A major advantage, that falls under the "supportability" umbrella, is that with the previous technologies, they didn't have a great way to create highly customized or tailored baselines. With Tenable all the baselines we have are tailored to what we want to see in the environment, and that's what we attest to. It's a little different now, but when we were doing an RFP, the other players would allow you to do CIS, but they wouldn't really allow you customize them or create your own custom checks, and that's something we do extensively.

The nice thing about Tenable's Predictive Prioritization features is that, while our SOPs haven't been updated yet, with Predictive Prioritization it effectively allows us to scale out our tailored risk calculations in the environment.

With Tenable's ability to do highly customized and tailored baselines, it has allowed us to much more accurately measure our adherence to a tailored baseline, versus something like base CIS. With that greater visibility, it allows us to better manage our actual platforms. Every week, at least for our major platforms, we're partnering with them to continuously drive adherence to our tailored baselines. Previously, we were unable to do that effectively.

The level of visibility Tenable provides us, compared to our previous solutions is night and day. For traditional, network-based vulnerability scanning, Tenable is at the top. It's that simple.

SecurityCenter enables us to find all the vulnerabilities, export that data, prioritize it, and address the highest-risk vulnerabilities. That is definitely the main goal of the tool and it wouldn't be possible without the scanning technology accurately assessing the environment. 

It helps to limit our cyber exposure because every time we identify one of the exposed or high-risk vulnerabilities and enclose that, or address it, it reduces the overall exposure. This solution is just one tool in the whole chain that helps accomplish that. It is a very critical component, but it's not doing it in a vacuum.

The scanning helps us focus resources on the vulnerabilities that are most likely to be exploited. We're just starting to look into doing the compliance policies. That will be the next step. Right now, we're reactive, addressing vulnerabilities that are detected. We'd like to identify misconfigurations upfront, address those to speed things up, and reduce the resource cost. If you let a bad image go out to production, and deploy it on 50 systems, you have 50 tickets instead of a single place to fix it. That's what we're looking to leverage next.

In terms of financial value, within PCI compliance especially, if you don't have a scanner in place or you're not conducting PCI scans, you can't participate in the credit industry and accept credit cards. That's a requirement and a role that Tenable fills, one that must be addressed through regulation. We are also subject to GRC and a couple of others which are directly addressed, or a component of them is addressed, through Tenable and scans that it runs.