The Hacker News
Rethinking Attack Surface Management ROI: Focus on Risk Reduction
Friday, January 2, 2026
What
Attack Surface Management (ASM) programs frequently struggle to prove their value, often generating more information and alerts without clearly demonstrating a reduction in security incidents. The core issue is a measurement gap, where success is typically gauged by asset counts and discovery rates rather than tangible improvements in risk posture and response efficiency.
Where
Organizations globally implementing or evaluating Attack Surface Management solutions.
When
Ongoing discussion and evaluation of cybersecurity program effectiveness.
Key Factors
- Traditional ASM metrics primarily track discovery and asset counts, which are inputs, not direct indicators of reduced risk or improved security outcomes.
- Meaningful ASM ROI should focus on outcome-oriented metrics such as Mean Time to Asset Ownership, reduction in unauthenticated state-changing endpoints, and Time to Decommission After Ownership Loss.
- Improving ASM effectiveness requires shifting from mere visibility to response quality and exposure duration, making asset ownership and risk resolution transparent across teams.
Takeaways
- Organizations should redefine ASM success metrics to prioritize risk reduction and response efficiency over simple asset discovery counts.
- Implement outcome-based metrics like Mean Time to Asset Ownership and reduction in high-risk endpoints to accurately measure and improve ASM program ROI.