{"id":15916,"date":"2026-03-07T00:40:53","date_gmt":"2026-03-07T00:40:53","guid":{"rendered":"https:\/\/newestek.com\/?p=15916"},"modified":"2026-03-07T00:40:53","modified_gmt":"2026-03-07T00:40:53","slug":"from-visibility-to-action-where-the-leverage-lives-in-modern-security-operations","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15916","title":{"rendered":"From Visibility to Action: Where the Leverage Lives in Modern Security Operations"},"content":{"rendered":"
\n

\n

Ivan Dwyer, a Senior Product Marketing Strategist at Axonius<\/a>, examines where the leverage lives in modern security operations. <\/span><\/strong><\/em>This article originally appeared in Insight Jam<\/a>, an enterprise IT community that enables human conversation on AI.<\/span><\/strong><\/em><\/p>\n

Proactive security is having a moment, rightfully so. Organizations have built impressive security stacks, each tool serving controls for a specific domain: endpoint protection, identity management, cloud security, vulnerability scanning, and network monitoring. These investments are working. The coverage is broad, the telemetry is rich, and the compensating controls are doing their jobs. But here\u2019s the catch: exposures don\u2019t respect domain boundaries.<\/p>\n

A misconfigured identity grants access to an unpatched server running end-of-life software in a business-critical environment \u2013 that\u2019s four domains with four control planes, and zero of them see the full picture on their own. To be truly proactive, you have to elevate above any single tool to gain total visibility and take the right action.<\/p>\n

You have the tools. You have the data. Every control plane in your IT stack\u2014an MDM agent, an IdP, a vulnerability scanner, a SaaS app\u2014when effectively aggregated, reveals the full picture of your environment. Somewhere in your stack, every asset leaves a signal. When that data comes together, it unlocks true visibility and actionability.<\/p>\n

Axonius is an asset intelligence platform that connects with all of your security and IT tools to bring assets and exposures of all kinds into one place. We see a lot of assets\u2013over 7 billion interactions annually across over 1,400 tools, last we looked\u2013and recently studied patterns across a selection of enterprise environments to understand how teams bridge that gap between visibility and action. Three themes emerged: coverage, context, and coordination. Each represents a lever that, when pulled, turns the data you already have into actionable insights.<\/p>\n

CYA: Cover Your 298K Agents<\/strong><\/h3>\n

Every cybersecurity team has the same mandate: make sure every device, across every operating system, is covered by the monitoring agents it\u2019s supposed to have. Sounds straightforward. Then you look at what that actually involves.<\/p>\n

Across large-scale environments, the average organization we see manages roughly 298,000 devices. That\u2019s workstations, appliances, mobile devices, cloud instances, and more\u2013each running different operating systems, hosted in different places, subject to different compliance requirements, and following their own lifecycle. There\u2019s no single agent or policy to rule them all. Different devices need different agents for different functions: endpoint security agents for threat detection, endpoint management agents for patching and configuration, and network agents for traffic visibility and segmentation.<\/p>\n

When we looked at real-world coverage data, about 12 percent of devices, on average, weren\u2019t reporting via an agent. Given the scope, that\u2019s impressive\u2013most compliance frameworks are written for 80 percent coverage, so teams are clearing that bar. But the remaining 12 percent is worth paying attention to because it hides\u2013no tool can report its own lack of coverage. It requires elevating above the stack and looking across signals.<\/p>\n

The opportunity is to treat agent coverage less like a periodic audit and more like a continuous feedback loop. Define which agents belong on which devices under which conditions. Monitor for deviations. Decide if they matter. Deliver actions to restore the desired state. It\u2019s a self-healing model, and the data suggests the organizations doing this well don\u2019t necessarily have more monitoring; they\u2019ve just moved verification above the individual tool level.<\/p>\n

5.6 Tools Walk Into a Prioritization Meeting<\/strong><\/h3>\n

Not every vulnerability is an exposure, and not every exposure is a vulnerability. They come in many forms from all angles \u2013 vulnerabilities, misconfigurations, and inefficiencies that impact risk, performance, and cost measures. Context is king, but it\u2019s fragmented across tools.<\/p>\n

On average, we found that organizations rely on 5.6 tools to provide context for known exposures. These break into three categories: security context from vulnerability scanners, EDR, and cloud security platforms; business context from inventories, collaboration tools, and cloud platforms supplying ownership data, compliance tags, and criticality; and asset context from identity providers, management systems, and directories supplying device metadata, EOL\/EOS status, and configuration state.<\/p>\n

