Tenable has announced the creation of the Exposure Management Leadership Council, a new working group of Chief Information Security Officers (CISOs) and cybersecurity leaders tasked with developing frameworks, principles and best practices for exposure management. The council aims to establish exposure management as a proactive security discipline that reduces cyber risks across industries.
Addressing the boardroom communication gap
The council has released its first report, “Board meetings and the dreaded cyber risk update: a use case for exposure management,” which highlights challenges faced by CISOs when communicating with boards of directors. According to the findings, security leaders often present technical metrics from disconnected and siloed tools that fail to provide a full picture of an organisation’s exposure. This communication gap hinders effective decision-making and risk management at a time when cyber threats and regulatory scrutiny are intensifying.
The report suggests that exposure management can serve as a bridge between technical teams and business leaders by reframing discussions around risk reduction and business impact. It emphasises the need for a standardised framework to help CISOs prioritise the most pressing exposures and present them in a way that resonates with board-level concerns.
Industry perspectives on exposure management
Bob Huber, Chief Security Officer at Tenable and Chair of the Exposure Management Leadership Council, said the initiative seeks to transform how risk is discussed at the highest levels of business. “Exposure management is a strategic driver of organisational success. Our goal is to shift the conversation from endless technical metrics to a strategic discussion focused on risk reduction. A standardised exposure management framework would help CISOs pinpoint their organisation’s most pressing exposures and articulate their potential business impact.”
Council member Joanna Burkey, a corporate director and former CISO at HP and Siemens Americas, highlighted the role exposure management could play in reshaping board updates. “Exposure management can help CISOs bridge the boardroom communication gap. While the fundamental objectives of exposure management are proactive breach prevention and risk mitigation, an added benefit is its potential to transform the quarterly cyber update into a strategic discussion that drives action and outcomes,” she said.
Building a proactive security discipline
The Exposure Management Leadership Council brings together CISOs from leading organisations in insurance, technology, transportation, legal and consumer packaged goods. Its mission is to establish exposure management as a widely adopted, proactive approach that reduces organisational vulnerabilities before they can be exploited.
By providing a shared framework and language for communicating cyber risk, the council hopes to support both security leaders and boards in aligning strategies for protection and resilience. The initiative reflects growing recognition across industries that cyber risk is not only a technical challenge but also a strategic business concern that demands clarity and collaboration.
