Executive Roundtable: Enterprise-Wide Exposure Management Strategies Require Active Multi-Disciplinary Participation

By Lane F. Cooper, Editorial Director, BizTechReports and Contributing Editor to CIO.com

More progress is needed to engage the participation of executives across a range of organizational disciplines to implement effective -- and comprehensive -- exposure management strategies. While interest in -- and executive attention on -- information security continues to rise, the main focus of activity to reduce risk still revolves around finding the right tools to address threat management. Instead, an enterprise-wide approach to exposure management is needed, which takes a comprehensive approach to internal evaluations of vulnerabilities and asset prioritization along with external assessments of threats and attack surfaces.

These were among the central conclusions of a CIO.com executive roundtable co-hosted by Alex Reid and John Velisaris from IBM. The event, which included participation from executives in the manufacturing, clinical research, healthcare, non-profit and transportation sectors, offered an opportunity to reassess how strategic, operational, financial and technological issues should be managed as the threat landscape evolves in the context of an increasingly uncertain economic environment.

Key points that emerged throughout the conversation:

* Reducing Attack Surface -- The complexity of enterprise computing has exploded over the past decade as organizations modernize their infrastructures, applications and user interfaces by adopting a range of cloud-based and on-prem solutions. The trend accelerated through the pandemic to support the shelter-in-place workforce. As a result, the attack surface available to bad actors expanded exponentially.

A comprehensive rationalization process that takes inventory of devices, ports, applications, tools and services must take place against strict "needs assessments" to remove and consolidate resources to reduce the attack surface. This should be implemented with outside-in and inside-out perspectives in mind. While internal assessments stress test and assess deployed resources, persistent attack surface scans should be performed to identify ongoing opportunities for penetration presented to bad actors.

* Managing Supply Chain Risk -- Roundtable participants also acknowledged the importance of developing strategies to analyze the risks and threats posed by the growing number of third-party supply-chain participants. These include suppliers, partners, contractors and providers of cloud-based services. Integrating these participants into exposure management strategies will be increasingly important over the months and years as perpetrators of cybercrimes explore novel methods for penetrating targets.

It is, however, an objective that is easier said than done. Securing meaningful participation in supply-chain exposure management is much more than a technical exercise. It requires a level of digital diplomacy, inter-organizational collaboration and joint execution that is not currently in place across most ecosystems. Multiple disciplines -- including security, risk management, procurement, client management and even sales -- must come together to determine how to maximize the value of supply chains while reducing exposure to threats and mitigating risks.

* Multi-Cloud Risk Management -- Most participants in the roundtable discussion stated that they were operating in hybrid multi-cloud environments, with one global player admitting engagement with nearly every major hyper scaler on the market. All executives expressed concern with managing the growing mix of cloud-based resources at the Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service levels. An alarming level of opacity is created because cloud service providers share information about risk and security management differently.

* Eliminating the "Sin Eater" Syndrome -- While a tremendous amount of progress has been made in elevating the role of IT and cybersecurity to deliver business value to the organizations represented in the roundtable, there was still a nearly universal consensus that discussions about risk management remain siloed. As a result, there are still too many occasions when business leaders should have informed those responsible for IT and risk management before making decisions about technology resources.

This line of discussion raised the gap that exists between technologists and business leaders about "who owns" risk. While the technology executives in the roundtable understand their role as "stewards" of risk management, they struggle to explain to their business counterparts that they do not "own" the risk. It is a message that the most senior levels of leadership must clarify if we are to have a properly balanced discussion about threats, risks and consequences.