5.6 tools aren\u2019t alarming\u2014identity providers, vulnerability scanners, business systems, and cloud providers all contribute important signals. The challenge is that they mostly operate in silos. Business context in one place, security context in another, asset metadata somewhere else. Getting all the context is one thing. Connecting the dots across deployment models\u2013cloud, on-prem, remote\u2013is another entirely.<\/p>\n

This is where prioritization quietly breaks down. A vulnerability scanner assigns severity scores based on CVSS and possibly exploit intelligence. Fair enough. But it doesn\u2019t know whether the affected asset is internet-facing, whether it runs a business-critical workload, who owns it, or whether compensating controls exist. That context lives across the other tools in the stack. When a risk score appears authoritative but is built on a partial picture, teams invest remediation effort in the wrong places, while the exposures that threaten the business remain open.<\/p>\n

The opportunity is to treat context as something that\u2019s engineered, not assembled on the fly. The data already exists in security tools, asset inventories, and business systems. What\u2019s often missing is the layer that brings it together and keeps it fresh. Organizations that invest in a unified context across all three lenses\u2013asset, business, and security\u2013consistently report smaller remediation queues, fewer false priorities, and faster time to meaningful risk reduction. Fresh context, already attached, already trusted. That\u2019s what turns prioritization into a decision instead of a debate.<\/p>\n

Setting the Actionable Table<\/strong><\/h3>\n

The whole point of actionability is, well, taking action. But when we examined how organizations mobilize using our library of actions, an interesting pattern emerged across three modes.<\/p>\n

The most prevalent is coordination: notifications, ticket creation, ownership assignment, escalation\u2013the work of routing issues to the right people and making sure nothing falls through the cracks remains supreme. Next is management: continuous lifecycle actions, such as tagging, enrichment, and ownership updates, triggered by asset events. The most targeted mode is direct remediation: running commands, deploying software, changing policies, and disabling accounts.<\/p>\n

Most activity today is focused on setting the table for action, not the action itself. That\u2019s not a flaw. It reflects how security work gets done in complex environments. Before you touch a production system, you want confidence in ownership, impact, and timing.<\/p>\n

But it also reveals why remediation cycles stay stubbornly slow. A vulnerability on a server doesn\u2019t get fixed by the security team that found it. It gets fixed by the infrastructure team that owns the server, using a patching process managed by IT operations, tracked in a ticketing system maintained by yet another group. Each handoff introduces latency, and if the team responsible for the fix doesn\u2019t trust the data behind the request, the ticket stalls. We\u2019ve all been in the \u201cthat\u2019s not ours\u201d meeting.<\/p>\n

The opportunity is less about automating everything overnight and more about bringing enough confidence to each handoff that issues move from \u201cassigned and waiting\u201d to \u201chandled and closed\u201d with fewer roundtrips. Ownership isn\u2019t one thing \u2013 owning an asset isn\u2019t the same as owning the fix, and owning the fix isn\u2019t the same as owning the outcome. When those distinctions are explicit, and the underlying data is shared, coordination becomes the default rather than a burden layered on top.<\/p>\n

The Connective Tissue<\/strong><\/h3>\n

Every one of these patterns\u2013coverage across a sprawl of assets, context scattered across systems, many mobilization modes\u2013traces back to the same root: the spaces between tools are where actionability breaks down.<\/p>\n

The encouraging part is that teams are doing a lot right. Achieving high agent coverage at massive scale, stitching together context from a wide mix of sources, and mobilizing action through coordination and lifecycle management\u2013that\u2019s no small feat. The data suggests the next leap doesn\u2019t come from adding more tools or more dashboards. It comes from investing in the connective tissue that lets everything you already have work together.<\/p>\n

Reconcile conflicting data into a single source of truth and a central operational model. Layer meaningful context onto every asset and every exposure. Orchestrate fixes through the systems and processes teams already use. That\u2019s where the leverage lives.<\/p>\n

\n

\n

The post From Visibility to Action: Where the Leverage Lives in Modern Security Operations<\/a> appeared first on Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, & Services<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

Ivan Dwyer, a Senior Product Marketing Strategist at Axonius, examines where the leverage lives in modern security operations. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI. Proactive security is having a moment, rightfully so. Organizations have built impressive security stacks, each tool serving controls for a specific domain: endpoint protection, identity management, cloud security, vulnerability scanning,… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15916","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15916"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15916\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}