As of April 1, 2024, all Ivanti operations in your region will be assumed by IVM EME. For sales questions please visit https://www.ivmeme.com

Paradigm shift

2025 State of Cybersecurity Report

Exposure management — a transformative update to traditional vulnerability management practices — requires a more holistic approach to mitigating risk. Getting it right means changing mindsets and organizational culture.

Unlocking exposure management

Exposure management requires an all-encompassing, highly contextual view of cybersecurity risk. Ivanti’s latest research documents the paradigm shift.

An organization’s attack surface is constantly changing. The traditional parameters that once defined the attack surface — mostly software and hardware — no longer take into account all the complexity and considerations for a modern security strategy: the cloud, third-party vendors, IoT, social networks and even human vulnerabilities.

Measuring, monitoring and protecting an organization's attack surface requires a wholly new approach to match the complexity and sophistication of such threats.

Enter exposure management.

Exposure management is a comprehensive, highly contextual view of cybersecurity risk. Rather than viewing security as a singular, isolated objective, organizations weigh vulnerabilities and risks across a broad set of objectives — including business objectives — to intentionally balance risk and reward.

Cybersecurity and business leaders view exposure management as a more evolved approach to managing cybersecurity risk given the wide spectrum of threats organizations face — a landscape so large and complex that defending against all threats at all times is simply neither realistic nor sustainable.

Ivanti’s research shows that security professionals worry about a wide array of security risks and attack vectors — from ransomware and phishing to software vulnerabilities and supply chain threats.

These findings also reveal significant gaps in current levels of preparedness. (Gaps are areas where threat levels exceed preparedness.) For example, preparedness for ransomware attacks and API-related vulnerabilities is especially low in comparison to the threat level.



These shortcomings are especially concerning given that all of these threats are likely to be amplified by gen AI. For example, more than 1 in 3 (38%) say ransomware will become even more dangerous when powered by AI.

The good news: Viewing cybersecurity as a business priority — a key principle of exposure management — appears to be well understood and widely supported in concept among both security professionals and business leaders, even if it’s not yet consistently practiced.

And cybersecurity has a high degree of C-level support, as well as broad visibility at the board level.

  • 89% of security professionals and organizational leaders say cybersecurity is discussed at the board-of-directors level.
  • 81% say their board of directors includes someone with cybersecurity expertise.
  • 88% say their organization’s CISO is invited to high-level strategic meetings about business decision making and organizational planning.
  • Nearly 3 in 4 say their cybersecurity budgets are growing. Even more impressive, 81% say their security budgets for 2025 are sufficient to achieve their 2025 security goals.


The less-good news: While leaders say they understand and value exposure management, they often approach it in a piecemeal fashion via disparate point products, rather than using an integrated strategy that can provide a comprehensive view of the organization’s total risk posture. The research points to this uneven approach.

Exposure management ranks last as a key area of investment, even though components of exposure management, such as cyber asset attack surface management (CAASM) and external attack surface management (EASM), are considered priorities by many. More mature companies – those that describe themselves as having an advanced ability to fend off threats – are significantly more likely (1.6x more likely) to invest in exposure management.

Ivanti’s research shows that organizations with a more advanced level of cybersecurity maturity (i.e., a self-reported, proven ability to fend off advanced threats) are significantly more likely to say they are increasing investments in exposure management.

26% of advanced Level 4 organizations are increasing investments compared to just 16% of the least mature (i.e., Level 1) organizations. (Ivanti’s Maturity Model is described in more detail in section 4: Tackling tech debt.)



Overall, the industry appears to be supportive of the principles of exposure management, even if many have not taken actionable steps toward adopting and executing it.

Organizations should consider a different approach to cybersecurity — bridging the gap between the need for exposure management and effectively implementing it. By fully committing to exposure management, organizations can use reliable data to assess and prioritize risks, focusing the team’s effort on the exposures that pose the greatest risk. Exposure management aligns cybersecurity operations with overall business priorities, ensuring cybersecurity supports broader business objectives rather than being considered only as a technical function.

Mike Riemer
Senior Vice President, Network Security Group (NSG) and Field CISO, Ivanti

Exposure management represents a disruptive paradigm shift for the industry.

It requires a comprehensive, integrated view of cybersecurity risk, including the myriad pressures that lie outside of IT and cybersecurity. And it requires a highly integrated, contextual view of an organization’s security posture and risk / reward tradeoffs.

Adopting exposure management means learning and executing new ways of measuring, managing and talking about risk — and it will force security leaders to rethink existing teams, processes and solutions in ways that are both disruptive and highly impactful.

Data silo damages

Data silos significantly weaken an organization's cybersecurity posture. Organizations have finally taken note, but much work remains.

