There was honor of hosting the first episode of Xposure Podcast Live from Xposure Summit 2025. And we couldn’t ask for a better kickoff panel.
Let me introduce them.
Alex Delay, CISO at IDB Bank, knows what it means to advocate for a highly regulated environment. Ben Mead, director of cybersecurity at Avidity Biosciences, brings a pioneering security perspective that reflects the innovations behind Avidity’s target RNA therapies. Lastly, Michael Fransess, director of cybersecurity advanced threats at Wyndham Hotels and Resorts, is leading the responsibility to protect the franchise. Each of them brought a unique perspective to a common challenge. Apply continuous threat exposure management (CTEM) to complex production environments.
Gartner made waves in 2023 with bold predictions. Organizations that prioritize CTEM are three times less likely to violate by 2026.
Speaking to these veteran defenders, we unraveled the reality and challenges behind the hype of implementing and operating effective exposure management strategies.
What does a good CTEM program look like and what are the typical challenges you need to overcome? How can I optimize cyber and risk reporting to influence board-level decisions? And ultimately, how do you measure the success of your CTEM program?
Issues, priorities, and best practices
CTEM is not plug and play. The panelist’s prescription was clear. Start with asset inventory and identity management. Weak service accounts, authorized users, legacy logins. None of these are small gaps, they are wide open doors that need to be checked frequently. And for all of our panelists, frequency is important. What do you think it is? The enemies are always trying. For internal assets, weekly verification is a rule of thumb. What about external assets? every day. As they see it, it is the only way to maintain a constant handle over their ever-changing environment.
Surprisingly, Michael pointed out threat intelligence as the backbone of his security testing program. “We need to understand the enemy, simulate TTPS and patch CVEs as well as test defenses against real scenarios.” This is the key difference between CTEM and vulnerability management. Vulnerability management is about patching. Exposure management is about understanding whether your control actually works to block threats.
Report: Translate Cyber into risk terminology
In the banking industry, like many other highly regulated industries, Alex couldn’t fully emphasize the need to prepare to answer the harsh questions asked by regulators. “You’re going to be challenging exposure, repair timelines, risk treatment. That’s good. It enforces clarity and accountability.”
But even outside of regulated industries, the conversation is changing. The board doesn’t want to hear about the CVSS score. They want to understand the risks – that’s a completely different argument. Is the company’s risk profile rising? Where are you focused? And what are we doing about it?
Measure progress
Success in CTEM is not about counting vulnerabilities. Ben pinned it when he said he would measure the number of abused attack passes that his team closed. He shared how validation of the attack path revealed dangerous security gaps, such as permitted accounts and forgotten assets. Suddenly, you start to see the risk.
Others took it in a different direction with a tabletop exercise walking real leadership
Attack scenario. It’s not about metrics, it’s about explaining risks and outcomes. Move the discussion from noise to signal and give business clarity about what’s important.
From concept to action
Want to hear how these defenders are running CTEM without being owned by noise?
This episode dives deep into the real questions. Where do you start, how do you stay focused on what is exploitable, and how do you tie it all to business risk? We hear firsthand how security leaders like Alex, Ben and Michael are tackling these challenges head on, and how they tackle some surprises along the way…
Make sure you fully catch conversations on Apple Podcasts and Spotify
Source link
