
Breaking Down Continuous Exposure Management — Redmondmag.com

Questions & Answers

Breaking Down Continuous Exposure Management

Being proactive is key to keeping your business and data safe. Learn more about managing your continuous threat exposure and what it can do for your network.

New cybersecurity methodologies and frameworks are constantly being developed to address the sophisticated threats organizations face. One such approach gaining popularity in 2024 is Continuous Threat Exposure Management (CTEM), introduced by Gartner. Unlike traditional threat management strategies, CTEM offers a comprehensive, process-oriented approach that integrates various security practices into a unified program.


In this question and answer, Redmond sits down with Alton Crossley, a leading security engineer, to discuss the intricacies of CTEM, the latest trends in security, and how organizations can effectively navigate the complexities of modern vulnerability management.
To hear more of Crossley’s unique perspective on this topic, join him at an upcoming Live!360 session titled “Fast Focus: Jumpstart Your Safety Program,” taking place at Universal Orlando in November.

Redmond: Without giving away too many details about your session, how new is “Continuous Threat Exposure Management” and how does it differ from traditional threat management approaches?
Crossley: Continuous Threat Exposure Management (CTEM) was introduced by Gartner over the last few years. People started paying attention to it in 2024 because it’s not a tool domain. CTEM is a process, an umbrella program that cuts through the silos of security practices. This includes traditional vulnerability management, threat management, and even application security. It defines an iterative approach that aligns with the business and provides actionable tasks that immediately reduce the probability of significant impact. Traditional threat management doesn’t have that additional context and alignment to provide the same level of value.

Redmond: What interesting trends have you noticed recently in the security space, and how do they challenge organizations’ current approach to threat management?
Crossley: Vendors always seem to have a new tool domain to pursue. I think anyone in the security industry would agree that there is no shortage of discoveries. AI brings with it the promise of commoditizing the code behind these vulnerabilities. This brings with it opportunities to differentiate ourselves in the way we operate as security professionals. These opportunities will be seized by those who want to refine their approach to operationalizing security discoveries to deliver measurable value.

Redmond: In your executive summary, you note that “vulnerability management is like juggling sand” these days. How did we get to this point? Are attackers becoming more sophisticated, or is IT overwhelmed?
Crossley: As a software engineer, I know that the bottom line is the devaluation of engineering and architecture in a misguided attempt to be more agile. The poor folks in vulnerability management are subject to the whims of software vendors. Over the past few years, many companies have been forced to digitize their entire processes to accommodate remote workers. We are simply running more and worse software packages than ever before. It seems impossible to make progress because of this. The key is to do the things that matter most.

Redmond: How do you think IT leaders should build buy-in for any improvements to their organization’s security strategies, from C-suite to end users?
Crossley: That’s why we recommend the CTEM process. Executive alignment is built into the process, so you don’t take action without a business priority. Mobilization partners know that the tasks are important and valuable. I like to say, “Friends don’t let friends shovel.” Reduce the number of impractical, impossible, false positive tasks emitted by security, and you’ll quickly gain additional support. That’s the difference between noise and actionable value.

Redmond: Are there any trends in the enterprise security landscape that you think IT teams should start preparing for now? What do you think we’ll be talking about this time next year?
Crossley: Over the next year, GenAI will intoxicate many people with the power of software development, and it will take them a while to realize that they do not know how to design for changes and errors. This will make it important to have a lot of trust in your suppliers.