Cyber Web Spider Blog – News

The CTEM Conversation We All Need

Posted on June 24, 2025 By CWS

Jun 24, 2025 | Ravie Lakshmanan | Threat Exposure Management

I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn't have asked for a better kickoff panel: three cybersecurity leaders who don't just talk security, they live it.
Let me introduce them.
Alex Delay, CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead, Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity’s targeted RNA therapeutics. Last but not least, Michael Francess, Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments.
Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here's the kicker – only if it's operationalized.
Speaking with these seasoned defenders, we unpacked the realities and challenges behind the hype of implementing and operationalizing an effective Exposure Management strategy, addressing the following tough questions:

What does a good CTEM program look like and what are the typical challenges that need to be overcome?
How do you optimize cyber and risk reporting to influence board-level decisions?
And ultimately, how do you measure the success of your CTEM program?

Challenges, Priorities, and Best Practices

CTEM isn't plug-and-play. The panelists’ prescription was clear: start with asset inventory and identity management; weak service accounts, over-permissioned users, legacy logins. None of these are small gaps, they’re wide-open doors that need to be checked frequently. And for all of our panelists, frequency matters – a lot. Because guess what? Adversaries are constantly challenging defenses too. For internal assets, weekly validation is the rule of thumb. For external-facing assets? Daily. As they see it, it's the only way to maintain a constant handle over their constantly changing environments.

Surprisingly, Michael pointed to threat intelligence as the backbone of any security testing program. “It is advisable to understand your adversaries, simulate their TTPs, and test your defenses against real-world scenarios, not simply patching CVEs.” That's the key difference between CTEM and vulnerability management. Vulnerability management is about patching. Exposure management is about figuring out whether your controls actually work to block threats.

Reporting: Translating Cyber to Risk Terms

In the banking industry, like many other highly regulated industries, Alex couldn't emphasize enough the need to be prepared to answer hard questions asked by regulators. “You’ll get challenged on your exposure, your remediation timelines, and your risk treatment. And that's a good thing. It forces clarity and accountability.”
But even outside regulated industries, the conversation is changing. Boards don’t want to hear about CVSS scores. They want to understand risk – and that's a very different discussion. Is the company’s risk profile going up or down? Where is it concentrated? And what are we doing about it?

Measuring Progress

Success in CTEM isn't about counting vulnerabilities; Ben pinned it down when he said he measures the number of exploited attack paths his team has closed. He shared how validating attack paths revealed risky security gaps, like over-permissioned accounts and forgotten assets. Suddenly, risk becomes visible.
Others took it in another direction with tabletop exercises that walk leadership through real attack scenarios. It isn’t about metrics, it's about explaining the risk and the consequences. A shift that moves the discussion from noise to signal, and gives the business clarity on what matters: where we’re exposed, and what we’re doing about it.

From Concept to Action

Want to hear how these defenders are putting CTEM into action without drowning in noise?
This episode dives deep into the real questions: where do you start, how do you stay focused on what’s exploitable, and how do you connect it all to business risk? You'll hear first-hand how security leaders like Alex, Ben, and Michael are tackling these challenges head-on, with a few surprises along the way…
🎧 Make sure to catch the full conversation on Apple Podcast and Spotify.
