Exposure Management: From Subjective to Objective Cybersecurity

Ivanti’s Cybersecurity Research Report Series

 


Exposure management gives business and cybersecurity leaders the methodology and tools to make informed cybersecurity risk management decisions. Significant barriers stand in the way of adoption.

Digital sprawl is driving up vulnerability

Modern attack surfaces now encompass a massive, growing ecosystem of assets — from cloud infrastructure and IoT devices to supply chains, identities and permissions. To stay protected, organizations must first make sense of this scale and complexity.



Managing the vast breadth of modern IT ecosystems is increasingly overwhelming for IT and security teams alike. In addition to keeping up with the constantly evolving array of cyberthreats and attack types, IT and security teams must contend with the shelf life and complexity of their organizations’ software.

Nearly half (48%) of security professionals say their organization uses software that has reached “end of life” (EOL). Software that no longer receives security patches, technical support and updates can leave devices vulnerable to cyberattacks and data breaches.

And 43% have not identified the third-party systems/components that are most vulnerable in their software supply chains — in other words, those that would cause the largest organizational impact if compromised.

The situation is particularly alarming in highly regulated industries. In healthcare, for example — where disruptions in critical systems have higher stakes and can directly affect patient care and treatment outcomes — 54% use software that has already reached end of life.

It’s no wonder 40% of security professionals globally say their tech infrastructure is so complex that they can’t uphold basic security practices.

Action steps

“Exposure management expands that definition of an asset to go beyond just hardware and software assets, to encompass any tangible or intangible element of business value. To understand and address visibility gaps, organizations need to conduct an attack surface review that includes a defined prioritization process for securing assets, based on factors like the likelihood of exploitation by malicious actors and the business impact of each risk if exploited.”

Karl Triebes, Chief Product Officer, Ivanti

How to gain attack surface visibility and assess risk, Karl Triebes, CPO, Ivanti

Access denied: Unlocking data accessibility

When data is inaccessible, it erodes the value of new tech investments, makes security vulnerabilities harder to detect and manage, and impairs data-driven decision making.

Our research shows many companies struggle to access and leverage their vast troves of data. Security professionals report many areas with missing or incomplete data and insights — making it difficult, for example, to detect shadow IT (45%) or confidently identify specific vulnerabilities based on existing data (41%). All of these gaps add to an organization's security blind spots.



Making matters worse, more than half (55%) of IT professionals say their companies’ security and IT data are siloed. The situation is improving (this number is down 14 points from last year), but significant work remains.

The modern enterprise is data-rich, but information-poor. Organizations accumulate vast quantities of raw data but struggle to convert it into meaningful insights. Even when data is accessible to some, silos prevent a comprehensive approach to threat detection and incident response. For example:

  • 53% of security professionals say data silos weaken their organization’s security posture.
  • 62% of security professionals say siloed data slows down security response times.

Fixing the problem won’t be easy. IT professionals estimate that breaking down data silos inside their organizations would take five years on average — an eternity for companies hoping to leverage data-hungry gen AI and automation solutions for mission-critical work like automated vulnerability management or proactive threat intelligence.

Even so, improving data accessibility and visibility is essential for companies looking to turn data into insight and action. When properly harnessed, enterprise data becomes the lifeblood of AI systems and automated workflows, powering intelligent decision making and operational efficiencies — all of which are critical steps toward a more strategic approach to security.

Action steps

“To make data accessible and convert data into meaningful security decisions, companies need to dismantle security and IT silos and leverage a platform that integrates and correlates data from across every department. Additionally, security teams can leverage AI solutions to derive insights from large data sets – using the information to communicate clearly and drive better decision-making across the entire organization.”

Daren Goeson, SVP Product Management, SUEM, Ivanti

Convert security data into insights, Daren Goeson SVP Product Management, SUEM, Ivanti

Reframing enterprise risk

All of this complexity, sprawl and these blind spots call for a shift away from traditional vulnerability management. The first step is to define the organization’s risk framework and quantify its exposure.

As companies transition to an exposure management approach, CISOs and CEOs will need to collaborate on developing a risk tolerance framework that balances current risk posture with organizational risk appetite.

Risk posture: A company’s current state of risk management, which reflects actual exposure and defenses.

