Virtually all cyber exposure programs today are directed at addressing the cyber exposures an organization faces from its own resources and activities and from outside sources. This is necessary but not sufficient.
Why? Because most organizations also face secondary cyber exposures that they are neither aware of nor prepared to address. For example, many organizations do not manage, or own their own properties but inhabit facility space managed by someone else. That someone, generally a building