Technology, however, isn’t the sole answer. Companies must modernize their planning and processes too.

“Organizations need to be much more proactive and programmatic in addressing security vulnerabilities before they become issues,” says Convery.

Companies should establish organizational policies that clearly spell out acceptable responses to particular security vulnerabilities. For instance, a company might decide that vulnerabilities above a certain risk threshold must be patched within 48 hours. Tying patches to real business risk helps educate everyone in the organization about the consequences of exposure. It also helps drive the point that attack surfaces are everyone’s responsibility, not just IT’s.

Companies can also streamline their technology purchases in order to keep attack surfaces under control. They should focus on forming strategic relationships with a smaller number of hardware and software vendors, and standardizing on fewer systems that are well understood. As part of that initiative, they should demand that vendors show a commitment to security.

“The onus has to be on the seller to prove that their technology is secure,” says Pescatore. “If a company is buying networked medical devices or fleet vehicles with internet connections, that technology better be more secure than it has been in the past.”

The payoffs for a well‑managed attack surface are considerable: fewer security breaches and faster responses when problems do occur. Smart threat surface management can also help transform IT and security teams from crisis managers into true security analysts whose insights protect the bottom line.

“Reducing the attack surface and the damage from routine attacks gives your analysts more time to hunt for the interesting stuff,” says Convery. “Instead of focusing on the latest threat, they can address the issues that have a much greater downstream impact.”