Last updated at Tue, 13 Feb 2024 21:57:55 GMT

In an ongoing effort to help security organizations gain greater visibility into threat exposure risk, we have determined four key questions every CISO should be considering based on our understanding of the recommendations of a new report from Gartner®. The report, 2024 Strategic Roadmap for Managing Threat Exposure, can help CISOs and other top executives steer away from risk by analyzing their attack surfaces for gaps.

Question #1: What Do You Already Know?

What are the business-driven events that have already been or are currently being scoped and planned for? In analyzing threat exposure for specific events along the course of the year, a security organization will have the power to better tailor their risk mitigation approaches.

“It’s crucial to scope risk in relation to threat exposure, as this is one of the key outputs that will benefit the wider business. To do so, senior leaders must understand the exposure facing the organization, in direct relation to the impact that an exploitation of said exposure would have. Together, with this information, executives can make informed decisions to either remediate, mitigate or accept the perceived risks. Without impact context, the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.” says the Gartner report.

Post-risk scoping, it’s a good idea to then consider if there are any measures that can be taken to better protect certain business-driven events if they have been found to have a greater chance of threat-actor exploitability.

Question #2: How Visible Are Your Critical Systems?

It is also incredibly valuable to take inventory of the most critical and exposed systems in the network, along with each system’s level of visibility and its location. Having a thorough catalog of the points that are or could be the most vulnerable is a must. Just because an exploitable asset might not be considered a remediation priority, there is always the possibility it could be exploited down the line.

Within the context of the report, Gartner details a visibility framework that can aid with vulnerability prioritization:

“Coupled with accessibility is the visibility of the exploitable service, port, or asset. These technologies implement configuration to ensure that details of exploitable elements are not revealed to potential attackers, but not directly removing the possibility of their exploitation.”

Therefore, it becomes necessary to leverage technologies that can provide insights into the visibility of an asset so that – if there is currently a low likelihood of exploitability – remediation efforts can be focused elsewhere and efficiencies can be gained within the security organization.

Question #3: Who “Owns” IT Systems?

Identifying who is responsible for the deployment and management of critical IT systems is key if the security organization is to get interdepartmental buy-in for an effective plan to manage threat exposure. Sometimes there isn’t just one person responsible for a certain aspect of network management, which is important to keep in mind as efforts to mitigate threat exposure are built out.

Security personnel, as with so many business operations in which they take part, also must keep in mind that there could be pushback or slow buy-in to a plan that is perceived to lack context. To this point, the research states:

“Without impact context, the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.”

Question #4: Who is Responsible for Risk?

Potential friction could also lie in the effort to convince a system owner that there is real action required – and that it could upend that team’s workflow. Effective communication will be imperative here, as will the ability to provide the visibility needed to quickly convince stakeholders that action is, indeed, needed and worth the potential interruption. The report drives home the need for allying with those responsible for risk decisions:

“From the perspective of the organization’s business risk owner, it’s important to recognize that the security team’s role is to support risk management in such a way that the owner can make informed data-driven decisions.”

The CISO Says It All

It will ultimately be up to the CISO to manage and connect separate plans to both limit and eliminate threat exposure along attack surfaces. Through this effort, the CISO can demonstrate the benefits of implementing platforms to manage the growing risk of threat exposure. They’ll also be able to prove the worth of the security operations center (SOC) as both key partners in the effort to keep business secure.

We’re pleased to continually offer leading research to help you gain clarity into managing the risk of threat exposure. Read the Gartner report to better understand how a broad set of exposures can impact the workloads of a security organization – and how important it becomes to prioritize properly and communicate effectively.

Gartner, 2024 Strategic Roadmap for Managing Threat Exposure, Pete Shoard, 8 November 2023.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.