Shadow downloads – How developers have become the new perimeter
With great power comes great responsibility.
The post Shadow downloads – How developers have become the new perimeter appeared first on Security Boulevard.
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable CSO Robert Huber shares practical advice on using an exposure management program to focus on risks that have business impact. You can read the entire Exposure Management Academy series here.
There’s a trap security practitioners can often fall into. No, it’s not some tactic employed by the bad guys to trip us up. It’s a fairly simple trick of the mind: thinking that every risk deserves urgent attention. Maybe it’s human nature. If there’s a problem — no matter how big or small — some of us are just wired to want to fix it right away and get it off our punch list.
But I’ve learned the hard way that not all risks are created equal. So treating each one as the number-one priority is a surefire shortcut to burnout and inefficiency.
Like many of you, here at Tenable, we’ve been building our own internal exposure management program. On this journey, one of the most profound lessons I’ve learned is to prioritize risk based on business impact.
Moving to that line of thinking has helped me bring clarity to chaos. It has reduced the noise and allowed me to focus myself and my team on what really matters, which is the key to a successful exposure management program.
Start with the right data
One of the big struggles for security professionals is context switching.
When you meet with your business leaders to update them, you often have to scramble to pull together inputs from a dozen different tools and teams.
That’s because the data is siloed, often incomplete and nearly impossible to compare.
Our job in security is to provide these leaders — maybe your CEO or head of a business unit — with a clear, coherent picture of the most acute exposures. Try as we might, those pictures have been partly cloudy with a chance of inaccuracies.
So, as we started on the exposure management journey, our initial step was to assimilate the data. And I mean all of it. With help from Vulcan (now part of Tenable), we combed through tools, platforms and teams for every scrap of data.
Believe me, until you do that, you can’t prioritize meaningfully. You’re just guessing.
Understand risk in context
OK, bringing all that data together was a huge task. You’ll probably think, “Mission accomplished!” But that’s just the start.
Once the data’s in one place, the real work begins. That’s when I ask: What does this risk mean in context?
You should look at it from a couple of angles: First, consider it in the context of other risks across your organization. Then, think about the risks in the context of the business itself. How could this risk affect your revenue, operations or reputation?
If you don’t think this way right off the bat, you’ll just end up reacting to the loudest alert, not the most important one. And we know how that goes. As I heard often during officer candidate school in the military: focus on the important, not the urgent — which is especially helpful when you don’t have enough time in the day.
Identify the systemic issues
Exposure management isn’t about patching one vulnerability at a time. It’s about identifying what I call the big rocks. Whatever you call them, these are systemic issues that affect thousands of assets or users. Left unaddressed, they can truly put the business at risk.
Sometimes we don’t fix those big rocks right away. That might be because a patch broke a critical system or legacy infrastructure doesn’t support a specific control. When that happens, the exposure becomes a tracked business risk on our risk register. And it stays on the radar until we resolve it.
That’s a big shift from the old model, where issues could disappear into ticket queues with no clear owner and no resolution in sight.
With exposure management platforms, leadership and even the board can have their eyes on these issues. That’s because we’re aligning security priorities with business priorities.
Clearly communicate risk
Of course, none of this works unless you communicate clearly.
And communication can be a big challenge. You could use simple traffic light charts (i.e., red, yellow, green) to represent control coverage. But how do you accurately assign those colors? It can be a subjective exercise based more on your gut than real data.
With exposure management software, your eventual goal should be to make that process quantitative and, ideally, real-time so you don’t have to pull a team off their work every quarter to do manual updates.
Soon, we’ll live in a world where the moment something changes, we’ll see it communicated immediately. With that instantaneous information at our disposal, we’ll decide whether to act, defer or escalate.
Manage change so it doesn’t manage you
Exposure management isn’t just a technical shift. It’s a change management exercise.
You’re asking teams to work differently, respond to new priorities and trust a centralized system that makes decisions based on data that might be unfamiliar.
