SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

Exposure Management Council urges new cyber risk frameworks for boards

Wed, 24th Sep 2025

Tenable has announced the formation of the Exposure Management Leadership Council, a working group aimed at advancing best practices and frameworks for exposure management in cyber security.

The council comprises Chief Information Security Officers (CISOs) and cyber security leaders from global organisations representing sectors such as insurance, technology, transportation, legal, and consumer packaged foods. The council's mission is to develop exposure management into a common, proactive security discipline that demonstrates an ability to reduce organisational cyber risk.

Report findings

As part of its launch, the council released a new report titled "Board meetings and the dreaded cyber risk update: a use case for exposure management." The report draws on highlights and insights from the council's inaugural meeting and analyses the ongoing communication challenges between security leaders and company boards.

The report finds that a disconnect in the boardroom continues to undermine organisations' efforts to manage and mitigate cyber risk, particularly as exposure and regulatory requirements increase. The difficulty often arises from reliance on technical security operations metrics during board meetings - metrics which, according to the findings, do not always convey an accurate picture of organisational cyber exposure, often because they are compiled from unrelated and siloed security tools.

Calls for strategic discussion

"Exposure management is a strategic driver of organisational success," said Bob Huber, Chief Security Officer at Tenable and Chair of the Exposure Management Leadership Council. "Our goal is to shift the conversation from endless technical metrics to a strategic discussion focused on risk reduction. A standardised exposure management framework would help CISOs pinpoint their organisation's most pressing exposures and articulate their potential business impact."

The council maintains that standardised frameworks for exposure management will be instrumental in closing the communication gap and aligning cyber security strategies with wider business objectives.

Boardroom communication

"Exposure management can help CISOs bridge the boardroom communication gap," said Joanna Burkey, a corporate director, former CISO at HP and Siemens Americas and member of the Exposure Management Leadership Council. "While the fundamental objectives of exposure management are proactive breach prevention and risk mitigation, an added benefit is its potential to transform the quarterly cyber update into a strategic discussion that drives action and outcomes."

Stakeholders highlighted that effective exposure management not only targets risk prevention and mitigation but also supports productive boardroom engagement, ultimately informing business decisions related to cyber security.

The findings of the report emphasise that a clearer focus on exposure management can help translate complex cyber security topics into business language that board members can use to make informed decisions regarding risk and resilience.

Industry collaboration

Members of the council represent a cross-section of industries, bringing together perspectives on the current challenges and future needs of exposure management. The new working group aims to set out policies, principles, and best practices that can be adopted across sectors to support proactive and coherent risk management practices.

The report, "Board meetings and the dreaded cyber risk update: a use case for exposure management," marks the first official output of the council's efforts to address the evolving landscape of cyber risk oversight at the highest levels of management.

The council is expected to play a role in shaping how businesses approach exposure management, particularly in the context of regulatory scrutiny and increasing threats, by offering frameworks that can be applied to bridge gaps between technical and strategic leadership.
