Attack Surface Management (ASM) tools often focus on asset discovery rather than actual risk reduction, leading to busy dashboards but unclear improvements in security. Effective ROI in ASM is better measured by outcome metrics like faster asset ownership, reduced risky endpoints, and quicker decommissioning, which show real risk mitigation. #TopherLyons #SprocketSecurity
Keypoints
- ASM often emphasizes asset discovery and coverage over actual risk reduction.
- Outcome metrics such as time to asset ownership and reduction of risky endpoints provide clearer security improvements.
- More assets discovered doesnβt necessarily mean the organization is safer without measurable risk decline.
- Visibility should focus on ownership gaps, exposure duration, and unresolved risks rather than just asset counts.
- Operationalizing outcome-based metrics across teams can accelerate risk mitigation and justify ASM investments.
Read More: https://thehackernews.com/2026/01/the-roi-problem-in-attack-surface.html