In conversation with Nathan Wenzler, Chief Security Strategist at Tenable (Part 2)

As part of a new blog series, Sekuro Field CTO Jason Trampevski chats with Nathan Wenzler, Chief Security Strategist at Tenable, to get his take on exposure management and the broader cyber security landscape. From the human-centricity of cyber security to the role of a CISO, this is your chance to be a fly on the wall for an insightful conversation (and sometimes deep philosophising) between two cyber security leaders.

The second in the series, this blog will focus on why vulnerability management has evolved into exposure management.

Exposure management: Visibility, context, prioritisation, and communication

Jason:  Can you explain what exposure management means to Tenable and how you are addressing it differently?

Nathan:  The industry is still defining what exposure management is. Gartner wrote a report on this in 2022, and it provides a good framework outlining the concept and what it’s about. And essentially, exposure management comes down to four elements.

First, it’s about acknowledging that because the technology landscape has gotten so broad and managing an attack surface has gotten so complex, organisations now need to have a better understanding of what they have visibility over. Then it’s about quantifying risk based on good threat intelligence, and I argue business intelligence too, so that you have the context you need. From there it’s about prioritisation. This means figuring out which risks are most problematic and dealing with those first. And then the key for me, which Gartner specifies heavily, is communication. IT leaders must be able to communicate those risks to all stakeholders in the organisation, not just the IT group, not just the security team.

For folks who’ve been in the industry a long time, this might sound like what they’ve been trying to do with vulnerability management – to get visibility and prioritise. But the reality is that the term vulnerability management has taken on the de facto definition of being nothing more than the tool that generates a list of missing patches for a patch management program.

It is not uncommon for major organisations to tell me they have a very robust program dedicated to threat and vulnerability management. In many cases, my first question will be to ask what they’re doing to solve the SQL injection vulnerabilities we just found on their website. To which they’ll tell me that’s not part of their program and it’s quickly apparent that they just deploy Windows patches.

I think the industry has a big challenge with how it approaches this issue. Even the analyst groups, if you go back a few years – Gartner, Forrester, all those folks – stopped looking at vulnerability management as a practice and started seeing it as a commodity, mainly because it was seen as this thing to generate patch lists. Exposure management in a lot of ways is a really important term because it is, to some extent, an acknowledgement that we’re letting go of the old term and instead talking about things from a risk exposure perspective.

Exposure management is broadening the scope of what we’re trying to deal with. It’s acknowledging that cyber risk is not just your Windows analytic systems, it’s anywhere in your technology space. It’s anywhere within the attack surface, and that is a business risk. It has to be communicated with non-technical people. Better decisions have to be made about where, how, and when we action, resolve, reconfigure or fix code or whatever the mitigation step is.

And when you lay it out like that, it becomes an obvious evolution for a company like Tenable. We’ve been in the vulnerability management space for a long time but the mission has always been about identifying an organisation’s risk and helping them make good decisions so they can prevent attacks before they happen. That philosophy extends into all the other technology types – into your cloud environment, your IT space, your identity directory management, and so on.

What we’re doing as a company isn’t really new from a philosophy standpoint. It’s just that we need to look at it more broadly and not just at what a Nessus scanner can reach.

It’s really been a fascinating growth, at least for us over the last few years. But fundamentally, exposure management in the way we’ve just spoken about it, it’s kind of what we’ve always done.

SCANNING IS NOT MANAGEMENT

Jason:  I feel like the market is confused because what customers and organisations have been doing is vulnerability scanning but they call it vulnerability management.

Nathan:  One hundred per cent.

Jason:  And it doesn’t inform their risk management because a scan will pick up a risk and then they’ll give it a scoring.

Nathan:  When I’m talking about our tooling and the different modules and software pieces we offer, I always try to refer to them as sensors, because ‘scan’ is such a loaded word. They’ll tell me they’ve been doing scanning for a long time, but the real question is whether they’ve been doing it well and if they’ve been using that information for anything valuable.

The question becomes, “Well, did you run an authenticated scan? Did you scan everywhere? Did you actually prioritise? Did you actually do a risk assessment?” And you start to see customers’ eyes glaze over and they’ll say, “Oh gosh, no, I just sent the output to my team and I assume they’re doing something.”

To your point, it’s all just scanning or barely running an assessment, but it’s not proper management. And that’s, again, why I think it’s good we’re evolving into this new term, even if it’s a little bit confusing right now.

It really does give us as an industry an opportunity to encourage people to see their security program as less of an IT function that’s just pushing buttons and conducting operations and to get them more aligned with the proper business risk management function so that they can advise the business better. That’s really where your security program should be but that can be a tough transition for a lot of folks.

To be continued…

Nathan Wenzler 

Chief Security Strategist, Tenable

Nathan has over 25 years of experience in the trenches as CISO of Information Security programs, helping organisations to optimise, mature and accelerate their information security and risk management programs. Nathan’s focus areas include vulnerability and exposure management, PAM, incident response, process and workflow improvements, executive-level program management, and the human-focused aspects of InfoSec.

Jason Trampevski 

Field Chief Technology Officer (CTO), Sekuro

Jason is a strategic technology leader dedicated to helping organisations achieve their goals through the effective use of technology. His expertise lies in building resilience and driving business success. As a specialist in transforming complex business requirements into streamlined technology solutions, his focus lies in harmonising the essential components of people, processes, and technology to empower organisations to maintain agility and competitiveness in today's rapidly evolving digital world.
