CISOs need better tools to turn risk into action
Many organizations are overwhelmed by the complexity of their IT systems, making it difficult to manage cybersecurity risks, according to a new Ivanti report.
The “Exposure Management: From Subjective to Objective Cybersecurity” report points out that as companies keep adding more cloud services and smart devices, they’re struggling to keep up with securing them all. With so much tech spread across different systems, it’s tough to see everything and know which risks to tackle first.
Key findings
- Outdated software: 48% of security professionals report using software that has reached its end of life, meaning it no longer receives security updates and leaves systems exposed to attacks.
- Third-party risks: 43% of organizations have not identified the most vulnerable components in their software supply chains, increasing the risk of breaches through third-party vendors.
- Data silos: 55% of IT professionals say their organizations’ security and IT data are siloed, hindering threat detection and response.
- Shadow IT: 45% of security professionals struggle to detect unauthorized devices and applications, known as shadow IT, which can introduce unmonitored vulnerabilities.
Exposure management aims to close the gap between security and business
Exposure management is a way to connect cybersecurity efforts with business goals. It helps companies look at risk in the bigger picture: what matters most to the business, what’s most at risk, and what to fix first.
Still, while many security professionals understand the idea behind exposure management, it hasn’t caught on in practice. Ivanti’s report shows that about half of security pros think their leadership has a solid grasp of what exposure management is. But only 22% say their companies are planning to invest more in it next year.
The report also finds that 73% of companies do try to measure cyber risk so their leaders can make informed business decisions. That’s encouraging. But it also shows a disconnect between security teams and executives about what matters when assessing risk.
This mismatch isn’t new. Security teams and business leaders have long struggled to speak the same language. Even when executives care about cybersecurity, they don’t always know how to have productive conversations with technical teams. Meanwhile, security leaders don’t always know how to explain their concerns in a way business leaders understand.
Only 40% of security professionals say their leaders are effective at communicating risk to executives. Exposure management can help here too. It gives security teams a framework they can use to explain risks and connect those risks to business outcomes, even for executives who don’t have a background in security.