
How Exposure Management Helps Communicate Cyber Risk

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. This week, Tenable experts discuss best practices for communicating cyber risk. You can read the entire Exposure Management Academy series here.

Despite headline-grabbing incidents and keen interest from C-suites and boardrooms, many security leaders still struggle to gain executive buy-in or rally cross-departmental support. The challenge isn’t the data itself; it’s often how you deliver the message. Many security teams are buried in mounds of information from an array of disconnected security solutions. This makes it tough to present a consolidated, understandable overview of cyber risk.

That brings up a couple of questions. First, what can you do to fix this communication challenge and improve how technical teams convey risk to non-technical decision-makers? Second, how can security teams give context to their IT counterparts to effectively prioritize remediation efforts? One way is to move to exposure management. 

Exposure management gives security leaders the processes and technologies they need to continuously assess the accessibility, exploitability and criticality of digital assets across all systems, applications, devices, resources and identities. As a result, security leaders can proactively answer questions about their organization’s exposure risk. 

A well-executed exposure management program can help you distill complex issues and vast stores of data into clear, digestible metrics. You’ll also be able to avoid overly technical language, which will help engage with leadership and board members. And you’ll avoid burning out your IT teams with endless tasks by giving them real-world guidance about what to fix first and why.

Speak in a language the board and C-suite understand

Security professionals understand technical jargon. But most others don’t. Board members focus on business disruption, liability and cost. C-level executives worry about the overall strategic direction of the business, along with any risks that might imperil the future of the organization. Other executives, especially those who run a line of business, are laser-focused on their respective areas. They appreciate security but likely don’t know the lingo and lack the context needed to understand cyber risk.

Exposure management helps translate technical complexity into clear, concise business language. This translation is vital for winning executive support and for shifting security from a reactive posture to a strategic mindset.

Jorge Orchilles, Senior Director of Readiness and Proactive Security at Verizon, summed it up well in his contribution to the Exposure Management Academy: “Instead of delivering long lists of vulnerabilities that mean little to non-technical leaders, we can present a clear picture in a few key points.”

Cut through the noise and focus on what matters

A primary stumbling block that stands in the way of clear communication in cybersecurity is information overload, with teams often buried in alerts and data, much of which is just noise.

As Robert Huber, Tenable’s Chief Security Officer and Head of Research, wrote recently, “Not all risks are created equal.” He says that, if you think of everything as a top priority, then nothing is. 

An exposure management program can help organizations focus on the issues that pose a true disruption to the business. That clarity, which distinguishes between meaningful signals and background noise, is invaluable for making better, more explainable decisions. Huber says that this approach has enabled his team to zero in on critical issues so they can focus on what really matters and drive the right outcomes.

Communicate to drive collaboration

Effective cyber risk management can be hindered when IT and security operate in separate spheres, speaking different languages, which can create friction and missed opportunities.

An exposure management platform can offer a common framework and a shared view of risk for both security and IT. Tenable’s CIO, Patricia Grant, sees securing the enterprise as a joint responsibility. 

“The security team sets the posture,” she says. “But IT owns the infrastructure. Exposure management gives us a common language to operate in.” 

Grant adds that, when you can put an issue in the context of the risk it poses, rather than just thinking about it as another patch, you’ll see much better engagement. The lesson here is that clear communication is more than a nicety. It can create action. Moreover, when technical teams and business stakeholders align, they agree on priorities and make progress.

Move from blind spots to insights

Successful exposure management extends beyond prioritizing known vulnerabilities. It provides a full picture of deficiencies across all your environments. 

“As security professionals, we’ve had to move away from thinking of cybersecurity as just ‘scan-patch-rescan,’” says Arnie Cabral, Senior Staff Security Engineer at Tenable, echoing Grant. “Exposure management has been the catalyst for that shift and gives us a much broader lens with the ability to narrow the scope.”

This fresh perspective can yield surprising benefits. 

“Our exposure management platform became our de facto inventory tool,” Cabral says. “There were times people would ask, ‘What’s this asset doing here?’ We didn’t have an easy answer. Now, we do. We’re able to transform the data into actual usable information with real insight.” 

That visibility, combined with clear communication about the risk implications of these findings, helps his team connect with wider stakeholders. “We’re doing more than just fixing exposures,” he says. “We’re helping the business as a whole understand its risk and take actions where necessary.”

Takeaways

By enabling a centralized perspective, exposure management can foster more straightforward communication throughout an organization with consistent metrics and easily understandable visuals. 

Of course, technical specialists can access the detailed data that’s essential for their work. But, at the same time, executives and board members will gain a clear understanding of the organization’s overall security status. They’ll see the areas that need attention without needing to decipher complex technical details. 

All members of an organization — technical and non-technical — can compare performance against industry counterparts and monitor key performance indicators (KPIs) over time. This benchmarking helps provide invaluable context and addresses the common question that plagues us all: “How is the organization performing?” 

These valuable perspectives enable more targeted resource deployment and build cooperation across different business units by furnishing the metrics they care about.

Ultimately, exposure management helps organizations transcend the limitations of isolated data and inscrutable terminology. It creates a comprehensive awareness of the entire attack surface, which lets security leaders clearly define risk and demonstrate progress, and helps everyone understand their role in an organization’s cyber readiness.


*** This is a Security Bloggers Network syndicated blog from Tenable Blog authored by Team Tenable. Read the original post at: https://www.tenable.com/blog/how-exposure-management-helps-communicate-cyber-risk