Jason Merrick, Senior VP of Product at Tenable, chats about AI’s role in cybersecurity, exposure management for mitigating security risks, security risks around cloud strategies, and more in this Q&A:
——–
Hi Jason, with your background and experience of leading successful companies, share your career milestones and your role at Tenable.
I lead the strategic planning and execution of Tenableโs product line, specifically Tenableโs exposure management platform. We focus on helping organisations cope with the ever-growing attack surface by providing visibility into their entire attack surface, from cloud environments to operational technology (OT) and everything in between.
With over 25 years in the IT security industry, Iโve held key product leadership roles at Symantec, Oracle, and other major technology companies. Throughout my career, Iโve been focused on pioneering solution deployments and driving innovation in cybersecurity.
Also Read:ย CIO Influence Interview with Richard Bird, Chief Security Officer of Traceable
Cyber threats are evolving rapidly, with AI playing both an offensive and defensive role in cybersecurity. How do you see AI reshaping the cybersecurity landscape in the next 3-5 years?
AI holds a lot of promise but it is reasonable to expect that adversaries will use AI to more rapidly identify vulnerabilities and develop exploit code, making cyber threats more sophisticated and scalable. At the same time, security teams will use AI to analyse misconfigurations, risky entitlements, and unaddressed vulnerabilities, helping them focus on the risks that matter most.
As AI becomes more accessible and relies on vast amounts of cloud-stored data, organisations must navigate an unprecedented level of data sensitivity. Securing the cloud is far more complex than traditional on-premises security. Without a defined perimeter, data is constantly moving across multiple locations and formats. In multi-cloud environments, this complexity is further amplified by inconsistent security controls across providers, making it easier for misconfigurations to slip through unnoticed.
Periodic security audits are no longer sufficient in an ephemeral cloud environment. Instead, organisations need continuous, automated monitoring to identify sensitive data, detect vulnerabilities, and alert on potential risks in real time. While many cloud security solutions provide valuable protection, they often fall short in helping organisations understand which threats to prioritise. Given the evolving risk landscape, businesses need solutions that not only secure cloud environments but also safeguard the data and AI resources within them.
Tenable positions itself as an exposure management company. How does the exposure management platform help organisations mitigate security risks more effectively?
The Tenable exposure management platform goes beyond traditional vulnerability management by providing a comprehensive view of an organisationโs security risk. It identifies and assesses all types of risk, including misconfigurations, entitlement flaws, and software weaknesses, giving security teams a complete picture of their attack surface.
What sets Tenable apart is its ability to incorporate both technical and business context into remediation decisions. By leveraging attack path analysis, asset criticality, and toxic combinations, security teams can prioritise the threats that pose the greatest risk to businesses. This ensures that remediation efforts focus on the most critical risks rather than just fixing vulnerabilities and misconfigurations in isolation.
The platform also translates cyber risk into measurable metrics and KPIs to help organisations effectively manage risk at an executive level. These insights allow business leaders to make informed decisions about their security posture and align cybersecurity priorities with broader business objectives. By providing clear visibility into business exposure, Tenable empowers organisations to take a proactive approach to cybersecurity.
With organisations accelerating cloud adoption, securing cloud environments remains a major challenge. What are the biggest security risks enterprises tend to overlook in their cloud strategies?
Multi-cloud adoption has introduced several critical cyber risks that are often overlooked, leading to the โToxic Cloud Trilogyโ โ a combination of critically vulnerable, overly privileged and publicly exposed cloud assets. In the rush to deploy cloud services, organisations often lack complete visibility into all of these cloud assets as traditional security measures struggle to keep up with the dynamic nature of the cloud. Itโs challenging to keep track of all cloud assets, blinding them to business-critical vulnerabilities and misconfigurations. Without comprehensive visibility into the cloud infrastructure, identifying risks becomes nearly impossible.
Also Read:ย CIO Influence Interview With Karthik Ranganathan, co-founder and co-CEO of Yugabyte
Ermeticโs integration into Tenable marks a significant expansion in cloud security. Can you share how this acquisition has enhanced Tenableโs capabilities and what it means for organizations looking to secure their cloud environments?
Identity-based threats are the top cloud security concern. The growing complexity of cloud infrastructures, driven by identity sprawl, shifting policies, and multiple layers of access, makes it difficult for security teams to understand and manage access risks effectively.
Ermeticโs solutions directly address these challenges with deep contextual analysis and visibility into toxic combinations of risk, such as privileged access to publicly exposed, vulnerable workloads. By integrating Ermeticโs Cloud-Native Application Protection Platform (CNAPP) and Cloud Infrastructure Entitlement Management (CIEM) capabilities into Tenable One, we will deliver a more robust solution for hybrid environments.
This acquisition not only expands Tenableโs presence in the cloud security market but also advances our Exposure Management strategy by providing greater visibility and insights across cloud resources. By incorporating identity-based risk into exposure management, security teams will gain a more complete understanding of true business risk, ensuring they can proactively mitigate threats before they are exploited.
Looking ahead, what innovations or advancements can we expect from Tenable in the coming years?
Tenableโs acquisition of Vulcan will expand the breadth of capabilities within the Tenable One Exposure Management Platform, with broader visibility on exposures, led by more than 100 third-party integrations that will create consolidated risk visibility, prioritisation, and streamlined remediation operations.
The acquisition reinforces Tenableโs Exposure Management leadership, empowering organisations to address risks across their entire attack surface with unparalleled efficiency and confidence.ย
[To share your insights with us as part of editorial or sponsored content, please write toย psen@itechseries.com]
Jason Merrick, Senior VP of Product, Tenable
Tenable is the exposure management company, exposing and closing the cybersecurity gaps that erode business value, reputation, and trust. The companyโs AI-powered exposure management platform radically unifies security visibility, insight, and action across the attack surface, equipping modern organizations to protect against attacks from IT infrastructure to cloud environments to critical infrastructure and everywhere in between.
