Last updated at Mon, 02 Jun 2025 19:44:55 GMT

At the Take Command 2025 Virtual Cybersecurity Summit, a standout session titled Risk Revolution brought together Rapid7 product leaders and ESG analyst Tyler Shields to unpack the evolution of exposure management — and how organizations can build more context-driven, proactive risk strategies.

Hosted by Ryan Blanchard, Senior Manager, Product Marketing at Rapid7, the panel featured:

  • Jane Man, Senior Director of Product Management, Rapid7
  • Jamie Douglas, Specialist, Rapid7
  • Tyler Shields, Principal Analyst, Risk and Vulnerability Management, ESG

Here are the key takeaways from the discussion, along with supporting insights from the post-event attendee survey.

From vulnerability management to exposure management

The session opened by distinguishing exposure management from traditional vulnerability management. Tyler Shields explained:

“Exposure management is the maturation of vulnerability management… It's understanding risk, business context, and prioritizing accordingly.”

Rather than focusing solely on patching, exposure management is about knowing what to fix, why it matters, and who owns it, and doing so continuously.

Visibility gaps are slowing teams down

Visibility was a central theme throughout the session. Jane Man noted:

“A lot of the customers we talk to still struggle with just identifying what they have.”

This challenge was echoed in the post-event survey, where 53% of respondents cited identifying unknown assets as the top challenge in their exposure management programs.

Tyler added:

“You can’t protect what you don’t know about. And you certainly can’t prioritize it.”

Prioritization must be contextual

Prioritization remains a major hurdle for many organizations. Jamie Douglas stressed that severity alone isn’t enough:

“You can have a critical vulnerability on a printer, but if it’s segmented and not internet-facing, is it really a priority?”

The team emphasized the importance of integrating business impact, asset criticality, exploitability, and ownership into the prioritization process.

“If you don’t tie risk to business context, you’re just chasing numbers,” Tyler noted.

It’s time to break down silos

A powerful moment in the session came when the panel discussed collaboration across functions. Jane shared:

“Security doesn’t operate in a vacuum. You need buy-in from engineering, cloud, compliance - everyone has a role in risk reduction.”

Without shared language and unified dashboards, visibility doesn’t translate into action. The speakers urged teams to build bridges with IT and DevOps to ensure findings are actually resolved, not just reported.

Survey: risk prioritization is lagging behind

In the survey, only 18% of respondents said their organizations integrate threat intelligence into exposure management “very effectively”, highlighting a clear opportunity to improve how teams prioritize risk with real-time context.

This statistic reinforces the panel’s broader message that exposure management isn’t a point-in-time project; it’s a continuous, evolving practice.

Watch the full session on demand

For a deeper dive into the frameworks, real-world examples, and exposure strategies discussed in this session, watch Risk Revolution on demand.