That kind of shift takes time. It requires building relationships, clarifying expectations and iterating on the program until it works for everyone.
As my colleague Arnie Cabral wrote in What it Takes to Start the Exposure Management Journey, we’ve started by rebuilding our policies, defining roles and responsibilities and ensuring that the people doing the work know exactly what’s expected — and why.
Takeaways: This is the path forward
We’re in the early days of this exposure management journey. And some of our industry certifications and policies still require us to fix everything above a certain CVSS score, whether or not it truly poses a threat. So there will be a level of reconciliation ahead between traditional compliance models and this more pragmatic, business-aligned approach.
But I believe exposure management, when done right, can bridge that gap. It will give you the ability to say, “These are the risks that matter most — and here’s why.”
That’s how you’ll make better decisions in the long run. You’ll better protect your business. And you’ll move security from reactive to strategic.
Have a question about exposure management you’d like us to tackle?
We’re all ears. Share your question and maybe we’ll feature it in a future post.
The post Turn to Exposure Management to Prioritize Risks Based on Business Impact appeared first on Security Boulevard.
Early Cloud Monitor adopter uses real-time insights to stop VPN abuse, detect threats, and protect learning
As the Technology Director for Burlington School District RE-6J in rural eastern Colorado, Russell Lindenschmidt is responsible for overseeing all things tech-related for the district’s three schools. With approximately 700 students and an IT team of one, managing cybersecurity ...
The post Cloud Monitor Gives Burlington School District a Big Cybersecurity and Safety Boost appeared first on ManagedMethods Cybersecurity, Safety & Compliance for K-12.
The post Cloud Monitor Gives Burlington School District a Big Cybersecurity and Safety Boost appeared first on Security Boulevard.
The successful implementation of CTEM for exposure management in legacy enterprise environments is crucial, as these legacy systems are the hidden backbone of many large enterprises, comprising more...
The post Implementing Exposure Management in Legacy Enterprise Environments appeared first on Strobes Security.
The post Implementing Exposure Management in Legacy Enterprise Environments appeared first on Security Boulevard.
Company Profile Command Zero was founded in 2022 and is headquartered in Austin, Texas, USA[1]. The company was co-founded by three seasoned cybersecurity experts—Dov Yoran, Dean De Beer, and Alfred Huger—who have held senior technical positions at renowned companies such as Cisco, IBM, and McAfee. They have also successfully established and sold multiple cybersecurity startups. […]
The post RSAC 2025 Innovation Sandbox | Command Zero: The Human-Machine Collaboration Engine Redefining Security Investigations appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post RSAC 2025 Innovation Sandbox | Command Zero: The Human-Machine Collaboration Engine Redefining Security Investigations appeared first on Security Boulevard.
Exploring the implementation of a data classification model in order to enable a data-driven approach to managing risk and cost.
The post Don’t Lock Up Peanut Butter in Fort Knox: The Smart Approach to Data Classification appeared first on Security Boulevard.
Security tools can also be vulnerable and so cybersecurity teams must put a premium on ensuring tools are used as intended for defense.
The post Security Tools: First, They’re Good, Then They’re Bad appeared first on Security Boulevard.
Why Is Least Privilege Fundamental to Creating Safe Environments? Data is the new gold. As data volumes surge, so do cyber threats, making data protection a top priority. The principle of least privilege (POLP) comes into play here. But what is least privilege, and how does it contribute to creating safer environments? Least privilege […]
The post Ensuring a Safe Environment with Least Privilege appeared first on Entro.
The post Ensuring a Safe Environment with Least Privilege appeared first on Security Boulevard.
Why is Management of Protected NHIs Essential? Protected Non-Human Identities (NHIs) have become a crucial factor for organizations looking to strengthen their cybersecurity framework. Given the surge in hacking attempts and data breaches, it is pertinent to ask, “How crucial are protected NHIs in ensuring cyber resilience?” Let’s delve deeper into this topic. NHIs, as […]
The post Protected NHIs: Key to Cyber Resilience appeared first on Entro.
