As previously described, your digital footprint is a collection of assets either inside your own zone of control (i.e. developed and hosted within your company) or outside of it (i.e. developed and/or hosted outside your company). Managing the risks and exposure of a controlled asset is completely different from managing those of an uncontrolled one.
A tried and true formula for measuring the risk and exposure of your assets is to run vulnerability scans, security assessments, configuration reviews, and other manual (or semi-automated) activities that delve quite deep and provide you with an elaborate, technical view of your asset's risks. While these activities provide you with a wealth of information, they come with a couple of drawbacks:
Counteracting the drawbacks enumerated above isn't as easy as it sounds. Ideally you set up a cost-efficient, highly automated, low-impact assessment system that is capable of generating an objective metric representing your risk exposure, yet at the same time lets you delve into the technical details. Think of it this way: with a low-cost, highly automated system running every week or so, you get a full overview of your scope and an initial risk metric to help you decide where to spend your costly penetration test resources.
Furthermore, the assessment you set up should provide you with this metric for controlled as well as uncontrolled assets (i.e. those linked to your company yet owned by a supplier or third party). You then have the right tool to open that discussion about potential external risks not only with your internal IT (Security & Risk) department but also with your third parties. It's not uncommon for these discussions to lead to manual security assessments or penetration tests of your uncontrolled assets, or to onboarding your suppliers into a more controlled vendor due diligence process that opens a two-way communication channel through which you can regularly send underperforming vendors self-assessment questionnaires, a topic I'd like to delve deeper into next week.
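As an added illustration of the kind of lightweight, automated metric described above (this is example code written for this page, not code from the original post or any product it refers to): a small Python script that aggregates scan findings per asset into one risk score, separates controlled from uncontrolled assets, ranks them to show where manual testing budget should go, and keeps the per-finding technical detail available for drill-down. The severity weights, the staleness multiplier, the pentest threshold and every asset name and finding in it are assumptions constructed for the example.

```python
"""Toy risk-metric aggregation over a digital-footprint inventory.

Added example, not code from the original post. Severity weights, the
staleness rule, the pentest threshold and every asset/finding below are
constructed assumptions, not values from the article.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed weights per finding severity; "info" carries no risk.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0, "info": 0.0}


@dataclass
class Finding:
    check: str       # scanner check that fired
    severity: str    # key of SEVERITY_WEIGHT
    detail: str      # technical detail kept for drill-down


@dataclass
class Asset:
    name: str
    controlled: bool          # True: developed and hosted inside the company
    owner: str                # internal team or third-party supplier
    last_scanned: date
    findings: list = field(default_factory=list)


def asset_score(asset, today, max_age_days=14, stale_multiplier=1.25):
    """Sum the severity weights; inflate the score when the last scan is
    older than max_age_days (an asset not looked at recently is a bigger
    unknown), then cap at 100."""
    raw = sum(SEVERITY_WEIGHT.get(f.severity, 0.0) for f in asset.findings)
    if (today - asset.last_scanned).days > max_age_days:
        raw *= stale_multiplier
    return min(100.0, raw)


def rank_assets(assets, today):
    """Highest risk first: the list that decides where pentest budget goes."""
    return sorted(((a.name, asset_score(a, today)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


def zone_summary(assets, today):
    """Aggregate per zone of control, so the uncontrolled side can be taken
    into the supplier discussion as a single number plus a list of owners."""
    summary = {}
    for a in assets:
        zone = "controlled" if a.controlled else "uncontrolled"
        entry = summary.setdefault(zone, {"assets": 0, "total": 0.0, "owners": set()})
        entry["assets"] += 1
        entry["total"] += asset_score(a, today)
        entry["owners"].add(a.owner)
    return summary


def drill_down(asset):
    """Technical detail behind the metric, most severe finding first."""
    order = list(SEVERITY_WEIGHT)  # dict insertion order: critical ... info
    return [(f.severity, f.check, f.detail)
            for f in sorted(asset.findings, key=lambda f: order.index(f.severity))]


def pentest_candidates(assets, today, threshold=10.0):
    """Assets whose automated score justifies spending manual test effort."""
    return [name for name, score in rank_assets(assets, today) if score >= threshold]


# Constructed sample inventory (hostnames, owners and findings are made up).
REPORT_DATE = date(2024, 5, 10)
SAMPLE_ASSETS = [
    Asset("www.example.com", True, "web team", date(2024, 5, 1), [
        Finding("tls-legacy-protocol", "high", "TLS 1.0 still negotiable"),
        Finding("missing-hsts", "medium", "Strict-Transport-Security header absent"),
    ]),
    Asset("careers.example.com", False, "Acme Recruiting (supplier)", date(2024, 4, 1), [
        Finding("outdated-cms", "critical", "CMS version with known public advisories"),
        Finding("dir-listing", "low", "directory listing enabled on /static/"),
    ]),
    Asset("intranet.example.com", True, "infra team", date(2024, 5, 8)),
]

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS, REPORT_DATE):
        print(f"{name:25} {score:6.2f}")
    for zone, entry in zone_summary(SAMPLE_ASSETS, REPORT_DATE).items():
        print(zone, entry["assets"], "assets, total", entry["total"],
              "owners:", sorted(entry["owners"]))
    print("pentest candidates:", pentest_candidates(SAMPLE_ASSETS, REPORT_DATE))
```

With the constructed inventory the supplier-owned careers site outranks the in-house web server despite having fewer findings, partly because its last scan is over a month old; that is the behaviour you want from a weekly metric, since an asset you have not measured recently should not quietly look safe.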