When I joined Forrester in 2022 to cover vulnerability management, I was fortunate to have a front-row seat to the multiple changes happening in this market. These changes included:
Large SecOps and technology companies such as CrowdStrike and Microsoft entering the vulnerability management market to compete with incumbents like Qualys, Rapid7, and Tenable.
Vulnerability risk management solutions incorporating external attack surface discovery and attack path mapping to enhance vulnerability risk scores.
Attack surface management solutions emerging to provide more comprehensive visibility to round out vulnerability management strategies.
Adoption of continuous security testing solutions, such as breach and attack simulation and penetration testing as a service, remaining tepid and trending toward more mature enterprises, with siloed results not tying directly back into the vulnerability management program.
The introduction of the exposure management category in late 2022 with Tenable’s announcement of exposure management.
As I tried to make sense of these shifts, I saw that the future for these markets was ripe with opportunity. But instead of trying to jam all these changes into some new category, I found more utility in breaking them up into their specific applications and use cases. These use cases became core to what I now call modern proactive security programs.
Proactive security can be boiled down to three principles: visibility, prioritization, and remediation. These were the three principles 10 and 20 years ago as well as the principles of today, and they will always be the principles of future programs. So while other analyst firms watching these changes preferred to tie them to new categories, acronyms, and hype cycles (such as continuous threat exposure management, or CTEM), I thought it was much more helpful to address what is happening in the market and how these proactive principles of visibility, prioritization, and remediation can be applied to specific use cases.
And although CTEM, proactive security, and continuous security testing were everywhere at Black Hat last week, some newly created category could dominate the show floor next year.
The Quiet Crisis In Remediation
Only one of these three principles ruled the Black Hat show floor last week: prioritization, with dozens of vendors highlighting continuous security testing and exposure management and unicorns such as Wiz announcing their exposure management solution. While solutions like these are helpful for organizations looking to fine-tune their prioritization strategy, the terms “AI-infused,” “continuous,” “autonomous,” and “automation” have a massive, hushed implication: the potential for prioritization to further bog down the neglected proactive principle of remediation.
If we’re going to leverage AI to mature prioritization strategies in exposure management and continuous security testing, then it’s also necessary to leverage AI to help us remediate so that we can actually address these prioritizations. We also need to prepare for more widespread attack surfaces due to AI and the lower barrier of entry that it has.
If we’re ever going to truly be proactive, we must get faster at remediation. Agentic AI presents opportunities here but is not a silver bullet. We’re still several months, or years, away from full-blown remediation automation, but AI does present some opportunities to help augment the remediation response process by identifying optimal remediations that accumulate through exorbitant vulnerability findings, recommending more tactical response actions, and identifying appropriate remediation owners.
Proactive Security Will Live On
Visibility, prioritization, and remediation will always be the foundation of your proactive program, but orgs still struggle to optimize all three principles in an integrated fashion. Now is the time to prepare your security teams for the future of proactive security by:
Future-proofing budgeting cycles by renaming your vulnerability management budget to proactive security. Proactive security is not just your vulnerability management budget. It encompasses attack surface management, cloud-native application protection platform, and all the offensive security testing you do throughout the year. Rename your budget to align future products and services with what is needed for your visibility, prioritization, and remediation.
Planning for AI to finally make a difference in the most neglected principle: remediation. Security teams are good at finding problems. We’re better than we give ourselves credit for. And our prioritization strategies are much better today than they were three years ago. We’re not just using Common Vulnerability Scoring System anymore; we’re finding better ways to use vectors, threat intelligence, attack paths, and validation through testing. All of these improved prioritizations make no difference if we don’t fix the identified and validated exposures. This is why remediation was a core focus of our recently published Forrester Wave™ on unified vulnerability management.
Learn More At Security & Risk Summit
Want to learn more? I’ll be unpacking a lot more about proactive security during my keynote, “Proactive Security From Fantasy To Framework,” at Forrester’s upcoming Security & Risk Summit in November in Austin. We’ll dissect proactive myths vs. realities and dive deeper into the next frontier of proactive security: proactive response. Check out the full agenda, and hope to see you in Austin!
