Full Report
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable CSO Robert Huber shares practical advice on using an exposure management program to focus on risks that have business impact. You can read the entire Exposure Management Academy series here.

There’s a trap security practitioners can often fall into. No, it’s not some tactic employed by the bad guys to trip us up. It’s a fairly simple trick of the mind: thinking that every risk deserves urgent attention. Maybe it’s human nature. If there’s a problem — no matter how big or small — some of us are just wired to want to fix it right away and get it off our punch list. But I’ve learned the hard way that not all risks are created equal. So treating each one as the number-one priority is a surefire shortcut to burnout and inefficiency.

Like many of you, here at Tenable, we’ve been building our own internal exposure management program. On this journey, one of the most profound lessons I’ve learned is to prioritize risk based on business impact. Moving to that line of thinking has helped me bring clarity to chaos. It has reduced the noise and allowed me to focus myself and my team on what really matters, which is the key to a successful exposure management program.

## Start with the right data

One of the big struggles for security professionals is context switching. When you meet with your business leaders to update them, you often have to scramble to pull together inputs from a dozen different tools and teams. That’s because the data is siloed, often incomplete and nearly impossible to compare. Our job in security is to provide these leaders — maybe your CEO or head of a business unit — with a clear, coherent picture of the most acute exposures. Try as we might, those pictures have been partly cloudy with a chance of inaccuracies.

So, as we started on the exposure management journey, our initial step was to assimilate the data. And I mean all of it. With help from Vulcan (now part of Tenable), we combed through tools, platforms and teams for every scrap of data. Believe me, until you do that, you can’t prioritize meaningfully. You’re just guessing.

## Understand risk in context

OK, bringing all that data together was a huge task. You’ll probably think, “Mission accomplished!” But that’s just the start.

Once the data’s in one place, the real work begins. That’s when I ask: What does this risk mean in context?

You should look at it from a couple of angles: First, consider it in the context of other risks across your organization. Then, think about the risks in the context of the business itself. How could this risk affect your revenue, operations or reputation? If you don’t think this way right off the bat, you’ll just end up reacting to the loudest alert, not the most important one. And we know how that goes. As I heard often during officer candidate school in the military: focus on the important, not the urgent — which is especially helpful when you don’t have enough time in the day.

## Identify the systemic issues

Exposure management isn’t about patching one vulnerability at a time. It’s about identifying what I call the big rocks. Whatever you call them, these are systemic issues that affect thousands of assets or users. Left unaddressed, they can truly put the business at risk.

Sometimes we don’t fix those big rocks right away. That might be because a patch broke a critical system or legacy infrastructure doesn’t support a specific control. When that happens, the exposure becomes a tracked business risk on our risk register. And it stays on the radar until we resolve it.

That’s a big shift from the old model, where issues could disappear into ticket queues with no clear owner and no resolution in sight. With exposure management platforms, leadership and even the board can have their eyes on these issues. That’s because we’re aligning security priorities with business priorities.

## Clearly communicate risk

Of course, none of this works unless you communicate clearly. And communication can be a big challenge. You could use simple traffic light charts (i.e., red, yellow, green) to represent control coverage. But how do you accurately assign those colors? It can be a subjective exercise based more on your gut than real data. With exposure management software, your eventual goal should be to make that process quantitative and, ideally, real-time so you don’t have to pull a team off their work every quarter to do manual updates. Soon, we’ll live in a world where the moment something changes, we’ll see it communicated immediately. With that instantaneous information at our disposal, we’ll decide whether to act, defer or escalate.

## Manage change so it doesn’t manage you

Exposure management isn’t just a technical shift. It’s a change management exercise. You’re asking teams to work differently, respond to new priorities and trust a centralized system that makes decisions based on data that might be unfamiliar.

That kind of shift takes time. It requires building relationships, clarifying expectations and iterating on the program until it works for everyone. As my colleague Arnie Cabral wrote in What it Takes to Start the Exposure Management Journey, we’ve started by rebuilding our policies, defining roles and responsibilities and ensuring that the people doing the work know exactly what’s expected — and why.

## Takeaways: This is the path forward

We’re in the early days of this exposure management journey. And some of our industry certifications and policies still require us to fix everything above a certain CVSS score, whether or not it truly poses a threat. So there will be a level of reconciliation ahead between traditional compliance models and this more pragmatic, business-aligned approach.

But I believe exposure management, when done right, can bridge that gap. It will give you the ability to say, “These are the risks that matter most — and here’s why.”

That’s how you’ll make better decisions in the long run. You’ll better protect your business. And you’ll move security from reactive to strategic.

Have a question about exposure management you’d like us to tackle? We’re all ears. Share your question and maybe we’ll feature it in a future post.
Analysis Summary
The provided context is highly fragmented and primarily consists of navigation links, commercial product mentions (specifically the Tenable One Exposure Management Platform), and an executive biography. It **does not contain explicit, detailed cybersecurity best practices, configuration guidelines, or step-by-step instructions** that can be directly extracted into the requested actionable format.
However, the core underlying theme is the shift towards **Exposure Management** as a methodology for prioritizing risk based on business impact. I will structure the summary based on the *implied* best practices necessary to implement a robust Exposure Management program, drawing inferences from the platform capabilities mentioned (Vulnerability, Cloud, OT/IoT, Identity Exposure, Attack Path Analysis).
# Best Practices: Implementing Business-Driven Exposure Management
## Overview
These practices focus on moving beyond traditional siloed vulnerability scanning to an integrated Exposure Management approach. The core goal is to gain comprehensive visibility across the entire attack surface (including IT, Cloud, OT, and Identity) and prioritize remediation efforts based on the **business risk** associated with exploitable attack paths, rather than just vulnerability severity scores.
## Key Recommendations
### Immediate Actions
1. **Establish Attack Surface Context:** Immediately begin documenting or mapping critical business assets and processes to the underlying IT/Cloud/OT infrastructure components that support them.
2. **Integrate Key Exposure Inputs:** Ensure that data feeds from critical security disciplines—Vulnerability Management, Cloud Security Posture Management (CSPM), Identity Exposure, and OT/IoT context—are being collected, even if they remain in separate tools for now.
3. **Identify Business-Critical Systems:** Designate the top 10-20 most critical systems (by impact to revenue, safety, or compliance) to serve as the initial focus group for risk prioritization.
### Short-term Improvements (1-3 months)
1. **Implement Risk Prioritization Methodology:** Adopt a framework (like one informed by asset context and attack path analysis) that surfaces exposures that are both technically vulnerable *and* impact a critical asset.
2. **Enable Attack Path Analysis:** Begin utilizing tools capable of chaining identified vulnerabilities, misconfigurations, and excessive identity entitlements into comprehensive attack paths leading to critical assets.
3. **Standardize Reporting Metrics:** Shift reporting focus from "Total Vulnerability Count" to "Business Risk Score" or "Exposure Score" related to critical assets.
### Long-term Strategy (3+ months)
1. **Achieve Full Surface Visibility:** Integrate security monitoring for all defined exposure categories: Vulnerability Exposure, Cloud Exposure (IaaS/PaaS/SaaS), Operational Technology (OT/IoT) Exposure, and Identity Exposure (CIEM).
2. **Automate Risk Reduction Workflows:** Implement workflows that automatically surface high-risk exposures impacting critical assets directly to the relevant asset owner or remediation team in their native tracking system (e.g., ticketing system).
3. **Continuous Risk Communication:** Embed the exposure management risk metrics into executive and board-level reporting to ensure security efforts remain aligned with business objectives and strategic investment priorities.
## Implementation Guidance
### For Small Organizations
- **Focus on Consolidation:** Prioritize using fewer, integrated products to cover the primary attack surfaces (e.g., traditional IT vulnerabilities and basic Cloud posture).
- **Manual Context Mapping:** Since named platforms might be resource-intensive, start by manually documenting which assets (servers, applications) are mission-critical and use existing vulnerability scanner data filtered against that list.
### For Medium Organizations
- **Phased Integration:** Select one major silo (e.g., Vulnerability Management) and integrate its output with a simplified Attack Path Analysis layer.
- **Start Identity Focus:** Begin assessing Identity Exposure (e.g., privileged access in cloud environments) as a key enabler of successful attacks against existing vulnerabilities.
### For Large Enterprises
- **Platform Adoption:** Implement a unified Exposure Management platform capable of ingesting data from diverse sources (Cloud, VM, OT, Identity) to enable comprehensive, unified attack path modeling.
- **Governance and Ownership:** Establish clear governance structures where asset owners are accountable for risk reduction metrics tied specifically to their business-critical systems, as identified by the exposure management program.
## Configuration Examples
*Since the source article promotes products, direct technical configuration snippets are unavailable. The conceptual configuration task based on the context is:*
**Configuration Goal: Prioritizing Remediation Based on Attack Path:**
Configure the security platform to calculate a "Business Risk Score" instead of relying solely on the base CVSS score for critical assets. This calculation must incorporate:
1. **Vulnerability Severity (CVSS/VPR).**
2. **Asset Criticality Weighting** (e.g., Asset Tier 1 = 10x weight).
3. **Attack Path Detectability:** Is there a verifiable, unmitigated path from the internet to the vulnerable asset? (If yes, escalate priority).
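A worked version of the scoring described above, added here as an example and not code from Tenable or the article: it combines severity, a tier weight (Tier 1 = 10x, per the goal above) and an escalation for an internet-reachable attack path, then maps the result to a traffic-light colour by numeric threshold. The Tier 2/3 weights, the 2x path multiplier, the colour cut-offs and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass
# Assumed weights: Tier 1 assets count 10x (the "Asset Tier 1 = 10x weight" figure above), Tier 3 is baseline.
TIER_WEIGHT = {1: 10.0, 2: 3.0, 3: 1.0}
INTERNET_PATH_MULTIPLIER = 2.0   # assumed escalation for a verifiable, unmitigated path from the internet
RAG_THRESHOLDS = ((100.0, "red"), (25.0, "yellow"))  # assumed traffic-light cut-offs on the score

@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    asset_tier: int      # 1 = most business-critical, 3 = least
    severity: float      # CVSS base score or VPR, 0.0 to 10.0
    internet_path: bool  # verifiable, unmitigated path from the internet to this asset?

def business_risk_score(finding: Finding) -> float:
    """Severity x asset criticality weight, escalated when an internet attack path exists."""
    if not 0.0 <= finding.severity <= 10.0:
        raise ValueError(f"{finding.finding_id}: severity must be 0.0-10.0")
    score = finding.severity * TIER_WEIGHT.get(finding.asset_tier, 1.0)  # unknown tier: no uplift
    if finding.internet_path:
        score *= INTERNET_PATH_MULTIPLIER
    return round(score, 1)

def rag_status(score: float) -> str:
    """Assign the traffic-light colour from a numeric threshold rather than a gut call."""
    for floor, colour in RAG_THRESHOLDS:
        if score >= floor:
            return colour
    return "green"

def prioritize(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Rank findings by business risk score, highest first: (id, score, colour)."""
    scored = [(f.finding_id, business_risk_score(f)) for f in findings]
    return [(fid, s, rag_status(s)) for fid, s in sorted(scored, key=lambda row: row[1], reverse=True)]

def cvss_only_order(findings: list[Finding]) -> list[str]:
    """The queue a raw-severity sort would produce, for comparison."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.severity, reverse=True)]

# Constructed sample findings; asset names, tiers and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-1", "billing-api", 1, 6.5, True),    # medium CVSS, Tier 1, internet-reachable
    Finding("F-2", "lab-vm-07", 3, 9.8, False),     # critical CVSS, isolated Tier 3 lab box
    Finding("F-3", "hr-portal", 2, 8.1, True),
    Finding("F-4", "intranet-wiki", 2, 7.0, False),
]
if __name__ == "__main__":
    print("CVSS-only order:    ", cvss_only_order(SAMPLE_FINDINGS))
    print("Business risk order:", prioritize(SAMPLE_FINDINGS))
```

On the sample data the raw-CVSS queue puts the isolated lab box first, while the business risk ranking puts the medium-severity finding on the internet-reachable Tier 1 billing API at the top.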
## Compliance Alignment
Exposure Management fundamentally supports organizational compliance requirements by ensuring risk reduction efforts are effective and targeted.
| Standard/Framework | Alignment Point |
| :--- | :--- |
| **NIST CSF** | **Identify (ID)**: Understanding the full attackable surface; **Protect (PR)**: Focusing protection efforts based on potential pathways; **Detect (DE)**: Improved context for monitoring. |
| **ISO 27001/27002** | Annex A.12 (Operations Security) and A.14 (System Acquisition, Development, and Maintenance) by ensuring vulnerabilities are managed according to defined business risk tolerance. |
| **CIS Critical Security Controls (CSCs)** | Directly enhances **Control 3 (Asset Inventory)** and **Control 4 (Secure Configuration)** by providing business context on *which* assets/configurations matter most. |
## Common Pitfalls to Avoid
- **Ignoring Non-Traditional Assets:** Focusing solely on IT assets while ignoring significant risk vectors from unmanaged OT/IoT devices or improperly secured Cloud Infrastructure (IaaS/PaaS).
- **Sticking to CVSS:** Using raw Common Vulnerability Scoring System (CVSS) scores alone for prioritization; this ignores exploitability, asset value, and potential attack chaining.
- **Siloed Metrics:** Reporting on technical metrics (e.g., "We ran 100 cloud scans") instead of communicating the reduction of *business impact exposure*.
- **Incomplete Identity Data:** Failing to connect identity exposures (e.g., overly permissive roles or unused credentials) as a direct step in attack path analysis.
## Resources
- **Framework Focus:** Utilize established asset inventory and risk assessment methodologies (e.g., NIST SP 800-30).
- **Service Integration:** Investigate integrated security platforms that combine Vulnerability Management, Cloud Security Posture Management (CSPM), and Identity Governance functions to facilitate Attack Path Analysis.