From Vulnerabilities to Visibility: How CTEM Is Reshaping Cybersecurity

The cyber threat landscape is shifting faster than ever, and old-school vulnerability management isn’t cutting it anymore. That’s why security leaders are moving toward a smarter, more contextual approach: Continuous Threat Exposure Management (CTEM).

In a recent fireside chat with security leaders from OneMain Financial and AAA National, NopSec’s Rob Johnson dug into how CTEM is evolving in the field and what it means for teams trying to keep up.

Here’s what stood out:

Vulnerability ≠ Exposure 

Traditional vulnerability management often feels like a game of patch-and-pray. But exposure management changes the frame: it’s not just about what’s vulnerable; it’s about what’s actually at risk.

As Andrew King, Managing Director at OneMain Financial, explained:

“You have to have people realize things are an issue and then be able to move and adapt as the whole scope of the landscape changes.” 

Changing culture is half the battle. The other half? Context. Without it, you’re just whack-a-moling CVEs. 

 

From Detection to Prevention

CTEM flips the script by focusing on prevention rather than just detection.

That means knowing which exposures matter before attackers exploit them, then aligning that intelligence with your business priorities.

Richard Latayan, CISO at AAA National, emphasized the role of culture in this shift:

“Organizations that are quicker to react, maybe have a lower risk tolerance, are more adept to looking at this newer strategy around prevention.” 

It’s not just about faster scans; it’s about smarter workflows and more informed decisions across teams.

 

Breaking Down Silos

One surprising takeaway? Collaboration isn’t always the uphill battle people expect.

King noted that in his experience, cross-functional teams—from product to security—are eager to work together when the stakes are clear:

“When you have passionate people who really want to do the right thing, engagement is kind of a no-brainer.” 

That kind of alignment is critical when exposures span cloud, containers, and third-party dependencies. 

 

AI, Automation, and the Path Forward

Both leaders acknowledged that while AI and automation are promising, trust and validation still matter.

CTEM platforms can help analyze risk and prioritize actions… but decisions still need human oversight.

Latayan put it simply: 

“Automation is maybe more of the process in analytics—not so much the actual instructions or the code and the fixing quite yet.”

In other words, AI can tell you where all the fires are happening, but you still need to decide which one to put out first and how to go about it.

 

Why It Matters

CTEM isn’t a tech upgrade; it’s a mindset shift, one that integrates risk quantification, real-time visibility, and automation to give security leaders what they’ve always needed: clarity, control, and credibility at the executive table.

Looking for ways to bring CTEM into your own program? Schedule a demo with NopSec and see how we’re helping teams move from reactive to resilient. 
