By Jeremy D’Hoinne, VP Analyst at Gartner
Today’s cybersecurity attackers pivot fast, leaving organizations scrambling to automate controls and deploy security patches to keep up, but such tactics don’t reduce future exposure. What’s needed is a continuous threat exposure management (CTEM) program that surfaces and actively prioritizes whatever most threatens your business. Creating any such program requires a five-step process.
Step No. 1: Scope for Reducing Cybersecurity Exposure
Start by scoping your organization’s “attack surface” — vulnerable entry points and assets — which extends beyond the focus of typical vulnerability management programs. Include not just traditional devices, apps and applications but also less tangible elements such as corporate social media accounts, online code repositories and integrated supply chain systems.
Organizations looking to pilot their first CTEM initiative could consider one of the following two areas:
- External attack surface, which combines a relatively narrow scope with a growing ecosystem of tools.
- SaaS security posture, which has become an increasingly important area of focus as more remote workers have resulted in more critical business data being hosted on SaaS.
Step No. 2: Develop a Discovery Process for Assets and Their Risk Profiles
While many discovery processes initially focus on areas of the business that were identified during scoping (Step No. 1), they should proceed to identify visible and hidden assets, vulnerabilities, misconfiguration and other risks.
Confusion between scoping and discovery is often the first failure when building a CTEM program. The volume of discovered assets and vulnerabilities is not success in and of itself; it’s far more valuable to accurately scope based on business risk and potential impact.
Step No. 3: Prioritize the Threats Most Likely to Be Exploited
The goal of this process is not to fix every single security issue. Prioritization should factor in:
- Urgency
- Security
- Availability of compensating controls
- Tolerance for residual attack surface
- Level of risk posed to the organization
The key is to identify the high-value assets of the business and focus on a plan of treatment that addresses them.
Step No. 4: Validate How Attacks Might Work and How Systems Might React
First, confirm how attackers could exploit a vulnerability. Analyze all potential attack pathways to the asset and identify if the current response plan is fast and substantial enough to protect the business. Also, key is convincing all the business stakeholders to agree on what triggers lead to remediation.
By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach.
Step No. 5: Mobilize People and Processes
You can’t wholly rely on the promise of automated remediation (though it might make sense for some obvious and unobtrusive issues). Rather, communicate your CTEM plan to the security team and to business stakeholders, and make sure it’s well understood.
The objective of the “mobilization” effort is to ensure teams operationalize the CTEM findings by reducing any obstacles to approvals, implementation processes or mitigation deployments. In particular, document cross-team approval workflows.
