evaluating or planning an implementation in the next 12 months.

While it may be tempting to build rather than buy, there are numerous pitfalls in this approach. “Building these custom data lakes is a significant undertaking,” wrote Tenable CSO Robert Huber in the blog How Tenable Moved from Siloed Security to Exposure Management. “It often starts with seemingly ‘free’ solutions, only to quickly escalate into substantial investments in infrastructure, expertise, and countless integrations and workflows.”

Pulling all your data together is just the first step. You have to normalize, deduplicate, enrich and continuously analyze that data in order to have an accurate assessment of your risk. These are just some of the challenges we see in homegrown solutions:

- Lack of consistency
- Data quality problems
- A lack of data deduplication and normalization
- High storage and computing costs
- Skills and knowledge gaps in your teams
- Infrequent exposure assessments, leading to increased risk
- Inability to gather meaningful and actionable intelligence
- Inefficient workflows and prioritization

Building a DIY data lake requires you to employ dedicated cyber data analysts, an inefficient use of scarce cyber resources.
“These individuals should be solving cyber problems, not spending their time on data analytics that should be provided by vendors,” wrote Huber.

## Analysis isn’t happening often enough

Despite all the effort, many DIY approaches still rely on point-in-time assessments. Pulling together reports, stitching dashboards from multiple sources, and trying to normalize and enrich all that data is time-consuming and complex. As a result, organizations often end up relying on infrequent snapshots that quickly become outdated, leaving critical blind spots. Meanwhile, attackers have a continuous, real-time view of your environment — the less frequent your analysis, the greater the advantage you’re giving them.

Continuous assessment is the only way to truly reduce risk, prioritize remediation effectively and stay ahead of evolving threats.

The problem lies in the misconceptions organizations still have about the benefits they will gain from using a modern platform. Many teams assume that even with a threat and exposure management (TEM) platform, updates will still be infrequent — monthly or quarterly at best. In fact, our study finds that only 14% of organizations expect to conduct weekly exposure assessments and even fewer expect to achieve continuous monitoring with a platform.

The reality is very different. Modern TEM platforms, like Tenable One, deliver continuous, real-time analysis across all assets, risks and data sources. Only a TEM platform can close the visibility gap, turning reactive security into proactive defense and giving teams the insight they need to stay ahead of evolving threats.

Source: Enterprise Strategy Group, now part of Omdia, Research Report, “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management,” July 2025

## How an exposure management platform outperforms the DIY approach

Managing risk with DIY tools is complex, time-consuming and often leaves dangerous blind spots in your protection.
The Tenable One Exposure Management Platform provides a unified, continuous and contextual approach to exposure management, helping organizations stay ahead of threats and make informed, actionable decisions.

- **Unified visibility:** Ingest data from all your existing security tools — including cloud security, vulnerability management, application scanners, identity management, endpoint detection and more — into a single view to eliminate blind spots.
- **Contextual prioritization:** Gain context-rich, actionable insights that highlight the risks that matter most to your specific business, enabling your teams to focus on what truly reduces exposure.
- **Continuous assessment:** Monitor your environment in real time to stay ahead of attackers and address vulnerabilities before they can be exploited.
- **Executive-ready reporting:** Access unified dashboards and reports that track business risk, analyze trends and share progress with leadership and the board.
- **Lower operational costs:** Avoid the high storage and computing expenses of running your own data lake or fabric and eliminate the need to dedicate resources to managing infrastructure, integrations and workflows.

Tenable One empowers organizations to move beyond fragmented, point-in-time assessments and achieve continuous, proactive exposure management that drives real risk reduction.

## Learn more

- Read the Enterprise Strategy Group report, “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management”
- Check out the Exposure Management Resource Center
- Visit the Exposure Management Academy
- Learn more about Tenable One
Analysis Summary
# Best Practices: Exposure Management (Buy vs. Build Considerations)
## Overview
These practices address the strategic decision between building in-house, fragmented security tooling versus adopting a unified, purpose-built platform for continuous exposure management. The focus is on leveraging integrated solutions to gain unified visibility, contextual prioritization, and reduce operational costs associated with DIY security infrastructure.
## Key Recommendations
### Immediate Actions
1. **Inventory Existing Data Sources:** Immediately map all security tools (vulnerability scanners, cloud security tools, identity management, endpoint detection) currently deployed across the environment.
2. **Identify Data Silos:** Quantify the gap between current data collection efforts and the need for a single, unified view of cyber risk exposure.
3. **Establish Risk Context Benchmarks:** Define necessary context tags (e.g., business criticality, asset owner) that must be applied to exposures for meaningful prioritization.
### Short-term Improvements (1-3 months)
1. **Evaluate Data Ingestion Capabilities:** Assess the feasibility and overhead of integrating existing third-party security tool data into a central repository versus using platform connectors designed for seamless integration.
2. **Implement Unified Dashboards for Key Metrics:** Begin piloting a central reporting mechanism that combines data from at least two disparate security domains (e.g., vulnerability data and cloud misconfigurations) to simulate unified visibility.
3. **Define Contextual Prioritization Logic:** Develop initial rules or workflows based on combining asset context with threat intelligence to focus remediation efforts on the highest-risk exposures.
### Long-term Strategy (3+ months)
1. **Adopt a Unified Exposure Management Platform:** Strategically move away from managing disparate, custom-built tools toward a comprehensive platform that provides continuous assessment and integrates all exposure vectors (cloud, on-prem, identity, OT/IoT).
2. **Automate Remediation Workflows:** Integrate the prioritization engine with ticketing and remediation systems to automate workflows for critical and high-risk findings, minimizing manual handoffs.
3. **Formalize Executive Risk Reporting:** Establish executive-ready dashboards that track risk reduction trends over time, utilizing unified data to communicate cyber risk impact to leadership and the board accurately.
## Implementation Guidance
### For Small Organizations
- **Prioritize Key Verticals:** Focus initial efforts on high-impact areas like basic vulnerability management and configuration assessment for the most critical internet-facing assets.
- **Leverage Integrated Trials:** Opt for unified platforms that offer basic connectors for existing external tools to avoid investing heavily in building custom integration infrastructure.
- **Focus on Cyber Hygiene:** Implement continuous assessment focused on maintaining a strong security baseline (e.g., patching, configuration standards) rather than attempting complex correlation initially.
### For Medium Organizations
- **Standardize Connectors:** Mandate the use of platform connectors (APIs) to link existing security investments (e.g., existing endpoint protection, cloud security posture management) to the central exposure management system.
- **Resource Allocation Review:** Conduct a cost-benefit analysis comparing the FTE time spent maintaining custom scripts, storage, and data processing versus the subscription and management costs of a unified platform.
- **Phased Rollout:** Roll out specialized visibility components (e.g., Identity Exposure) incrementally, ensuring data feeds correctly into the central prioritization engine before full adoption.
### For Large Enterprises
- **Mandate Data Unification as Policy:** Enforce a policy requiring all new security tooling acquisitions to provide robust API support compatible with the designated exposure management platform to prevent future data siloing.
- **Develop Custom Analytics via Platform Tools:** Utilize the platform's capabilities (e.g., GenAI analytics, custom reporting) to analyze aggregated data against proprietary business risk models.
- **Continuous Assessment & Emergency Response Planning:** Fully leverage real-time monitoring capabilities for continuous assessment and integrate the platform with IR playbooks for rapid response to emerging threats identified across previously siloed datasets.
## Configuration Examples
*(The source material focuses on platform features rather than specific configuration commands. The best practice here is platform adoption.)*
- **Data Ingestion:** Configure platform connectors to seamlessly pull asset and finding data from third-party security tools (e.g., configuration data from CNAPP, findings from vulnerability scanners) into the central exposure management database.
- **Prioritization Logic:** Configure risk scoring based on a formula combining **Vulnerability Severity** + **Asset Criticality** + **Exploitability Status** confirmed via unified threat intelligence feeds.
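
The sketch below is an added example, not code from the source article or from any vendor platform. It normalizes and deduplicates findings from two tools, then applies the severity + asset criticality + exploitability sum described above; all field names, weights, hostnames and CVE placeholders are constructed assumptions.

```python
# Added illustration: field names, weights and sample findings are constructed
# assumptions, not taken from any vendor's product or API.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed output from two hypothetical tools that describe findings differently.
SCANNER_A = [
    {"host": "WEB01.example.test", "cve": "CVE-0000-0001", "sev": "Critical"},
    {"host": "hr-db.example.test", "cve": "CVE-0000-0002", "sev": "Medium"},
]
SCANNER_B = [
    {"asset": "web01.example.test.", "vuln_id": "cve-0000-0001", "cvss": 9.8},
    {"asset": "build7.example.test", "vuln_id": "CVE-0000-0003", "cvss": 7.5},
]
# Context tags: asset criticality (1-4) and a constructed "known exploited" set.
CRITICALITY = {"web01.example.test": 2, "hr-db.example.test": 4, "build7.example.test": 1}
EXPLOITED = {"CVE-0000-0002"}

def cvss_to_severity(score):
    """Map a CVSS v3 base score onto the shared severity labels."""
    for label, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0)):
        if score >= floor:
            return label
    return "low"

def normalize(record):
    """Bring either tool's record into one schema: host, cve, severity."""
    host = (record.get("host") or record["asset"]).lower().rstrip(".")
    cve = (record.get("cve") or record["vuln_id"]).upper()
    sev = record["sev"].lower() if "sev" in record else cvss_to_severity(record["cvss"])
    return {"host": host, "cve": cve, "severity": sev}

def deduplicate(records):
    """Keep one finding per (host, cve); retain the higher severity on conflict."""
    merged = {}
    for r in map(normalize, records):
        key = (r["host"], r["cve"])
        if key not in merged or SEVERITY[r["severity"]] > SEVERITY[merged[key]["severity"]]:
            merged[key] = r
    return list(merged.values())

def score(finding):
    """Severity + asset criticality + exploitability (weight of 3 is an assumption)."""
    exploited = 3 if finding["cve"] in EXPLOITED else 0
    return SEVERITY[finding["severity"]] + CRITICALITY.get(finding["host"], 1) + exploited

def prioritize(records):
    """Return deduplicated findings, highest contextual score first."""
    return sorted(deduplicate(records), key=score, reverse=True)
```

With this sample data the medium-severity finding on the high-criticality, actively exploited asset ranks above the critical finding that both tools reported, which a raw-severity sort would have placed first.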
## Compliance Alignment
- **NIST CSF:** Alleviate gaps in **Identify (ID)** and **Protect (PR)** functions by achieving unified visibility across IT assets and prioritizing identified risks based on business context.
- **ISO 27001:** Support Annex A controls related to asset management and vulnerability management through continuous, contextualized monitoring mapped to a single source of truth.
- **CIS Controls:** Directly support the operationalization of controls requiring accurate asset inventory and continuous assessment of security configuration and vulnerability status.
## Common Pitfalls to Avoid
- **DIY Infrastructure Overload:** Avoid investing significant engineering resources into building and maintaining custom data lakes or data fabrics solely for security data correlation, as this incurs high storage, computing, and maintenance costs.
- **Point-in-Time Thinking:** Do not rely on periodic, fragmented security assessments; exposure management must be continuous, leveraging real-time monitoring.
- **Ignoring Context:** Do not prioritize remediation based solely on raw vulnerability severity scores; ensure context (asset value, exposure path) is always factored in to focus efforts on risks that truly matter.
## Resources
- **Exposure Management Platform Documentation:** Review vendor documentation for specifics on connector availability and integration capabilities to ensure existing tools can feed the central system.
- **ESG Report:** Reference external analyst reports such as the Enterprise Strategy Group report on "The Evolution of Risk Reduction" for validation on the benefits of unified threat and exposure management.
- **Academy/Training:** Utilize platform-specific training resources (e.g., Exposure Management Academy) to train staff on contextual risk analysis and unified reporting.