The CTEM Conversation We All Need
I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn’t have asked for a better kickoff panel: three cybersecurity leaders who don’t just talk security, they live it.
Let me introduce them.
Alex Delay, CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead, Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity’s targeted RNA therapeutics. Last but not least, Michael Francess, Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments.
Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here’s the kicker – only if it’s operationalized.
Speaking with these seasoned defenders, we unpacked the realities and challenges behind the hype of implementing and operationalizing an effective Exposure Management strategy, addressing the following tough questions:
- What does a good CTEM program look like and what are the typical challenges that need to be overcome?
- How do you optimize cyber and risk reporting to influence board-level decisions?
- And ultimately, how do you measure the success of your CTEM program?
Challenges, Priorities, and Best Practices
CTEM isn’t plug-and-play. The panelists’ prescription was clear: start with asset inventory and identity management; weak service accounts, over-permissioned users, legacy logins. None of these are small gaps, they’re wide-open doors that need to be checked frequently. And for all of our panelists, frequency matters – a lot. Because guess what? Adversaries are constantly challenging defenses too. For internal assets, weekly validation is the rule of thumb. For external-facing assets? Daily. As they see it, it’s the only way to maintain a constant handle over their constantly changing environments.
Surprisingly, Michael pointed to threat intelligence as the backbone of any security testing program. “You need to understand your adversaries, simulate their TTPs, and test your defenses against real-world scenarios, not just patching CVEs.” That’s the key difference between CTEM and vulnerability management. Vulnerability management is about patching. Exposure management is about figuring out whether your controls actually work to block threats.
Reporting: Translating Cyber to Risk Terms
In the banking industry, like many other highly regulated industries, Alex couldn’t emphasize enough the need to be prepared to answer hard questions asked from regulators. “You will get challenged on your exposure, your remediation timelines, and your risk treatment. And that’s a good thing. It forces clarity and accountability”.
But even outside regulated industries, the conversation is changing. Boards do not want to hear about CVSS scores. They want to understand risk – and that’s a completely different discussion. Is the company’s risk profile going up or down? Where is it concentrated? And what are we doing about it?
Measuring Progress
Success in CTEM isn’t about counting vulnerabilities; Ben pinned it down when he said he measures the number of exploited attack paths his team has closed. He shared how validating attack paths revealed risky security gaps, like over-permissioned accounts and forgotten assets. Suddenly, risk becomes visible.
Others took it in another direction with tabletop exercises that walk leadership through real
attack scenarios. It’s not about metrics, it’s about explaining the risk and the consequences. A shift that moves the discussion from noise to signal, and gives the business clarity on what matters: where we’re exposed, and what we’re doing about it.
From Concept to Action
Want to hear how these defenders are putting CTEM into action without drowning in noise?
This episode dives deep into the real questions: where do you start, how do you stay focused on what’s exploitable, and how do you connect it all to business risk? You’ll hear first-hand how security leaders like Alex, Ben, and Michael are tackling these challenges head-on, with a few surprises along the way…
Make sure to catch the full conversation on Apple Podcast and Spotify
