How to Manage Cybersecurity Threats, Not Episodes

By Kasey Panetta | 4-minute read | August 21, 2023

Big Picture

A growing need for continuous threat exposure management

Today’s cybersecurity attackers pivot fast, leaving organizations scrambling to automate controls and deploy security patches to keep up, but such tactics don’t reduce future exposure. What’s needed is a continuous threat exposure management (CTEM) program that surfaces and actively prioritizes whatever most threatens your business. Creating any such program requires a five-step process.

Step No. 1: Scope for cybersecurity exposure, first for external and SaaS threats

Start by scoping your organization’s “attack surface” — vulnerable entry points and assets — which extends beyond the focus of typical vulnerability management programs. Include not just traditional devices, apps and applications but also less tangible elements such as corporate social media accounts, online code repositories and integrated supply chain systems. 

Organizations looking to pilot their first CTEM initiative could consider one of the following two areas:

  • External attack surface, which combines a relatively narrow scope with a growing ecosystem of tools.

  • SaaS security posture, which has become an increasingly important area of focus as more remote workers have resulted in more critical business data being hosted on SaaS.

Step No. 2: Develop a discovery process for assets and their risk profiles

While many discovery processes initially focus on areas of the business that were identified during scoping (Step No. 1), they should proceed to identify visible and hidden assets, vulnerabilities, misconfiguration and other risks.

Confusion between scoping and discovery is often the first failure when building a CTEM program. The volume of discovered assets and vulnerabilities is not success in and of itself; it’s far more valuable to accurately scope based on business risk and potential impact.

Step No. 3: Prioritize the threats most likely to be exploited

The goal of this process is not to fix every single security issue. Prioritization should factor in: 

  • Urgency

  • Security

  • Availability of compensating controls

  • Tolerance for residual attack surface 

  • Level of risk posed to the organization

The key is to identify the high-value assets of the business and focus on a plan of treatment that addresses them. 

Step No. 4: Validate how attacks might work and how systems might react

First, confirm attackers could actually exploit a vulnerability, analyze all potential attack pathways to the asset, and identify if the current response plan is fast and substantial enough to protect the business. 

Also key is convincing all the business stakeholders to agree on what triggers lead to remediation. 

By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach.

Step No. 5: Mobilize people and processes

You can’t wholly rely on the promise of automated remediation (though it might make sense for some obvious and unobtrusive issues). Rather, communicate your CTEM plan to the security team and to business stakeholders, and make sure it’s well understood. 

The objective of the “mobilization” effort is to ensure teams operationalize the CTEM findings by reducing any obstacles to approvals, implementation processes or mitigation deployments. In particular, document cross-team approval workflows. 

The story behind the research

  • From the desk of Jeremy D’Hoinne, Gartner VP Analyst

    “Continuous threat exposure management is a pragmatic and effective systemic approach to continuously refine priorities and walk the tightrope between two modern security realities. Organizations can’t fix everything, nor can they be completely sure what vulnerability remediation they can safely postpone.”

  • icon for audio

    Podcast: Debunking cybersecurity myths and delivering value

    Listen to Leigh McMullen, Gartner Distinguished VP Analyst, and Henrique Teixeira, Gartner Senior Director Analyst, address the Gartner Security & Risk Management Summit, explaining the mindset and operational shifts needed for security leaders to deliver maximum impact for their enterprise.

    0:00 / 0:00

  • Webinar: Treating cybersecurity as a business investment

    Cybersecurity is a business issue, not a technical one, according to 88% of boards of directors surveyed. Join Distinguished VP Analyst Paul Proctor as he explains how to communicate outcome-driven metrics to your business stakeholders and ensure those outcomes drive key success metrics.

1 3

3 things to tell your peers


Enterprise management of cybersecurity threats currently focuses on tackling certain events, but this isn’t the best long-term solution. 


Tactical approaches to security rarely reduce future exposure to threats.


Continuous threat exposure management prioritizes threats most material to your business.

Share this article

As a Research VP for security operations and infrastructure protection, Jeremy D'Hoinne assists chief information security officers and their teams to develop strategies to protect against advanced threats. Mr. D'Hoinne's research includes exposure management and how to run a continuous threat exposure management (CTEM) programme, but also how covers the related technologies, such as cybersecurity validation technologies,including breach and attack simulation (BAS). He also studies the intersection of artificial intelligence and cybersecurity with a focus on the disruptions caused by large language models and generative AI. Mr D'Hoinne continue to advise organization on infrastructure protection, especially network detection and response, remote access, and network and micro-segmentation.

Drive stronger performance on your mission-critical priorities.