Exposure Management Looks To Usurp Vulnerability Management, But Is The New Emperor Wearing Any Clothes?
Hans Christian Anderson’s classic tale of the emperor that gets duped into a fancy, new, and invisible wardrobe provides lessons in swindling, pride, and truth. It’s only when the emperor struts in front of the commoners that a child finally states, “Wait a minute — there’s nothing to this outfit. He’s not wearing anything.”
As security vendors parade out exposure management from their portfolios through sales pitches and product marketing, garbed in the similar style of vulnerability risk management (VRM), we must be that child who stops and asks: What exactly comprises the exposure management’s outfit? (And since vendor definitions vary from platform to category to solution, we still need to ask what the outfit even is.) Furthermore, is this a new category, the same packaging in the same old outfit, or is this product as naked as the exposed assets it claims to cover?
I spend a lot of time being briefed by vendors and even more time talking to organizations about their security programs. In the past six months, many of my vendor briefings have been about the vendor’s shift toward exposure management. And if you look up “exposure” in any thesaurus, you’ll find that it’s just another synonym for “vulnerability.” So while security vendors have their sights on usurping VRM products, and VRM vendors are shifting toward exposure management, teams adopting it will still need to deal with all the same old security problems such as prioritization, process, remediation ownership, and obtaining cultural buy-in. Vendors continue to create new categories, while users of their products continue to just need their long-lived problems fully dressed.
Exposure Management Won’t Do Everything, But It Will Help You Prioritize
We do not see exposure management as a magic bullet for solving a VRM team’s common challenges. There is one challenge, however, that exposure management is uniquely positioned to address: prioritization. That’s why it’s the focal point of Forrester’s definition of exposure management, which states that:
Exposure management is a platform that consolidates vulnerabilities and exposures with an organizational perspective, maps them on an attack path, and identifies choke points for remediation teams to prioritize.
In theory, identifying the most critical choke points is an interesting approach to the prioritization problem. As a CISO in a large financial services organization recently told me, “Measuring the ROI of a proactive security program is practically difficult. It’s much easier to measure whether a breach occurred — so why not focus on the vulnerabilities and exposures closest to what would have led to the breach?”
The challenge is that exposure management still runs the risk of snowballing into the same challenges around volume, workflow, and analyst experience (AX) that we have with VRM today.
Attack Path Modeling Is Exposure Management’s Flashy Jewelry: Looks Cool But Low Utility
The most common feature in exposure management is attack path modeling. This is a fancy-looking screen that maps assets to a graph, shows how these assets are connected, and showcases exposures that an attacker could potentially leverage (along with how far they could get).
For most proactive security team members, like vulnerability risk analysts, leveraging the attack path requires a lot of clicking to identify exposures and remediations that may need escalating when the reality is that they need better up-front information, risk calculations, and remediation workflows.
Due to its current AX, attack path modeling is unlikely to replace the tidier tactical dashboards common in VRM products. And while the attack path optics are visually interesting, they can be black holes that lead to misguided escalations or inconclusive information. It simply does not currently fit into the workflow of a vulnerability risk analyst, though the delivery of prioritization insights could be improved through technologies such as generative AI. If anything, the current iteration is better suited to assist security operations center roles, like threat hunters, red teamers, and incident responders.
Exposure Management Is Here To Stay
Given the breadth of inputs required for exposure management, such as asset inventories and vulnerability and security validation assessments, and the depth of insight it’s aiming to provide, exposure management is unlikely to become a feature in other products. Instead, it will remain a standalone platform and integrate into larger portfolios from vendors like CrowdStrike or Microsoft. This means more licenses and more of your wallet dedicated to your existing vendors. We expect all major security portfolio and SecOps vendors to have an exposure management offering within the next 12 months alongside standalone exposure management platforms, like XM Cyber, and existing VRM vendors that are shifting toward exposure management, such as Tenable.
What should you do when your vendor wants to demo its newest exposure management solution? Hear them out, but take a lesson from that child from “The Emperor’s New Clothes” or perhaps your fashionable teenager side-eyeing the drip you plan to wear to that concert. Scrutinize how they address key use cases around visibility, prioritization, and remediation response and how their specific solution could play into your vendor consolidation strategy. The biggest differentiators for exposure management as a market category will be how it addresses the long-lived challenges for proactive security teams, how it improves analyst experience, and what breadth of inputs can provide visibility and context for users.
Schedule a guidance session or inquiry with me to discuss exposure management and ways to cut through the noise. Better yet, join me at the Forrester Security & Risk event in November. I’ll be speaking on proactive security in the session, “Activate Proactive Security.”