Ivanti Originals

Exposure Management: From Subjective to Objective Cybersecurity

Ivanti


Show notes 

Ivanti’s research — a global study of more than 2,400 executive leaders and cybersecurity professionals — delves into how exposure management offers cybersecurity and executive leaders a more informed and intelligent approach to risk, and how misaligned priorities and data accessibility barriers impede cybersecurity efforts. Ivanti's global research shows how to balance your risk appetite and business objectives.

Listen to “Exposure Management: From Subjective to Objective Cybersecurity” to discover how exposure management reframes how cybersecurity and business leaders understand risk and gives your organization the methodology and tools to make strategic cybersecurity risk management decisions.

Get more resources 

To read the report and access additional media, including presentation-ready slides and downloadable charts and graphs, visit ivanti.com/proactive-security.

For more Ivanti research on IT, security and the future of work, visit ivanti.com/research. 

About Ivanti 

Ivanti elevates and secures anytime, anywhere work so that people and organizations can thrive. We make technology work for people, not the other way around. Today’s employees use a wide range of corporate and personal devices to access IT applications and data over multiple networks to stay productive wherever and however they work. Ivanti is one of the only technology companies that finds, manages and protects each IT asset and endpoint in an organization. Over 40,000 customers, including 88 of the Fortune 100, have chosen Ivanti to help them deliver excellent digital employee experiences and improve IT and security team productivity and efficiency. At Ivanti, we strive to create an environment where all perspectives are heard, respected and valued, and we are committed to a more sustainable future for our customers, partners, employees and the planet. For more information, visit ivanti.com and follow @GoIvanti.

Introduction:

Exposure management gives business and cybersecurity leaders the methodology and tools to make informed cybersecurity risk management decisions. Significant barriers stand in the way of adoption.  

You’re listening to the audio version of Exposure Management: From Subjective to Objective Cybersecurity, part of Ivanti’s state of cybersecurity research series. To see more Ivanti research, visit ivanti, I-V-A-N-T-I.com/research.

[Music begins]  

Part one: Digital sprawl is driving up vulnerability 

Modern attack surfaces now encompass a massive, growing ecosystem of assets — from cloud infrastructure and IoT devices to supply chains, identities and permissions. To stay protected, organizations must first make sense of this scale and complexity. 

[Music ends]  

Managing the vast breadth of modern IT ecosystems is increasingly overwhelming for IT and security teams alike. In addition to keeping up with the constantly evolving array of cyberthreats and attack types, IT and security teams must contend with the shelf life and complexity of their organizations’ software. 

Nearly half (48%) of security professionals say their organization uses software that has reached “end of life” (EOL). Software that no longer receives security patches, technical support and updates can leave devices vulnerable to cyberattacks and data breaches.

And 43% of security professionals have not identified the most vulnerable third-party systems / components in their software supply chains. 

The situation is particularly alarming in highly regulated industries. In healthcare, for example, where disruptions in critical systems have higher stakes and can directly affect patient care and treatment outcomes, 54% of IT and security professionals say they use software that has reached end of life.

It’s no wonder 40% of security professionals globally say their tech infrastructure is so complex that they can’t uphold basic security practices. 

[Sting]  

How can you take action? 

Here’s what Karl Triebes, Ivanti’s Chief Product Officer, has to say: 

“Exposure management expands that definition of an asset to go beyond just hardware and software assets to encompass any tangible or intangible element of business value. And it all goes back to ‘how am I managing the value of the business in the context of these risks that are within my infrastructure?’ So, to understand and address visibility gaps, organizations need to conduct an attack surface review of all known and unknown assets. Discovery solutions that detect new or unknown devices joining your network instantly provide the single source of truth, you know, helping IT gain complete visibility and preparing them to optimize asset value, plug security vulnerabilities and understand the service mapping dependency. So, by expanding the attack surface to include these additional areas, organizations can achieve a more comprehensive and contextual view of cybersecurity risks and enhance overall resilience.

So, it's important to have defined processes of prioritization for securing assets, based on factors like business impact, likelihood of exploitation by malicious actors, et cetera. You know, you find all these assets, and then what you do is you look at the risk that they provide, and then you categorize and prioritize that risk. You take actions based on that. You look at the outcomes and then you see what the impact is on your overall risk score.”

[Music begins]  

Part two: Access denied: Unlocking data accessibility 

When data is inaccessible, it erodes the value of new tech investments, makes security vulnerabilities harder to detect and manage, and impairs data-driven decision making. 

[Music ends]  

Our research shows many companies struggle to access and leverage their vast troves of data. Security professionals report many areas with missing or incomplete data and insights — making it difficult, for example, to detect shadow IT (45%) or confidently identify specific vulnerabilities based on existing data (41%). All of these gaps add to an organization's security blind spots. 

Making matters worse, more than half (55%) of IT professionals say their companies’ security and IT data are siloed. The situation is improving (this number is down 14 points from last year), but significant work remains. 

The modern enterprise is data-rich, but information-poor. Organizations accumulate vast quantities of raw data but struggle to convert it into meaningful insights. Even when data is accessible to some, silos prevent a comprehensive approach to threat detection and incident response. 

For example: Fifty-three percent of security professionals say data silos weaken their organization’s security posture.  

And sixty-two percent of security professionals say siloed data slows down security response times. 

Fixing the problem won’t be easy. IT professionals estimate that breaking down data silos inside their organizations would take five years on average — an eternity for companies hoping to leverage data-hungry gen AI and automation solutions for mission-critical work like automated vulnerability management or proactive threat intelligence.  

Even so, improving data accessibility and visibility is essential for companies looking to turn data into insight and action. When properly harnessed, enterprise data becomes the lifeblood of AI systems and automated workflows, powering intelligent decision making and operational efficiencies — all of which are critical steps toward a more strategic approach to security. 

[Sting]  

How can you take action? 

Here’s what Daren Goesen, Ivanti’s Senior Vice President of Product Management, has to say: 

“So, some of the things that companies can do to really make this data visible and accessible: number one is they can create a comprehensive data management strategy. They're understanding what data they're managing, and it's part of their overall strategy. Self-service tools like business intelligence tools are great for making this data accessible within the organization. Of course, if we think about how we can convert this into meaningful insights to power these security decisions:

Number one, correlation of data. We're talking about data from the security organization, from the IT organization, from the business, and correlating that all gives you the ability to look at things from different dimensions within your data set.  

Two is leverage platforms. Platforms give you the ability to get insights quicker because the data is integrated and correlated together. And then, of course, use AI to really drive the insights. Humans can't look at large data sets and get the insights out of them, and AI does that with these large data sets. So, these are all strategies collectively. If you put them together, it allows data to be more accessible to the right authorized personnel within the organization and allows you to get a broader set of insights that can make better decisions in your company.”

[Music begins]  

Part three: Reframing enterprise risk 

All the complexity, sprawl and blind spots require a shift away from traditional vulnerability management. The first step involves defining the organization’s risk framework and quantifying exposure.

[Music ends]  

As companies transition to an exposure management approach, CISOs and CEOs will need to collaborate on developing a risk tolerance framework that balances current risk posture with organizational risk appetite. 

Risk posture is a company’s current state of risk management, which reflects actual exposure and defenses. 

Risk appetite is the level of risk an organization is willing to accept in pursuit of its objectives. 

Too often, these two — posture and appetite — are out of alignment. Security leaders, understandably, tend to err on the side of safety. Business leaders, on the other hand, are often more willing to trade off some degree of safety if that greater openness drives higher growth and innovation. 

There is no universal answer — just that which both CEOs and CISOs intentionally decide is the correct balance. 

The large majority of companies (83%) report they have a framework for defining risk tolerance. A good start. Yet many admit they don’t strongly follow their risk tolerance framework. 

Overall, 51% say they don’t follow their existing risk tolerance framework. Among enterprise companies, the situation is better, but still not ideal. Forty-three percent of companies with 10,000 or more employees say they don’t strongly follow their own risk tolerance framework. 

Part of the problem may be that companies are struggling to measure their exposure. 

Security professionals say they face significant barriers when measuring and managing risk exposure; nearly half (49%) say they can’t access the right data to measure and manage risk. These data blind spots mean critical threats may be overlooked or identified too late. Adding to the problem, 51% say they lack the talent to properly measure risk.   

[Sting] 

How can you take action? 

Here’s what Mike Riemer, Ivanti’s Field CISO, has to say: 

“Some specific steps to help organizations better follow their risk tolerance frameworks include: getting as complete an inventory of the attack surface as possible; assigning financial values to assets to calculate risk in monetary terms wherever possible; and, if using a risk score to describe risk posture, defining the risk thresholds in the risk assessment framework using the same scoring scheme. By aggregating data to ensure a comprehensive view of the organization's attack surface, exposure management can help develop realistic metrics that align with the organization's risk appetite and business objectives.”

[Music begins]  

Part four: Exposure management: a contextual approach to risk 

Exposure management transforms cybersecurity from a technical exercise into a strategic business function by contextualizing vulnerabilities. 

[Music ends]  

Rather than separating security decisions from business objectives, exposure management creates a holistic framework where companies can evaluate their business opportunities and security requirements together. 

Establishing a clear, objective risk overview — overarching guidelines with a comprehensive, contextualized view of an organization’s attack surface — can help companies understand the relative levels of risk for components within their tech ecosystems, as well as whether these conform to the organization’s preferred risk posture. By being able to evaluate risk in relation to risk appetite, companies can more readily pinpoint the highest-priority exposures to address.  
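As an added illustration (not code from Ivanti's report or from the speakers quoted in this episode) of the steps Mike Riemer lists in Part three and the risk-versus-appetite evaluation described here: a constructed asset inventory, each asset carrying an assigned financial value and an exploit likelihood, is scored in monetary terms and compared against a risk appetite expressed in the same scoring scheme. The end-of-life multiplier, asset names, values, likelihoods and thresholds are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumption for this example: software past end of life (no more patches)
# roughly doubles the likelihood that an attacker exploits it.
EOL_LIKELIHOOD_MULTIPLIER = 2.0

@dataclass
class Asset:
    name: str
    business_value: float      # financial value assigned to the asset (constructed, USD)
    exploit_likelihood: float  # annual probability of exploitation, 0..1 (constructed)
    end_of_life: bool          # software no longer receiving security patches

@dataclass
class RiskAppetite:
    """Thresholds expressed in the same monetary scheme used to score risk posture."""
    max_total_expected_loss: float  # aggregate loss the business has agreed to accept
    max_asset_expected_loss: float  # per-asset loss above which it is a priority exposure

def expected_loss(asset: Asset) -> float:
    """Risk in monetary terms: likelihood of a threat times its potential impact."""
    likelihood = asset.exploit_likelihood
    if asset.end_of_life:
        likelihood = min(1.0, likelihood * EOL_LIKELIHOOD_MULTIPLIER)
    return likelihood * asset.business_value

def risk_posture(assets: list[Asset]) -> float:
    """Current aggregate exposure across the whole inventory."""
    return sum(expected_loss(a) for a in assets)

def prioritize(assets: list[Asset], appetite: RiskAppetite) -> list[tuple[str, float]]:
    """Assets whose expected loss exceeds the per-asset threshold, worst first."""
    over = [(a.name, expected_loss(a)) for a in assets
            if expected_loss(a) > appetite.max_asset_expected_loss]
    return sorted(over, key=lambda pair: pair[1], reverse=True)

# Constructed inventory: names, values and likelihoods are illustrative, not measured.
INVENTORY = [
    Asset("billing-db", 2_000_000, 0.04, False),
    Asset("legacy-vpn", 500_000, 0.20, True),
    Asset("intranet-wiki", 50_000, 0.30, False),
]
APPETITE = RiskAppetite(max_total_expected_loss=250_000, max_asset_expected_loss=100_000)

if __name__ == "__main__":
    posture = risk_posture(INVENTORY)
    print(f"risk posture: ${posture:,.0f}; within appetite: {posture <= APPETITE.max_total_expected_loss}")
    for name, loss in prioritize(INVENTORY, APPETITE):
        print(f"priority exposure: {name} (${loss:,.0f})")
```

With these constructed numbers the aggregate posture (295,000) exceeds the agreed appetite (250,000), and the end-of-life VPN is the single exposure above the per-asset threshold, which is the kind of objective, same-scheme comparison the quoted steps call for.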

Despite the promise of exposure management, we are still early in the adoption curve. Ivanti’s research shows that the concept of exposure management is well understood; for example, 49% of security professionals say their company leaders possess a high level of understanding of exposure management. Yet few organizations are taking practical steps to embrace the practice; just 22% of security professionals say their companies plan to increase exposure management investments in 2025. 

Currently, 73% of security professionals say their companies quantify cyber risk so leaders can use that information to drive enterprise decision making — a good sign. Our research, however, shows some lack of alignment between security teams and business leaders about what factors are most important when calculating risk. Security professionals tend to cite “operational impact” as a high-priority factor when quantifying cyber risk, while business leaders focus on “financial impact.”

The problem is not simply a lack of alignment; it’s also a long-standing communication impasse. Enterprise cybersecurity is still primarily managed by security specialists, who struggle to communicate their needs to the C-suite. And executives, who are often very aware of the critical importance of cybersecurity, aren’t equipped to bridge the knowledge gap between them and their IT/security teams.  

Currently just 40% of security professionals say their security leaders are “very effective” at communicating risk. Exposure management gives security leaders a rubric for more effective communication with executives who lack a security background.  

[Sting] 

How can you take action? 

Here’s what Mike Riemer, Ivanti’s Field CISO, has to say: 

“When an enterprise knows how much risk it is willing to accept, it can pursue opportunities that match its risk appetite while avoiding those that might expose it to undue risk. Typically, an organization accomplishes this by drafting a Risk Appetite Statement, or RAS. The first part of the RAS should outline the company's strategic objectives and the associated risks. The RAS should define the risks that would have the greatest impact on the organization, not everyday risks that are simply part of doing business. It should account for multiple risk scenarios. For example, a specific strategy may entail supply chain risk, such as the effects of being locked into a vendor or the dangers of regulatory exposure if a supplier mishandles customer data. 

By focusing on a data-driven approach to risk management, leaders can objectively assess risk and reduce reliance on subjective judgment. By looking at the likelihood of a threat and its potential impact, security leaders can assess the cost of that risk using the language of business. Exposure management presents the opportunity for security to break down silos and be viewed as a business enabler by using data and analytics to communicate risk in business terms and facilitate better communication across the organization.”  

[Sting]   

If you enjoyed listening to this report and want even more Ivanti research, you can subscribe to this podcast to get the latest Ivanti research in your feed as soon as it’s released. You can read the report and see the rest of Ivanti’s research at ivanti, I-V-A-N-T-I.com/research.

You can follow Ivanti on social media at Go Ivanti, and you can visit us at ivanti.com to learn more about our products and solutions.   

Thanks for listening!