March 9, 2023 By Ayman Hammoudeh 3 min read

The modern threat landscape presents serious challenges to businesses struggling to build their security programs.

While these businesses modernize IT and security programs, the attack surface is proliferating. Security leaders must realize that perimeter defenses no longer cope with the expanded attack surface, leaving gaps in security programs. Only by implementing a new systemic approach can security scale up at a similar pace to ever-growing threats.

For cybersecurity, visibility is critical: security teams must be aware of all risks before they can find a way to reduce them. However, visibility requires a defined strategy and a programmatic approach. That approach should include continuous threat exposure management (CTEM).

What is continuous threat exposure management?

Gartner defines CTEM as a set of processes and capabilities that enable enterprises to continually evaluate the accessibility, exposure and exploitability of their digital and physical assets.

In short, CTEM is the center that informs governance, risk and compliance (GRC) mandates. Using CTEM, you can build mature, strategic security controls with detection and response capabilities that are always aligned with the business’s risk appetite.

 Figure 1: Continuous Threat Exposure Management (Source: IBM)

The five stages of a CTEM program

A CTEM program is governed by five cyclic stages, where every outcome then repeats the iteration.

Figure 2: Continuous Exposure Management Process Stages (Source: IBM)

1. Scoping

As with any other security program, scoping is the first step. Security teams need to align with different stakeholders on business requirements as well as ultimate impact.

Scoping must address the enterprise’s entire attack surface, both internal and external. Security teams should look beyond vulnerability management programs and consider factors such as external attack surface, digital risk, supply chain, cloud and deep and dark web.

2. Discovery

This step is where security teams inventory assets and risk profiles based on the previous scoping process. During the discovery phase, security teams map assets, vulnerabilities, misconfigurations, technology, logic and risk.

3. Prioritization

The goal of the prioritization is to identify the threats that are most likely to be exploited by adversaries and the level of risk to the enterprise. Security teams should evolve from looking at severity scores to examining exploitability, security controls, topology, risk appetite and overall risk to the enterprise.

4. Validation

During this step, security teams assess exposure by launching controlled simulated or emulated attacks to validate exposure, existing security controls and response and remediation. Testing initial foothold gains, different attack paths and lateral movements are essential.

5. Mobilization

The goal of mobilization is not to find a way to automate remediation but to build a defined process so that teams can operationalize findings with low to no friction. Mobilization also requires merging security automation with IT process automation to maximize efficiency.

In the end, the ultimate goal of the CTEM program stages is to have a clear set of security and risk management programs aligned with business objectives to continuously minimize risk, improve resilience and accelerate collaboration.

CTEM for the modern threat landscape

CTEM is a program that manages increasing threat exposure while considering business priorities. Its iterations allow the enterprise to continuously monitor, prioritize, validate, remediate and optimize its security exposure.

Security teams should take a phased approach to CTEM, leveraging existing and new technology to support it. Ultimately, the ability to mobilize different stakeholders will ensure success.

Looking ahead, Gartner predicts that by 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.

More from Risk Management

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

6 Principles of Operational Technology Cybersecurity released by joint NSA initiative

4 min read - Today’s critical infrastructure organizations rely on operational technology (OT) to help control and manage the systems and processes required to keep critical services to the public running. However, due to the highly integrated nature of OT deployments, cybersecurity has become a primary concern.On October 2, 2024, the NSA (National Security Agency) released a new CSI titled “Principles of Operational Technology Cybersecurity.” This new guide was created in collaboration with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD SCSC) to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today