The post Protected NHIs: Key to Cyber Resilience appeared first on Security Boulevard.
Author/Presenter: dade
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – Common Ground – Free Your Mind: Battling Our Biases appeared first on Security Boulevard.
AI has revolutionized search engine understanding of cybersecurity content. Industry leaders dominate rankings with expertise-driven content clusters, proprietary threat research, and technical depth that AI recognizes as authoritative. Discover proven strategies to transform your SEO approach.
The post AI-Powered Cybersecurity Content Strategy: Dominating B2B Search Rankings in 2025 appeared first on Security Boulevard.
Why is Value-Driven Secrets Management Essential in Today’s Cybersecurity Landscape? The importance of data has skyrocketed, making its protection paramount. This has brought the concept of Non-Human Identities (NHIs) and Secrets Management into the limelight. But how has the value-driven approach reshaped secrets management, and why is it vital? Unravelling the Concept of NHIs […]
The post Secrets Management that Delivers Real Value appeared first on Entro.
The post Secrets Management that Delivers Real Value appeared first on Security Boulevard.
Author/Presenter: James Ringold
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – Common Ground – Quantum Computing: When Will It Break Public Key Cryptography? appeared first on Security Boulevard.
Can Advanced NHIDR Keep Your Cloud Environment Secure? As environments are enriched with advanced technologies, potential threats also grow in complexity. One such concern circulates around the concept of Non-Human Identities (NHIs) and Secrets Security Management. But what if there was a way to feel reassured about your security in NHIs? In comes the role of advanced NHIDR— […]
The post Stay Reassured with Advanced NHIDR appeared first on Entro.
The post Stay Reassured with Advanced NHIDR appeared first on Security Boulevard.
Understanding the Vitality of Non-Human Identities in Healthcare Data Protection What if you could significantly diminish security risks in your healthcare organization while enhancing operational efficiency? Non-human identities (NHIs) and Secrets Security Management offer the answer to that pressing question. As the dynamics of securing sensitive data continue to evolve, the role of NHIs in […]
The post Maximizing Data Protection in Healthcare appeared first on Entro.
The post Maximizing Data Protection in Healthcare appeared first on Security Boulevard.
Why Is Secrets Security Essential in Today’s Digital Landscape? Is secrets security, also known as Non-Human Identities (NHIs) management, really that important? If you’re searching for a relaxed audit, the answer is a resounding ‘yes’. NHI management is an indispensable facet of modern cybersecurity strategies across various industries, from financial services and healthcare to DevOps […]
The post Securing Secrets: A Path to a Relaxed Audit appeared first on Entro.
The post Securing Secrets: A Path to a Relaxed Audit appeared first on Security Boulevard.
Why Should Organizations Prioritize Proactive Secrets Rotation? With digital connectivity ever-increasing, how can organizations stay one step ahead? One answer lies in proactive secrets rotation – a strategy that is pivotal to maintaining robust cybersecurity health. Not only does this strategy allow companies to prevent unauthorized access to their networks, but it also facilitates […]
The post Staying Ahead with Proactive Secrets Rotation appeared first on Entro.
The post Staying Ahead with Proactive Secrets Rotation appeared first on Security Boulevard.
Author/Presenter: Hubert Lin
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – Common Ground – One Port to Serve Them All – Google GCP Cloud Shell Abuse appeared first on Security Boulevard.
Here at Ignyte, we talk a lot about various overarching information security frameworks, like FedRAMP, CMMC, and ISO 27001. Within these overall frameworks exist a range of smaller and narrower standards, including COMSEC. If you’ve seen COMSEC as a term, you may be passingly familiar with what it is, but if you need to know […]
The post What is COMSEC? Training, Updates, Audits & More appeared first on Security Boulevard.
Join Grip Security on its mission to redefine identity security. Discover how innovation, empathy, and culture are shaping the future of digital protection.
The post Why I Joined Grip Security in Securing the Digital Future appeared first on Security Boulevard.