Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • The Security Leadership Issue
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity NewswireSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceSecurity Education & TrainingCybersecurity News

2022 RSAC takeaways: Risk management vs compliance

By Rob Gurzeev
business-solution-freepik1170x658.jpg

Image by rawpixel.com via Freepik

July 1, 2022

I attended the 2022 RSA Conference (RSAC) last month and am pleased to see that our industry remains robust and innovative and continues to percolate new ideas to solve persistent challenges. RSA picked “Transform” as a theme this year, reflecting the quickening pace of the digitization of business processes and the zero-day and supply-chain threats posed against them.


These evolving trends in modern business are important, but so is risk. 


At the RSAC, I started to see strong evidence that the industry is finally shifting away from a compliance mindset and talking more about external risk management, risk detection and risk reduction. Make no mistake, compliance is an industry imperative, but far from a silver bullet. 


The Risk Catalyst for Change

I’m not advocating against compliance but rather the adoption of risk management as a new major component in an organization’s cybersecurity arsenal.    


Today’s IT stack is better described as an ecosystem rather than a single entity. Subsidiaries, supply chains and third parties have expanded an organization’s external attack surface exponentially. The consequence is that security teams are asked to do the seemingly impossible: manage an amorphous attack surface that changes with every merger, acquisition and new cloud-based asset.


Chief information security officers (CISOs), chief executive officers (CEOs) and board members I talked to at RSA said that risk management is now a priority for them. When I asked them how they plan to tackle top challenges in this area tied to asset visibility, scanning coverage and remediation prioritization - most said they’re still seeking the best solution. They added that current vendors had tried fruitlessly to solve these challenges for the past decade. From their point of view, solutions that come the closest are built for compliance, not risk management. This is the problem. 


When asked about their external attack surface and security risks, CISOs shared five areas they need to improve:    

  1. Attack surface visibility is limited and lacks business context.
  2. Discovery evidence is nearly non-existent.
  3. Security testing coverage is partial and full of false positives.
  4. Attributing subsidiary or third-party ownership of a vulnerable digital asset is inadequate.  
  5. Prioritizing what needs to be fixed first is too hard. Why? IT operations can resolve just a small portion of the thousands of “severe issues” their scanners deem today as such.

You can map a direct course from these bullet points to reduce the mean time to remediation (MTTR) of open and high-risk vulnerabilities. Two months is the average MTTR for organizations that handle thousands of alleged critical issues. CyCognito studies have revealed many organizations are unable to handle more than 10-50 critical issues per month. This creates enormous mitigation debt and highlights the need to identify and prioritize efforts around fixing an organization’s highest-severity issues.  


When risk is a determining factor in mitigating vulnerabilities, it helps organizations prioritize a security team’s resources on critical assets first. Prioritization opens new doors for an organization to see digital assets in the context of their business and not as ancillary issues. When risk is the priority, security teams shift their attack-surface perspective and more heavily weigh mitigation efforts based on whether a vulnerability is being exploited in the wild by a relevant threat group. 


Compliance Is Important, But Risk Management Is Paramount 

Adversaries know how daily compliance-driven cybersecurity works. They leverage the burnout security teams face via alert fatigue. It only takes one attack surface weak spot, exposing a critical high-risk asset, to increase risk exponentially. 


If Log4j taught us anything, it was that we don’t have the type of visibility into our external attack surface we need. Taking an outside-looking-in approach allows you to see your attack surface the way an adversary does. From a risk management perspective, this allows for quick surgically-precise fixes to just the digital assets exposing the most valuable crown jewels of your business. This can supercharge MTTR efforts. 


The roadmap for compliance is arduous, but familiar. The road to risk management has not yet been clearly mapped for many companies. CISOs at RSA shared that vulnerability scanners and dynamic application security testing (DAST) tools can’t get the job done. They are either too expensive, too noisy, have limited external attack surface visibility, don’t understand where the sensitive data exposure is and can’t untangle who owns each asset.


Emphasizing risk needs to be a differentiator within the external attack surface management space. The best approach includes honing in on identifying the attacker’s path of least resistance into the entire network. And when we also consider risk first and foremost in that approach, it helps an organization juggle potentially vulnerable digital assets with attackers who are tirelessly looking for external attack surface weak spots.


Intelligence agencies, where many of us come from, do not prioritize IT compliance over an attacker’s “path of least resistance.” We didn’t receive gold medals for earning a certificate. To be successful, the goal is to move the fastest (and safest). A risk management approach is the most useful to enterprise cybersecurity teams and the most interesting, relevant and differentiated.


Compliance is vital. But when it justifies the status quo, in a rapidly evolving threat landscape, a compliance-only approach to cybersecurity can be counterproductive.

KEYWORDS: compliance cyber security risk management security vulnerability

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Cyber Tactics Column
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Red laptop

Cybersecurity leaders discuss Oracle’s second recent hack

Pills spilled

More than 20,000 sensitive medical records exposed

Coding on screen

Research reveals mass scanning and exploitation campaigns

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • risk-management-freepik

    Elevating governance, risk and compliance throughout the software development life cycle with digital risk management

    See More
  • cyber attacker hacking computer

    Cybersecurity, risk and compliance: What’s in store for 2022?

    See More
  • Empty conference room

    Cyber risk is a business risk

    See More
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!