2023 Is the Year of Exposure Management
Cyentia Institute Partner Wade Baker Shares Insights on Exposure Management
2023 is the year of exposure, said Cyentia Institute's Wade Baker. Exposure dominated Cyentia research this year, and many breaches were linked to mistakes in vulnerability management and poorly managed identities. CISOs are under the misconception that vulnerability management, one of the older domains of security, is a "problem solved."
But a lot of organizations are struggling with prioritizing hardware and software vulnerabilities. Cyentia's research shows that the typical organization patches only about 10% to 15% of the vulnerabilities that exist in its environment in any given month. About 85% to 90% of vulnerabilities go unpatched. "CISOs need to know that and figure out that if we can't patch all vulnerabilities, how do we narrow down the list and fix the ones that matter?" Baker says.
"If you look at vulnerabilities, everyone has them, but which ones are going to be exploited? For instance, if a vulnerability has exploit code available, proof-of-concept code, there's evidence that attackers are interested in exploiting that vulnerability," Baker said. "That increases the likelihood that it will be exploited for a malicious purpose by a lot. So you have to pay attention to any kind of information or intelligence."
In this video interview with Information Security Media Group at RSA Conference 2023, Baker discusses:
- Takeaways for CISOs from Cyentia research on exposure management;
- The techniques and tactics adversaries are using;
- Where CISOs are struggling with managing identities.
Baker is co-founder of Cyentia Institute, which focuses on improving cybersecurity knowledge and practice through data-driven research. He also is a professor at Virginia Tech's College of Business, working to prepare the next generation of industry leaders.