How a Major Utility Company Streamlined Exposure Management Across Dual Operations
by James Walta, VP of Product//6 min read/
When you're managing critical infrastructure for millions of customers, effective exposure management isn't a nice-to-have – it's everything. And when that infrastructure spans two entirely different operational domains with their own teams, tools, and regulatory requirements, cyber risk management becomes significantly more complex.
That was the reality facing a major utility company operating both gas and electric services. They came to us with what sounded like a straightforward request: help us manage cyber exposure across two different business units. But as is often the case with unified exposure management, the real challenge ran deeper than the initial ask.
The Challenge: Managing Cyber Risk Across Two Operational Domains
This organization essentially operated as two distinct entities under one roof. Gas operations on one side, electric on the other. Each with its own IT infrastructure, OT systems, security tools, and data streams. Each generating findings, alerts, and exposure intelligence specific to their domain.
Both sides had plenty of data. The problem was that mixing that data created confusion and risk. Gas teams didn't need to see electric-specific vulnerabilities cluttering their dashboards. Electric teams didn't need gas infrastructure findings obscuring their actual exposure picture. And neither side could afford to waste time sorting through irrelevant alerts or acting on information that didn't apply to their systems.
Without proper vulnerability prioritization, every finding seemed equally urgent. Without risk-based vulnerability management tailored to each business unit, remediation teams struggled to focus on what actually mattered to their specific infrastructure.
But there was another layer to this. Beyond the business unit separation, the organization needed to account for NERC certification status. Some users were NERC-certified and required access to certain data for compliance purposes. Others weren't, and legally shouldn't see that same information. The organization needed granular control over who could see what, when, and why.
This wasn't about building walls between teams. It was about enabling proactive security through precise data segmentation and continuous threat exposure management (CTEM) that worked for their unique operational structure.
Implementing Unified Exposure Management with Granular Controls
We implemented the Forescout connector to pull data from across both gas and electric operations into the Brinqa platform. That gave us a unified foundation to work from. All the exposure data, asset information, security findings, and threat intelligence flowing into one system.
Then came the critical part: customizing visibility based on role, business unit, and certification status. This included implementing cyber risk scoring tailored to each operational domain.
We built granular access controls that ensured gas teams only saw gas-relevant data. Electric teams only saw what mattered to their infrastructure. NERC-certified users got the compliance-specific views they needed. Non-NERC users didn't.
This wasn't just about filtering dashboards. It was about tailoring the entire cyber risk prioritization experience so that when someone logged into Brinqa, they saw their exposure landscape clearly, without the noise of irrelevant findings from systems they didn't own or manage.
The Results: Improved Vulnerability Prioritization and Cyber Resilience
The most immediate impact was workflow efficiency. Teams stopped wasting time sorting through data that didn't apply to them. When a vulnerability appeared in someone's dashboard, they knew it was theirs to address. No second-guessing. No manual filtering. No wondering if they should ignore it because it might belong to the other house.
Compliance improved as well. The organization could confidently show auditors that NERC-related data was being handled properly, with appropriate access controls in place and clear separation between certified and non-certified users. That's the kind of detail that matters when regulators come asking questions.
But perhaps the most significant shift was operational. Both business units could move faster because they were working with clean, relevant data tailored to their specific environments. Remediation teams could focus on what actually mattered to their systems. Security leaders could report on their domain's posture without manually extracting their subset of findings from a larger, noisier dataset. The result was improved cyber resilience across both operational domains.
Why Unified Exposure Management Matters for Complex Organizations
This story isn't unique to utilities. Any organization running multiple business units, operating in different regulatory environments, or managing distinct infrastructure domains faces some version of this challenge when implementing cyber exposure management. The data and tools exist, but without the right structure to organize and deliver that data to the right people, it becomes a burden instead of an asset.
The goal isn't just to ingest everything and hope teams can make sense of it. The goal is to make the data work for the people who need it, in the format they need it, with the context that makes it actionable. That's what effective vulnerability management looks like in practice.
For this utility company, that meant two houses operating independently, each with a clear view of their own exposure landscape, while still benefiting from a unified exposure management platform that scales across both. Clean data, clear ownership, better outcomes.
That's what good cyber risk management delivers.
Managing exposure across multiple business units or operational domains?
We've helped organizations in utilities, healthcare, financial services, and other complex environments build unified exposure management programs that work for their specific structure. Talk to our team about how Brinqa can help you bring clarity to your exposure landscape.
