
Security Leaders are Rethinking Their Cyber Risk Strategies, New Research from Tenable and Enterprise Strategy Group Shows




Get a firsthand look at how 400 security and IT leaders are tackling today’s cyber risk challenges in this latest study from Tenable and Enterprise Strategy Group.

From budget allocation and prioritization methods to team structure, organizations are fundamentally rethinking how they manage cyber risk.

Why? Because threats, exposures and assets are multiplying at a pace that traditional methods simply can't match, leaving organizations exposed to growing risk.

Tenable partnered with Enterprise Strategy Group on a new research study, “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management,” to uncover the real-world challenges security teams face in reducing cyber risk in the modern era.

This study surveyed 400 IT and cybersecurity leaders across North America to uncover the biggest challenges, and the most promising opportunities, in today's threat and exposure management landscape.

The bottom line: The old playbook no longer works. It's time to shift from reactive, siloed efforts to a more unified, proactive approach that delivers real, measurable risk reduction.

According to the report, “Organizations are seeking threat and exposure management tools that enhance their prioritization and risk reduction capabilities through automated remediation and deeper analysis. What matters most to security teams is fixing the most important issues first and doing it as quickly as possible at scale.”

— The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, Enterprise Strategy Group, August 2025

Key findings

Cyber risk reduction is harder than ever

Nearly three-quarters of organizations (71%) say reducing risk is as hard or harder than it was two years ago, driven by cloud complexity (45%), manual processes (40%) and disconnected tools (40%).

Bar graph showing the primary reasons reducing cyber risk is more difficult than it was two years ago
Source: Enterprise Strategy Group, now part of Omdia, Research Report, The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, July 2025

Crucial context is overlooked

Nearly half of organizations still rely on basic exploitability (26%) and severity scores (21%), neglecting business context and asset-specific data, which leads to inefficient prioritization and higher risk exposure.
 

Bar chart showing how organizations most commonly prioritize vulnerabilities and exposures for remediation
Source: Enterprise Strategy Group, now part of Omdia, Research Report, The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, July 2025

Organizations are moving beyond simply 'showing issues'

Organizations are shifting their focus from simply finding weaknesses to effectively remediating them. Success is now measured by incidents prevented (59%), vulnerabilities eliminated (55%) and reduction in total risk (51%), demanding platforms that drive effective risk reduction.

graphic showing how organizations assess the effectiveness of their threat and exposure management and risk reduction processes
Source: Enterprise Strategy Group, now part of Omdia, Research Report, The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, July 2025

Exposure management budgets are growing

Organizations recognize the growing difficulty of risk reduction and are allocating more budget to tackle the challenge head-on. The vast majority of organizations (88%) are increasing their exposure management budgets year over year, with 59% noting a slight increase and 29% reporting significant increases.

graphic showing how many organizations plan to increase their spending on threat and exposure management technology in the next 12 months
Source: Enterprise Strategy Group, now part of Omdia, Research Report, The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, July 2025

Organizational silos create friction

Organizational silos create significant friction, with 27% of respondents citing the use of different tools by different teams as the primary challenge to effective collaboration. Responsibility for exposure management is often fragmented, falling to the general IT operations team (76%) more often than a dedicated vulnerability or exposure management team (41%).

graphic showing the primary challenges making it hard for threat and exposure management teams to effectively communicate and collaborate
Source: Enterprise Strategy Group, now part of Omdia, Research Report, The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, July 2025

Get the full story

Download “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management” for a deeper look at the challenges your peers are facing, and the future vision they’re building as they move from siloed, manual processes to a unified, automated exposure management program.
