Reviewing business graphs and analytics

Discovery produces a list of what exists. An exposure assessment turns that list into something a business can actually prioritise and act on. The difference between the two is often where cryptographic risk programmes either gain momentum or stall.

Beyond “This Algorithm Is Weak”

A finding that says “this system uses RSA-2048” is a fact, not yet an assessment. A useful exposure assessment adds the context that turns a fact into a decision: what business service does this protect, how sensitive is the data involved, how long does that data need to stay confidential, and what would the actual consequence be if it were compromised.

The Core Components

  • Business context — which service, application or data store each cryptographic asset actually protects
  • Data sensitivity and longevity — how long the protected data needs to remain confidential
  • Algorithm and configuration risk — quantum-vulnerability, key length, known weaknesses
  • Exposure window — how reachable or exploitable the asset realistically is
  • Remediation effort — how disruptive a change would be, and what dependencies exist

Why Business Context Is the Hardest Part to Get Right

Technical findings are comparatively easy to automate. Mapping a certificate or algorithm to the specific business service it protects — and that service’s actual sensitivity — requires connecting cryptographic discovery data to asset inventories, data classification, and often institutional knowledge that isn’t written down anywhere. This is precisely the step that separates a genuinely useful exposure assessment from a long, undifferentiated list of technical findings.

Scoring Against Recognised Guidance

Aligning assessment criteria to recognised external guidance — NIST’s standards and transition guidance, the CNSA 2.0 timeline for relevant sectors — gives the resulting risk scores external credibility, rather than an internally invented scale nobody outside the security team can interpret or trust.

What a Good Assessment Enables

The test of a good exposure assessment isn’t how comprehensive the report looks. It’s whether a non-technical stakeholder can read the top ten findings and understand, immediately, why those ten and not a different ten. If it takes a security engineer to explain the prioritisation, the assessment hasn’t finished its job yet.

Scroll to Top