Data silos limit visibility into threats, impede incident response, and create inconsistencies in security policies and practices across the enterprise. Progress has been made year over year, but the majority of organizations (55%) still report security and IT data silos, as well as the massive challenges associated with them.



The research also underlines the impacts of silos: 62% say silos slow security response times, and 53% claim silos weaken their organization’s security posture.

Security professionals also report many areas in which data and insights are missing or insufficient, such as detecting shadow IT (45%), confidently identifying specific vulnerabilities based on existing data (41%), and determining patch compliance and meeting patch SLAs (37%). All of these create serious security blind spots related to understanding the company’s attack surface, identifying exposures and complying with regulations.

The data silo problem is particularly visible in the relationship between IT and security. 44% say they struggle to manage security risks due to a challenging security / IT relationship, and 40% point out that IT and security teams use different tools, amplifying the problem.

Security professionals also worry about IT teams’ mindsets and training. 46% of security professionals say IT teams lack urgency when it comes to cybersecurity issues, and 40% say IT teams don’t understand the organization’s risk tolerance.

Fixing these problems won’t be easy.

Leaders and security professionals estimate it would take six years on average to break down existing silos within their organizations.

Silos are the enemy of effective exposure management — and here we’re talking about more than just data silos. Organizational silos are forms of isolation within a company’s overall management/structure — whether divisions between IT and security, or other manifestations of difference or separation across the organization. And they can be just as damaging. For example:

  • Leadership silos: Conflicting approaches to management and operations lead to lack of focus and an inefficient use of resources. For IT and security, leadership silos create roadblocks and slow down each team’s ability to deliver on objectives. They also strain budgets due to duplicated efforts, overlapping tech investments and inefficient use of talent.
  • Business process & workflow silos: Departments such as IT and cybersecurity often work independently of one another with limited collaboration, which can lead to competing priorities, lower productivity and even lower employee satisfaction.
  • Technology silos: Technology decisions within organizations are made at the department level and/or on an ad hoc basis to solve a singular problem. For the IT/sec relationship, the impacts are enormous: reduced visibility and efficiency, as well as higher levels of tech debt.

Ultimately, security must be a business enabler; this is the foundation of an exposure management strategy. Beyond the expected areas of responsibility, such as minimizing downtime and making the organization resilient in the face of threats, security teams must also be responsible for broader, business-wide priorities like:

  • Driving revenue by building trust, supporting innovation, and helping the organization enter new markets with new regulations.
  • Supporting remote work and flexibility for organizations that have made this a priority.
  • Driving digital transformation by allowing an organization to take on new digital initiatives, knowing that security measures are in place to protect against potential risks.

To break down silos between security teams and other departments, each team must help identify and manage risks in their area, sharing knowledge to increase visibility. A wall often exists between the CISO and the CIO. The CIO typically focuses on business productivity, while the CISO centers on security, which can lead to conflicts. They need a unified view of security risks to see across silos and present a comprehensive picture of assets, risks and actions to mitigate those risks. Exposure management offers greater opportunity to align these operations with business strategy by helping enhance visibility.

Karl Triebes
Chief Product Officer, Ivanti

Assessing risk tolerance

Security professionals are bullish about their ability to measure risk exposure, yet they apply frameworks inconsistently … and often ineffectively.

Exposure management relies on a highly sophisticated approach to assessing risk, including:

  • Taking a holistic view of an organization's entire attack surface… including how to mitigate third-party risk and how to secure IoT devices. (51% of our survey group report the number of IoT devices they manage will rise in 2025 compared to 2024.)
  • Continuously identifying exploitable vulnerabilities, attack vectors and breach pathways.
  • Proactively anticipating the potential consequences of a wide range of cyber-attack types — and prioritizing actions based on real-time data and analysis.
  • Aligning cybersecurity efforts with business objectives, meaning that risk-reduction decisions are not wholly owned by security leaders, but shared across both security and business stakeholders — and crucially, based on a shared understanding of organizational risk appetite.

Ivanti’s research shows that security professionals have a high degree of confidence about their ability to measure risk exposure, but it also suggests these high marks may be unwarranted. 80% rate themselves as “good” or “excellent” in their ability to measure risk exposure.

Truly defining and quantifying business risk, however, remains a challenge. Even though 83% say they have a documented framework for identifying risk tolerance, just over half (51%) of those say their current risk tolerance framework is not followed closely — which is about as effective as not having a framework at all.



When organizations don’t follow their risk tolerance framework closely, the impacts can be far-reaching — from financial losses and reputational damage to regulatory fines.

Ivanti’s research shows that leaders and security professionals alike struggle to measure and communicate risk exposure. They cite:

Measurement challenges: Organizations struggle to quantify and measure risk clearly and objectively.

