Measuring the Performance of Vulnerability Management: Which Metrics Matter, Which Don’t?
A Vulnerability Management (VM) program is more than a box ticked on the compliance checklist; it is central to any holistic security strategy. Organizations may believe their VM programs are strong, but are they effective against an increasingly complex and sophisticated threat landscape? This is where vulnerability management KPIs and metrics play a critical role.
KPIs and metrics for vulnerability management quantify the risk that vulnerabilities pose and measure the health of the VM program. If an organization or CISO chooses the wrong or redundant metrics, they will not get an accurate picture, and their security strategy will suffer as a result.
Read on as we delve into the VM metrics that matter most.
Vulnerability Management KPIs that Matter
1. Time to Detect
This vulnerability management KPI measures the average time between the introduction of a vulnerability and its detection across the organization. For instance, a vulnerability is introduced into an application during an update in the previous month, but the organization detects it only after an attack that happened last week.
The CISO and the IT security team should work continuously to bring detection time down to days, and ideally to minutes and seconds. Regular pen-tests and security audits, alongside automated scanning tools, are also recommended for better results.
2. Time to Resolve/Mitigate Vulnerabilities
This KPI shows the average time the IT security team takes to resolve a vulnerability and mitigate attacks against it. The longer this takes, the more the risk intensifies and the more room attackers have to strike.
This metric looks at the following:
- The mean time to resolve/mitigate
- The percentage of users impacted by a breach/incident
- Whether the mean time meets the organization's target, based on its risk appetite
- How soon the IT security team resolves the issue
3. Average Window of Exposure
This vulnerability management metric sheds light on the average gap between the public disclosure of a vulnerability and the point at which all affected systems/applications/networks have been patched. The larger this window, the higher the risk.
4. Number of Open High/Critical Vulnerabilities
This vulnerability management KPI tells you how many high and critical vulnerabilities remain unpatched, and for how long. Ignoring this metric could result in massive damage.
5. Average Time to Turnaround Patches
Highlighting the effectiveness of your patch management processes, this KPI tells you the average time taken to patch unknown/undetected vulnerabilities.
6. Number of Exceptions Granted
Organizations often choose to exempt some vulnerabilities from scanning and/or remediation for various reasons. However, these exceptions need to be tracked, both for auditing purposes and so that action can be taken as the risk posture changes.
7. Comprehensiveness of Scan Coverage
- What assets, applications, systems, third-party services, etc. get included in the scanning process for vulnerability identification?
- Are the business-critical assets and applications included?
- What types of scanning are conducted?
This metric answers questions such as these. The more of your inventory you cover, the greater the control your security program exercises.
8. Vulnerability Re-Open Rate
This KPI tells you whether your vulnerability remediation and patch management processes are effective. If resolved vulnerabilities frequently re-open, your remediation process is deeply flawed.
9. Average Risk Per Asset Group/Business Unit
This vulnerability management KPI helps you understand the risk faced by each asset group/business unit and thus re-focus your priorities within the VM program.
VM Metrics that You Can Ignore
1. The Number of Vulnerabilities
This vulnerability management KPI says nothing about the severity, priority, exploitability, impact, or risk associated with the vulnerabilities. So if a CISO tells the board that the team found 10,000 vulnerabilities and remediated them all, the board may be unwilling to allocate more funds. If, however, you tell them that you found a single vulnerability that could cripple the business completely, they may see the business case.
2. The Number of Scans, Attacks, Patches Applied, etc.
These metrics may matter from a technical standpoint, but as such they add no value to improving the VM program. Worse, they may give business stakeholders a false sense of security.
3. Average CVSS Scores
This standardized VM metric reflects neither the specifics of the individual vulnerabilities nor the organization's risk posture.
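To make the two lists above concrete, the following added example (not from the original article or any vendor tool) computes the KPIs that matter from a constructed set of four scanner findings, and alongside them the raw finding count and average CVSS that the article says to ignore. The `Finding` schema, the business units and all dates are assumptions made up for the example; note how the excepted legacy finding drops out of the exposure and open-critical figures yet still dominates the per-unit risk, which is why exceptions must be tracked.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:  # one scanner finding; constructed schema, not a real tool's export format
    asset: str
    unit: str                 # owning business unit / asset group
    severity: str             # critical / high / medium / low
    cvss: float
    introduced: date          # when the weak component entered the estate
    disclosed: date           # public disclosure of the underlying issue
    detected: date
    remediated: Optional[date] = None
    reopened: bool = False    # the fix regressed and the finding came back
    exception: bool = False   # excluded from remediation under a documented exception

def vm_kpis(findings: list, today: date) -> dict:
    """KPIs the article lists as the ones that matter; open items count as exposed up to 'today'."""
    resolved = [f for f in findings if f.remediated]
    in_scope = [f for f in findings if not f.exception]       # exceptions are tracked, not measured
    still_open = [f for f in findings if not f.remediated]    # excepted items are still present risk
    by_unit: dict = {}
    for f in still_open:
        by_unit.setdefault(f.unit, []).append(f.cvss)
    return {
        "mean_time_to_detect_days": mean((f.detected - f.introduced).days for f in findings),
        "mean_time_to_resolve_days": mean((f.remediated - f.detected).days for f in resolved),
        "mean_window_of_exposure_days": mean(((f.remediated or today) - f.disclosed).days for f in in_scope),
        "open_high_critical": sum(1 for f in in_scope if not f.remediated and f.severity in ("critical", "high")),
        "exceptions_granted": sum(1 for f in findings if f.exception),
        "reopen_rate": sum(1 for f in findings if f.reopened) / len(findings),
        "avg_open_cvss_by_unit": {u: round(mean(v), 2) for u, v in by_unit.items()},
        # the two numbers the article says to ignore, kept only for contrast
        "vanity_total_findings": len(findings),
        "vanity_mean_cvss": round(mean(f.cvss for f in findings), 3),
    }

# Constructed sample: four findings across two business units.
SAMPLE = [
    Finding("web-01", "Payments", "critical", 9.8, date(2023, 3, 1), date(2023, 3, 15), date(2023, 4, 1), date(2023, 4, 11)),
    Finding("web-02", "Payments", "high", 7.5, date(2023, 4, 10), date(2023, 4, 10), date(2023, 5, 1)),
    Finding("hr-app", "HR", "medium", 5.3, date(2023, 1, 15), date(2023, 2, 1), date(2023, 2, 10), date(2023, 3, 1), reopened=True),
    Finding("legacy-db", "HR", "high", 8.1, date(2022, 11, 1), date(2022, 12, 1), date(2023, 1, 5), exception=True),
]

def sample_kpis() -> dict:
    return vm_kpis(SAMPLE, date(2023, 6, 30))  # 'today' fixed so the numbers are reproducible
```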
The Way Forward
Security is a shared business responsibility, not just the CISO's prerogative. Rather than simply reciting technical jargon and numbers, vulnerability management KPIs and reporting must tell top management how vulnerabilities affect the business and its everyday operations.
With a trusted security partner like Indusface, you can design a robust VM program and effectively track the right KPIs and metrics for vulnerability management.