The True Scope of Posture Management

CSPM ≠ Posture Management.
Posture Management = All of your security-relevant posture data — of which CSPM is a part, but not the whole — aggregated together, and operationalised into a dedicated, proactive, preventative security function.

The ALL in “all” is important. It’s the relevant security posture data from across the 6 pillars (identity, endpoint, network, apps, data, infrastructure), but also posture-critical functions like vulnerability management, attack surface, CIEM, CTEM, and asset management.

Why am I so bullish on the “all”? Because they are highly interdependent. We must be able to answer the question “how secure are we, right now?”, and without an aggregated, comprehensive view of this information, we cannot know our current-state security posture… which means we cannot know our risk position. Knowing our security posture in vertical slices is simply not good enough. It’s not how attackers think and operate, despite what the structure of MITRE ATT&CK implies.

To be clear, *no one* is doing this well yet. How could we? The detect & respond hamster wheel we’ve been running on for the last 20 years has engineered security organisations that only know how to drive by looking in the rear-view mirror. We’re reactive and event-driven. We know it’s not good enough, but we’re experts at it.

You’ll know you’re on the right path when the security org is more focused on Prevention Engineering than on Detection (and Response) Engineering.