  • 51% cite lack of talent as a barrier to measuring risk exposure.
  • 49% cite lack of access to relevant data as a barrier to measuring risk exposure.


Communication challenges: Organizations also face challenges conveying a clear sense of risk exposure to the organization’s broader leadership.

While 48% of leaders say security leaders communicate risk exposure to broader leadership very effectively, only 40% of security professionals say the same.

Organizations are increasingly looking to their CISOs for strategic business advice, including guidance about AI adoption and managing supply chain risk. And boards are becoming increasingly involved. Our research shows cybersecurity is already a topic at the board level. 89% say cyber risk is discussed at the board level, and 88% say CISOs are invited to high-level strategic meetings about business decision making, organizational planning, etc.


And yet, many CISOs operate with a primary focus on downtime risk rather than seeing the bigger picture.

To evolve into strategic players, security leaders must learn to speak the same language as their CEOs and boards — translating technical know-how into business priorities, such as the financial and reputational impacts of attacks, as well as the legal and regulatory ramifications of data breaches.

Currently, organizational leaders and security teams are not on the same page. For example, when we asked which are the most important/impactful areas of cyber risk, leaders were most likely to choose financial impacts like loss of revenue or higher expenses, while security professionals chose operational impacts such as downtime or loss of productivity.

Bridging this divide requires security organizations to undergo a mindset shift — from protecting the company from the latest threat to supporting company growth, innovation and sustainability. Adopting an exposure management approach — combined with strong data management practices — will allow security teams to:

  • Right-size the management of risk — effectively matching the size/impact of the threat with the size/urgency of the response.
  • Layer on a business context to ensure non-security decision-makers understand how cyber risks impact the organization's objectives — including financial, regulatory and reputational risk — and allocate resources accordingly.

To truly integrate cybersecurity into the business framework, CISOs must bridge the gap between technical expertise and business strategy. This means translating cyber risks into tangible business impacts, fostering cross-departmental collaboration and aligning security measures with organizational objectives. Only then can cybersecurity be seen not as a cost, but as an enabler of innovation and growth.

Brooke Johnson
Chief Legal Counsel, Senior Vice President of Security and Human Resources, Ivanti

Tackling tech debt

Technical debt is both common and corrosive. Ivanti’s research explores the extent of the problem and how organizations are addressing it.

Among security and leadership professionals Ivanti surveyed, 1 in 3 say tech debt is a serious concern. The level of concern varies tremendously by industry. Those in the healthcare industry report the highest degree of concern (40% report “very serious” or “extremely serious” levels of debt), followed by those in manufacturing and tech.



The causes of tech debt vary, but most commonly, security professionals point to two primary drivers: the high interdependence of their existing systems, and the need to secure systems that have rapidly evolving requirements. (Not surprising to industry insiders: Half of organizations surveyed — 51% — say they use software that has reached end of life.)



The impacts of tech debt are far-reaching:

  • Impacts for cybersecurity: Across all respondents, at least 1 in 3 agree: Their security position is seriously compromised by legacy systems. Fully 37% say their tech infrastructure is so complex that they can’t uphold basic security practices, and 43% say accumulated tech debt makes their systems more susceptible to security breaches.

  • Impacts for business: Overall, 39% say tech debt significantly slows growth. Among those who name tech debt an “extremely serious” concern within their organization, 71% report slowed growth. And 43% say tech debt slows innovation. (This number jumps to 56% for those with the highest levels of tech debt.)

  • Impacts for user experience: Perhaps most surprising of all is the impact of serious tech debt on the work life of security professionals: 35% say tech complexity makes them feel burned out at work, and the same proportion say tech complexity is a workplace hazard for IT and security professionals.

Both security and business leaders must align their budgets and goals to ensure secure and strategic management of their investments, thus avoiding the negative impacts of tech debt. A significant challenge arises when organizations fail to consistently review and manage their tech stack, leading to reliance on outdated solutions with unpatched security vulnerabilities.

Dennis Kozak
Chief Executive Officer, Ivanti

Managing the software supply chain

When organizations adopt third-party solutions and components, these investments can introduce tech debt if not properly managed. That’s because, as supply chain components age, they can add to technical debt if they’re not updated and patched regularly.

Vendor sprawl exacerbates the problem. With so many disparate tools to stay on top of — and given that third-party components in an organization’s software supply chain are an extension of its attack surface — it's just one more way that tech debt negatively impacts security posture.

The vast majority of security professionals (84%) say it’s “very important” to monitor the software supply chain, and 73% say they’re “very effective” at monitoring the software supply chain. Yet nearly half (48%) have not yet identified the most vulnerable components in their supply chain.



What do software supply chain best practices look like? We asked survey-takers who work in cybersecurity to rate their organization’s level of cybersecurity preparedness — from basic (Level 1) to best-in-class (Level 4) — to develop a Cybersecurity Maturity Model.



