With this in mind, CTEM emphasizes “proactive security that relates to either vulnerability management, attack surface management or exposure management,” he says.
It’s important to note that CTEM “is really like a process, not a product,” says Adam Ford, CTO for state and local government and education at Zscaler. Specifically, “it’s a continuing process of identifying and prioritizing exposed vulnerabilities.”
Why Traditional Vulnerability Management Falls Short for Higher Ed
Traditional vulnerability management can fall short in higher education, often for structural reasons. “The bigger universities really have a lot of historical separation in IT functions between the different colleges, the different schools and departments,” says Ford, who is also a former state CISO for Illinois.
“There is often autonomy within the different colleges or the different departments on purpose, because they’re serving students in a different way,” he says. Against this backdrop, “getting to a centralized view has, in the past, been something that wasn’t seen as a priority.”
With rising cyber risk, that visibility is essential. “Universities and colleges now are looking at this trying to say, ‘How do we get a common inventory of these things?’” he says.
The CTEM Framework: Five Stages Explained
CTEM calls for a five-stage approach to iterative improvement.
- Scoping: Define the assets you’re aiming to protect and how you’ll measure success.
- Discovery: Build continuous visibility into assets and exposures within that scope.
- Prioritization: Determine which exposures need to be addressed first, based on organizational risk.
- Validation: Confirm those high-risk exposures are actually exploitable and that controls perform as expected.
- Mobilization: Convert those validated findings into executed remediation and measurable risk reduction.
The Higher Ed Attack Surface: Open Networks, BYOD and Decentralized IT
Higher education has a sprawling attack surface. Among the factors complicating cybersecurity here, open networks and BYOD “are the ones that leap to mind for me most immediately,” Sheldon says. In addition, “there are some design constraints within the space.”
Concerns about academic freedom, for example, produce reticence about locking down certain parts of the IT stack and lead to a decentralized approach to IT. “University systems have had to make some of these trades to comport with their mission,” he says, “and threat actors have understood this.”
As AI rises as a weapon of attack, the need for more effective attack surface management takes on added urgency.
Attack Surface Management: How CTEM Builds Continuous Asset Visibility
“AI is surfacing all sorts of vulnerabilities. That’s changed the character of what security teams need to do,” Sheldon says. With its focus on scoping and discovery, CTEM helps by elevating asset visibility.
“It’s finding straightforward ways to continuously identify and surface different risks or threats, and doing that in a way that’s integrated with the rest of the security team’s workflows,” he says.
“Because of how complex security teams are at this point, there’s a need to monitor various different risks and threats,” he says. With CTEM, “those activities can be integrated in a way that’s manageable for security teams — for them to be able to rank and prioritize what they should be doing to most meaningfully reduce risks.”
Breach and Attack Simulation: Remediating Exposure Before Attackers Strike
Hand in hand with CTEM, many organizations will implement breach and attack simulation in order to spot the gaps that attackers are most likely to exploit.
“Sometimes in cyber, we can get caught up in practicing the ‘nerd knob’ thing,” Ford says. “We have ransomware, so we do our SOC incident procedure, but that’s not even the point of this. The point of this is to keep the university operating.”
Simulations can help cyber teams identify and remediate the actual risks to operations.
The threat model may point to the likelihood of a certain risk — say, for example, an e-crime group that’s been targeting higher ed. Cyber teams can emulate that with simulations “to make sure that we’re prioritizing whatever tradecraft they’re using,” he says. That way, defensive efforts are targeting real risks.
Simulations also help to make the risk more tangible. “You can bring business stakeholders in to demonstrate the practical outputs,” Ford says. “It’s not just, ‘Hey, something got hacked,’ abstractly. You can say: This system was breached, and the entire alumni directory and contributions list was published on the internet.”
This, in turn, helps build institutional support for the cyber effort.
Building a CTEM Program at Your College or University: Where to Start
Because CTEM is an iterative process, “you can start with where you are. Start with the information that you have available to you,” Ford says. “You don’t have to have perfect information to get started. In fact, the process is designed to help your information get better.”
It’s also important to organize your people in a way that lets them take full advantage of CTEM’s capabilities. “The question to ask is, are you still proceeding with a legacy team organization?” Sheldon says. That can lead to teams paying insufficient attention to real and imminent risks.
While it probably doesn’t make sense to reorganize the whole team every time a new product or approach comes along, he says, IT leaders should at least be thinking about “how to orchestrate their teams,” in light of what CTEM has to offer.
