Q&A
Breaking Down Continuous Threat Exposure Management
Being proactive is key to keeping your enterprise safe and your data secure. Learn more about Continuous Threat Exposure Management, and what it can do for your network.
New cybersecurity methodologies and frameworks are constantly being developed to tackle the sophisticated threats that organizations face. One such approach gaining traction in 2024 is Continuous Threat Exposure Management (CTEM), introduced by Gartner. Unlike traditional threat management strategies, CTEM offers a comprehensive, process-driven approach that integrates various security practices into a unified program.
In this Q&A, Redmond sits down with Alton Crossley, security engineer extraordinaire, to explore the intricacies of CTEM, examine the latest trends in the security landscape and discuss how organizations can successfully navigate the complexities of modern vulnerability management.
And to hear more of Crossley's unique perspective on the subject, join him for his upcoming Live!360 session, "Fast Focus: Give Your Security Program Traction," taking place this November at Universal Orlando.
Redmond: Without giving too much away about your session, how new is "Continuous Threat Exposure Management" and what makes it different from traditional threat management approaches?
Crossley: Continuous Threat Exposure Management (CTEM) was introduced by Gartner in the last couple of years. People have started to take notice in 2024 because it is not a tool domain. CTEM is a process, an umbrella program that crosscuts security practice silos. This includes traditional Vulnerability Management, Threat Management and even Application Security. It defines an iterative approach which aligns with the business and delivers practical, actionable tasks that immediately reduce the probability of material impact. Traditional threat management lacks this additional context and alignment to provide the same level of value.
Redmond: What interesting trends have you seen in the security landscape lately, and how do these challenge the way organizations have typically approached threat management?
Crossley: It seems like there is always a new tool domain for vendors to chase. I think anyone in security would agree that there is no shortage of findings. AI brings with it a promise of commoditizing the code behind those vulnerabilities. This brings with it opportunities to stand out in the way we act as security professionals. These opportunities will be captured by those willing to refine their approach to operationalizing security findings to provide quantifiable value.
Redmond: You note in your abstract that nowadays "vulnerability management is like juggling sand." How did we get to this point? Are attackers getting more sophisticated or is IT getting overloaded?
Crossley: As a software engineer, I know that at the core is the deemphasis of engineering and architecture in a misguided attempt to be more agile. The poor folks doing vulnerability management are subject to the whim of software vendors. In the last few years, many businesses have been forced to digitize all their processes to accommodate the remote workforce. We are simply running more software packages that are lower quality than ever before. This is why it seems impossible to make progress. The key is doing the things that matter most.
Redmond: How do you recommend IT leaders cultivate support for any improvements they make to their organization's security strategies, from the C-suite to the end user?
Crossley: This is exactly why we recommend the CTEM process. C-suite alignment is built into the process so that you don’t act on anything without business priority. Mobilization partners have the confidence that tasks are valid and valuable. I like to say, "Friends don’t let friends Shovel Left." Reduce the number of impractical, unactionable, false-positive tasks being emitted from security, and you will quickly garner additional support. That is the difference between noise and actionable value.
Redmond: Are there any trends in the enterprise security landscape that you think IT teams should start preparing for now? What do you think we'll be talking about this time next year?
Crossley: Over the next year or so GenAI is going to make a lot of people drunk with the power of software creation, and it will take them some time to reach the realization that they do not know how to architect for change and faults. This is going to make it important to have high confidence in your vendors.