Using this model, we can understand what the most advanced organizations are doing differently to secure their software supply chains compared to less mature organizations.

  • 71% of Level 4 (the most mature) organizations review all software vendors for security, more than 2x the rate of Level 2 organizations.

  • 43% of Level 4s require vendors to provide evidence of internal pen testing. Just 24% of Level 2s require this.

  • 49% of Level 4s complete a vendor security assessment questionnaire for new purchases, compared to 27% of Level 2s.


Organizations responding to the Ivanti survey have different approaches to who “owns” software security, though Level 4 organizations are most likely to say it’s a shared responsibility between the software vendor and customer.

Less mature organizations (Level 2s) are significantly more likely than mature organizations to say the vendor wholly owns security responsibility. This point of view may be driven by resource constraints, a lack of technical expertise to address specific responsibilities or even a false sense of security that cyberattacks only target large corporations with sensitive data.

No matter the reason, believing security should be upheld fully by vendors can lead to a false sense of security. What’s more, these organizations can become overly reliant on vendor-provided solutions, neglecting to implement layered security measures and best practices.



Software security should be a shared responsibility.

Vendors are responsible for implementing secure development practices, including regular code reviews, vulnerability scanning, and penetration testing throughout the software development lifecycle. And they must provide timely security updates and patches to address newly discovered vulnerabilities.

Additionally, buyers must commit to promptly applying security updates and patches and implementing a systematic process for tracking and deploying them across the organization. They must also implement and maintain strong access controls, including role-based access and regular review of user privileges. And they should conduct regular security assessments, including vulnerability scans and penetration tests, to identify potential security flaws on a consistent, ongoing basis.

A call for change

Effective cybersecurity must go beyond the traditional view of risk.

As organizations' digital footprints continue to grow — encompassing a complex web of on-premises infrastructure and cloud-based services — their attack surfaces are expanding at an unprecedented rate. But the problem is not just the size and scale of the attack surface.

Organizations simply cannot realistically mitigate all risks in our current environment. The threat landscape is continually evolving, complex tech systems are inherently vulnerable, and organizations must work within resource constraints.

The situation demands a more sophisticated and adaptive approach to cybersecurity, one that views security as a complex balancing act — trading off business risk and reward — rather than a protect-at-all-costs strategy.

Exposure management promises a more intelligent approach to managing risk.

Ivanti’s research shows that the concept of exposure management is well understood; for example, 49% of security professionals say their company leaders possess a high level of understanding of exposure management. Yet few organizations are taking steps to embrace the practice; just 22% say they are increasing investments in exposure management in 2025.

Exposure management offers organizations a more nuanced – and effective – approach to managing risk. It does this by taking into account the full spectrum of business risk rather than a narrower view of cyber risk.

Yet to embrace exposure management, an organization must undertake a challenging process: Aggregate its data so that it is truly inclusive of all aspects of the organization’s attack surface, conduct data-backed risk assessments that include the organization’s risk appetite, and direct its limited resources to mitigating the vulnerabilities that pose the greatest risk to the organization.

And to operationalize exposure management, organizations must finally break down silos — not simply those within the security realm, but across the organization. Doing this will empower security teams to identify, assess and categorize potential threats for the entire organization based on severity, likelihood and impact.

Most organizations continue to operate business-as-usual when it comes to breaking down data and organizational silos. For example:

  • 88% of security professionals report significant data blind spots — areas with insufficient data to make informed security decisions — such as shadow IT, patch compliance, vendor risk-management information and dependency mapping.
  • 44% say they struggle to manage security risks due to a challenging security/IT relationship.
  • 40% say IT and security teams use diverging tools for the same activities.

The extreme degree of complexity in today’s threat landscape requires new ideas and approaches — and security leaders must lead this charge.

It’s time for cybersecurity teams to take on a more strategic role: securing critical assets, safeguarding customer trust, maintaining global compliance, sustaining business continuity … in other words, driving an organization’s resilience and competitive edge. This will require a new level of collaboration and communication between security leaders and business leaders — a true mindset change, and even cultural change for many organizations.

Methodology

Ivanti surveyed over 2,400 executive leaders and cybersecurity professionals in October 2024. Our goal: to understand today’s most pressing cybersecurity threats as well as emerging trends, opportunities and business strategies.

As part of the study, we developed a Cybersecurity Maturity Model. (See more details in section four.) Collecting information through self-reporting has limitations, as people may be biased when evaluating their own efforts; however, we believe the findings based on this maturity model provide useful signals to the cybersecurity field. We ask that readers keep these limitations in mind.

This study was administered by Ravn Research, and panelists were recruited by MSI Advanced Customer Insights. Survey results are unweighted. Further details by country are available by request.
