Tenable Lumin: Translating Vulnerability Management Into the Language of Business

With Tenable Lumin, we’re giving customers a bridge between the language of vulnerability management and the language of business. 

In our work here at Tenable, we often hear from our CISO customers about the dual challenges they face:

• How to help business executives and the board understand their organization’s cyber risk
• How to help their IT colleagues prioritize patching to address the vulnerabilities representing the greatest risk to the organization

CISOs are, essentially, expected to be multilingual. They need to transition seamlessly from the business language of the C-suite to the technical, process-led language of their IT colleagues. The challenge? Most of the data they’re able to access from common vulnerability management tools is available only in their native tongue: the language of vulnerabilities. 

Indeed, a survey of more than 2,400 cybersecurity and IT leaders conducted by Ponemon Institute reveals that 58 percent of respondents say traditional KPIs or metrics for evaluating business risks cannot be used to understand cyber risks. Further, less than a third of respondents (30 percent) report they can adequately prioritize their efforts.

At Tenable, we’re committed to helping CISOs and cybersecurity professionals communicate effectively across their organizations. And, with Tenable Lumin, we’re giving you a bridge between the language of vulnerability management and the language of business. 

Tenable.io and Tenable.sc customers can use Tenable Lumin to transform raw technical data into business insights by combining inputs such as threat intelligence, vulnerability data and asset criticality into a single platform to accurately measure and benchmark cyber risk. This risk-based approach to cybersecurity enables CISOs and their teams to prioritize remediation efforts, effectively communicate cyber risk to internal stakeholders and make data-driven decisions to reduce risk. 

Tenable Lumin enables organizations to effectively measure and benchmark their cyber exposure internally and externally against peer organizations. To accomplish this, vulnerability data is correlated with other risk indicators, such as threat intelligence and asset criticality, to automatically score, trend and benchmark an organization’s cyber risk. Lumin transforms technical data into business insights for better strategic decisions.

CISOs can use Tenable Lumin to quickly and accurately assess the organization’s cyber exposure risk and compare their health and remediation performance to that of other enterprises.

Tenable Lumin uses a variety of metrics to help users understand the following: 

• Where they are exposed
• Where to prioritize remediation
• How the organization is reducing risk
• How these efforts compare to others

With Tenable Lumin, users receive a Cyber Exposure Score for their own organization, an average score for peers within the same industry as well as the general population. This allows users to compare their organization to others and provides additional context around the score. The higher the score, the higher the risk. 

Users can use Tenable Lumin to access the data most relevant for a particular audience. For example:

• The Cyber Exposure Score trend view provides trending data about the organization’s score over time. Users can also see whether their peers and the greater population are improving over time.
• The Cyber Exposure Score by business context view allows users to map a group of assets to a Cyber Exposure Score.

Gathering current, accurate data is critical to assessing your risk. Learn more about what’s available in the Tenable Lumin dashboard here:

Gaining Fresh Insights Into Your Cyber Risk with Tenable Lumin

Lumin uses several metrics to help you assess your cyber risk:

• Vulnerability Priority Rating (VPR)
• Asset Criticality Rating (ACR)
• Cyber Exposure Score 

Here’s what each score reveals:

• Vulnerability Priority Rating. A dynamic companion to the static data provided by the vulnerability’s CVSS score and severity, the VPR is generated dynamically per vulnerability. Tenable’s algorithms update the VPR to reflect the current threat landscapes. Values range from .1 to 10. A higher value represents higher likelihood of exploit. 
• Asset Criticality Rating. Tenable assigns an ACR to each asset on your network to represent the asset’s relative risk as an integer from 1 to 10. A higher ACR value indicates higher risk. Tenable assesses scan output and measures asset risk based on the following: exposure due to the location on your network and proximity to the internet, device type and device capabilities.
• Cyber Exposure Score. The score is automatically generated through machine learning algorithms which combine the Tenable Vulnerability Priority Rating (VPR), for the likelihood of exploitability, with the Tenable Asset Criticality Rating (ACR), for the business criticality of the impacted asset. This score represents the organization’s overall cyber exposure risk as an integer between 0 and 1,000, based on asset exposure score values for assets scanned in the past 90 days. A higher CES value indicate higher risk.

Learn more about Tenable Lumin metrics here:

Additional resources

• Visit the Tenable.io Product Education channel on YouTube for more about Tenable Lumin