Athletes in the world of endurance sports often spend considerable time training in the outdoors exposed to the sun, which makes them vulnerable to UV rays overexposure, and serious skin cancers. To minimize this danger, they follow a strict schedule and regimen of training in the early hours of the morning when the sun is not at its sharpest, religiously using protective clothing and repeatedly applying that age-old favorite sunscreen.
Exposure of any kind brings with it risks, and risk forms the basis of Risk Management. In the world of cybersecurity, where organizations’ ‘exposed’ digital assets make them candidates for exploitation by bad actors, an equally stringent regime to manage the risk is called for – one that will prevent data breaches and ensure business continuity.
Understanding Exposure Management
Cyber threat exposure refers to the security risks associated with the compromise of digital assets. Exposure Management (EM) or Continuous Threat Exposure Management (CTEM) as Gartner calls it, is the process (1) of identifying, evaluating, and addressing the risks associated with these digital assets. Sometimes referred to as Attack Surface Management (ASM), it includes vulnerability identification and remediation.
Applying a risk-based method of thinking, an Exposure Management program addresses known vulnerabilities, and identifies possible attack paths, with a view to secure critical organizational assets. In short, it ensures a better and more robust security posture.
Benefits of a reliable system
Often regarded in cybersecurity circles as a Risk Management exercise, Exposure Management offers immense benefits. It is often regarded as the blueprint of an organization’s cybersecurity posture. Some of the benefits that accrue from a good Exposure Management System:
- Lowered risk levels
- Data protection due to enhanced levels of security
- Business continuity due to fewer interruptions and faster uptimes
- Greater insight/visibility into the cybersecurity threat landscape, visibility gaps in exposed assets/attack surfaces, and effectiveness of cybersecurity metrics (4) deployed
- Cost savings as a consequence of reduced impact in the event of a breach
- Greater sense of confidence and involvement in the team
- Investor and external stakeholder confidence
- Improvement of third-party (suppliers) risk tolerance
The challenges
Though the benefits accruing from EM are considerable, organizations are still likely to encounter some challenges in implementing a system. These may include lack of conviction and buy-in from the C-suite, considerable costs in system study and implementation, complexity in arriving at prioritizing of risks listed, difficulty in identifying vulnerabilities, maintaining the program embarked upon, and dealing with internal misgivings from team members due to their reluctance to accept new thinking.
Implementing an Exposure Management System
In the digital realm, an organization is only so strong as its security posture. Cybercrime is a real-time danger, and data breaches can have a devastating effect on an organization’s existence. To stay secure, organizations must secure their multiple exposed attack surfaces. Today, IoT devices, endpoints, applications, processing solutions, and cloud resources represent exposed attack surfaces. Exposure Management is key to an organization’s Risk Management program, offering critical insights into the process of risk assessment, management, and mitigation. Ultimately, exposure management is structured around well-defined and systematic processes. These processes work together to identify and assess the risks among all digital assets vulnerable to cyberattacks.
Cybersecurity firm Upguard (2) summarizes the basic stages involved in Exposure Management:
- Understanding exposure
- Prioritizing risks
- Organizing responses
- Establishing exposure remediation measures
Crowdstrike’s (1) provides a more detailed listing of the steps involved:
- Identifying the exposed assets like applications, endpoints, IoT devices, cloud-based storages, data points, etc.
- Attack surface mapping that will provide insights into visible attack paths that bad actors may use
- Risk assessment of each vulnerability factoring in the sensitivity of the vulnerability, and the probability and impact of the attack
- Prioritizing the remediation of exposures based on their risk assessment quotient
- Exposure mitigation measures like applying software patch updates, closing down compromised assets, and taking potential vulnerabilities offline, if warranted
- Continual monitoring for new threats
Organizations would benefit by paying attention to some of the best practices being followed in the industry. These best practices (3) could include:
- Automating processes or steps defined above in the EM lifecycle. Automation reduces time, provides reliable, error-free results, and injects confidence in the SOC/EM
- Investing in Artificial Intelligence (AI) and Machine Learning (ML) solutions that provide faster, more insightful solutions, especially in the area of new threats
- Ongoing monitoring, penetration testing, and preventive measures like patch updation
- Instituting a good audit plan to validate effectiveness achieved and ensure a lessons learned
environment
- Inculcating an atmosphere of ongoing training and education amongst employees, including sharing of test results of EM exercises
Outlook
It would not be out of place to say that ‘times are a-changing’. Business leaders have become more concerned about the risks inherent in the digital environment. Cybersecurity legislation (5) in recent times has set the tone for a more studied approach on the part of organizations’ C-suites to cyber threats. Though boards of directors in the public company space in the US are mandated to have at least one director who is solely responsible for cybersecurity, there is still some way to go, due to a paucity of cyber-skilled directors (6). Still, Gartner’s prediction (3) that 70 percent of boards will include one member with cybersecurity expertise by 2026 is seen as a positive sign that organizations are embracing cybersecurity and committing to a secure digital transformation.
All this augurs well for Exposure Management in organizations, as they navigate the exposures in their cybersecurity journeys. After all, like the endurance athlete, they too are there for the long haul.
References:
- What Is Exposure Management in Cybersecurity? – CrowdStrike
- Exposure Management in Cybersecurity? | UpGuard
- Exposure Management: Best Practices for Getting Ahead of Cyber Risk | Bitsight
- Evaluating Cybersecurity Systems Through Rigorous Testing – Aurora Systems Consulting Inc. (aurorait.com)
- New Cybersecurity Legislations: Guiding Organizational Action and Beyond – Aurora Systems Consulting Inc. (aurorait.com)
- The Role Of Cybersecurity Experts On Public Company Boards (forbes.com)