Risk appetite: The level of risk an organization is willing to accept in pursuit of its objectives.

Too often, these two — posture and appetite — are out of alignment. Security leaders, understandably, tend to err on the side of safety. Business leaders, on the other hand, are often more willing to trade off some degree of safety if that greater openness drives higher growth and innovation.

There is no universal answer, only the balance that CEOs and CISOs deliberately agree is correct for their organization.

The large majority of companies (83%) report they have a framework for defining risk tolerance. A good start. Yet many admit they don’t strongly follow their risk tolerance framework.

Overall, 51% say they don’t follow their existing risk tolerance framework. Among enterprise companies, the situation is better, but still not ideal. Forty-three percent of companies with 10,000 or more employees say they don’t strongly follow their own risk tolerance framework.


Part of the problem may be that companies are struggling to measure their exposure.

Security professionals say they face significant barriers when measuring and managing risk exposure. 49% of security professionals say they can’t access the right data to measure and manage risk. And 51% of security professionals say they lack the talent to properly measure risk.



Action steps

“To better follow their risk tolerance framework, organizations should develop as complete an inventory of the attack surface as possible and assign financial values to assets to calculate risk in monetary terms wherever possible. By aggregating data to ensure a comprehensive view of the organization's attack surface, exposure management can help develop realistic metrics that align with the organization’s risk appetite and business objectives.”

Mike Riemer, Senior Vice President, Network Security Group (NSG) and Field CISO, Ivanti

How to define and measure risk tolerance, Mike Riemer, Field CISO, Ivanti

Exposure management: A contextual approach to risk

Exposure management transforms cybersecurity from a technical exercise into a strategic business function by contextualizing vulnerabilities.

Rather than separating security decisions from business objectives, exposure management creates a holistic framework where companies can evaluate their business opportunities and security requirements together.

Establishing a clear, objective risk overview — overarching guidelines with a comprehensive, contextualized view of an organization’s attack surface — can help companies understand the relative levels of risk for components within their tech ecosystems, as well as whether these conform to the organization’s preferred risk posture. By being able to evaluate risk in relation to risk appetite, companies can more readily pinpoint the highest-priority exposures to address.

Despite the promise of exposure management, we are still early in the adoption curve. Ivanti’s research shows that the concept of exposure management is well understood; for example, 49% of security professionals say their company leaders possess a high level of understanding of exposure management.

Yet few organizations are taking practical steps to embrace the practice; just 22% of security professionals say their companies plan to increase exposure management investments in 2025.



Currently, 73% of security professionals say their companies quantify cyber risk so leaders can use that information to drive enterprise decision making — a good sign. Our research, however, shows some lack of alignment between security teams and business leaders about what factors are most important when calculating risk. Security professionals tend to cite “operational impact” as a high-priority factor when quantifying cyber risk, while business leaders focus on “financial impact.”

The problem is not simply a lack of alignment; it’s also a long-standing communication impasse. Enterprise cybersecurity is still primarily managed by security specialists, who struggle to communicate their needs to the C-suite. And executives, who are often very aware of the critical importance of cybersecurity, aren’t equipped to bridge the knowledge gap between them and their IT/security teams.

Currently, just 40% of security professionals say their security leaders are “very effective” at communicating risk. Exposure management gives security leaders a rubric for more effective communication with executives who lack a security background.



Action steps

“A risk appetite statement (RAS) should define the risk that would have the greatest impact on the organization, including the amount of financial risk a company is willing to take on — for example, the effects of being locked into a vendor or the dangers of regulatory exposure if a supplier mishandles customer data. Exposure management presents the opportunity for security to break down silos and be viewed as a business enabler by using data and analytics to communicate risk in business terms and facilitate better communication across the organization.”

Mike Riemer, Senior Vice President, Network Security Group (NSG) and Field CISO, Ivanti

How to evaluate enterprise risk appetite, Mike Riemer, Field CISO, Ivanti

Methodology

This report is based on Ivanti’s 2025 State of Cybersecurity: Paradigm shift. The study surveyed over 2,400 executive leaders and cybersecurity professionals in October 2024. This research was administered by Ravn Research, and panelists were recruited by MSI Advanced Customer Insights. Survey results are unweighted.