
Why Business Risk Should be Your Guiding North Star for Remediation

Published 04/25/2024


Originally published by Pentera.


We all know the culprits. Cloud adoption, remote and hybrid work arrangements and a long list of must-have technologies have led to an ever-expanding attack surface, compelling organizations to become more agile and responsive in their cyber defense.

Taming this unwieldy beast seems to be on everyone’s mind as global spending on security and risk management is expected to grow by more than 11% in 2023, up to $188 billion from just $158 billion in 2021.

But simply improving current security practices isn’t enough to handle today’s changing threatscape. According to the Gartner® Hype Cycle™ for Security Operations, 2023, “Security and risk management (SRM) leaders must develop strategies centered on business risk instead of just adopting new ways to do the same things better.”

In short, organizations need a new approach to securing their attack surfaces.


Why Securing the Attack Surface is So Complex

So, what’s changed?

First of all, the sheer size of the attack surface. Today, the attack surface includes everything from web applications to physical devices to cloud services and workloads. This means security and risk management leaders need to understand the nuances of all of these different types of attack surfaces and how to secure them. Many organizations may not have the resources to fully monitor every nook and cranny, creating blind spots that are difficult to secure.

Furthermore, organizations are realizing that they need to continually manage exposure resulting from varied security gaps, not just software vulnerabilities. Misconfigured networks or security controls, leaked credentials, misused protocols, and poor security hygiene may all be missed, leaving the business exposed.

The writing is clearly on the wall, and the industry mindset and security solutions are shifting accordingly. As explained in this year’s Gartner Hype Cycle for Security Operations report, “an increasing number of technologies at the Innovation Trigger [signifies] the demand to overcome attack surface complexities.”


Defense-in-depth comes up short

At Pentera, earlier this year, we interviewed 300 senior security professionals about their security practices. Despite having an average of 44 tools in their security stack, over 88% of the companies self-reported having experienced a breach in the 24 months preceding the report.

What worked well with a smaller and simpler attack surface has become unmanageable in light of the size of today’s attack surface and the growing security tool stack. Security teams have found themselves in a sea of alerts and vulnerabilities, but lack the time and capacity to review, verify and prioritize each and every one.

So what are organizations to do?


Make Your Intel Actionable: Use Business Risk As Your Guiding North Star For Remediation

The Gartner Hype Cycle report states that “SRM (Security Risk Management) leaders should adopt an exposure-based approach to operations, promoting business relevance.” By focusing on risk exposure, security teams align their efforts with their organizations’ priorities. Defenders are meant to protect the crown jewels, so what better than to use actual risk to the business as a means to measure security effectiveness?

Gartner has provided a new framework to help SRM leaders get there. Continuous Threat Exposure Management (CTEM) uses a variety of technologies as part of an ongoing process to scope, discover, validate and prioritize security gaps for remediation.

At the foundation of the CTEM approach is the concept of adopting the adversary’s perspective in order to strengthen defense. Organizations need to understand the most likely points where an attacker could compromise their environment and define actions that most effectively reduce exposure.

The question is, what is the best way to get started?


Take your first step to CTEM with Automated Security Validation

Shifting to a new approach to cybersecurity operations can be a challenging – and daunting – process. But there is a pragmatic way to achieve quick impact by uncovering and fixing the security gaps that adversaries would be most likely to exploit – Automated Security Validation.

Security validation improves security readiness with an evidence-based approach – revealing where existing security controls and practices are effective at preventing real attacks, and where they fall short. This provides CISOs and security teams with an actionable roadmap to reduce security exposure and benchmark their security effectiveness over time.

Implementing an automated security validation solution that natively combines many of the core capabilities of an effective exposure management strategy – from attack surface discovery to validation and vulnerability prioritization – can be an easy first step to adopting a CTEM approach.