Defensible Tech TeamDecember 20
Every business needs a vulnerability management program. Such a program provides crucial information for organizations to understand and manage their cybersecurity, including the systems and services on the network and the known security issues in those systems and services. A vulnerability management program gives you the information and tools necessary to assess your security posture and your level of risk.
But, collecting that data is only the beginning. Every business also needs vulnerability management metrics in order to understand their data.
As Peter Drucker once said: “what gets measured, gets managed.” Security controls are important, but implementing them cannot stop at marking them on a checklist. Your business needs to gather and monitor metrics about how well those security controls are actually working.
Many businesses are not using or expanding cybersecurity metrics enough. Companies of all sizes often do not adopt new metrics as part of expanding or strengthening their cybersecurity programs. According to a 2021 CompTIA report, most companies are not planning to use new metrics as part of their plan to improve their program: only 37% of large firms, 31% of mid-sized companies, and 26% of small businesses have it on their roadmap. However, metrics are crucial; they are what tell you how your vulnerability management program is working, show you where you can improve, and help you build business cases for security investment.
Deciding which metrics to use requires thought and care; not just any numbers will do. For example, many companies track things like numbers of patches applied or number of vulnerabilities found, but those kinds of numbers can be misleading because they fail to take into account broader factors like growth or changes in the environment. Good metrics are useful and trackable measures that shed light on how your security program is actually working, from both a security perspective and a business perspective. Good metrics also connect with your security priorities and your threat model, giving you valuable insight into how to better equip yourself to improve your posture.
The right metrics can help you see your security posture and know the way forward to improve it. Here are five vulnerability management metrics that every business should incorporate.
Knowing how long it takes your security team to detect a vulnerability is crucial for determining how well your team works. Mean time to detect shows, on average, the time that has elapsed from finding out that a vulnerability exists to identifying the instances of that vulnerability in the environment. Knowing and minimizing this time is particularly important when critical-severity vulnerabilities that are actively being exploited in the wild are identified.
From a security perspective, a lower mean time to detect vulnerabilities suggests a more streamlined vulnerability detection capability and allows the team to go more quickly to remediation. This matters from a business perspective not only because of the decreased risk of repercussions from compromise, but also in the sense of measuring the efficiency of those IT functions in the environment.
Detection is only the beginning: it is also crucial to know how long it takes, on average, from discovering security vulnerabilities in the environment to when they are remediated. Like mean time to detect vulnerabilities, mean time to remediate vulnerabilities is important to track and minimize, especially in light of exploitable vulnerabilities in the environment.
Businesses should monitor mean time to remediate from a security perspective because the less time a vulnerability is present in the environment, the less time there is for it to be exploited. In business terms, as with mean time to detect vulnerabilities, this metric helps track both the time during which the business is more vulnerable to compromise, as well as in terms of efficiency.
When running a vulnerability management program, you have to know how much of the environment is actually subject to its processes: scanning, tracking, and remediation. Instead of doing it as a raw percentage of the environment — percentage of the systems or size of the IP space for devices, or number of applications for web applications — overall vulnerability management coverage should also be tracked in light of data classification, with systems and applications with access to higher-sensitivity data prioritized for coverage, and metrics designed to track coverage based on data classification levels.
Tracking vulnerability management program coverage helps make sure that as many issues are being identified as possible, and also helps prioritize expansions of vulnerability management coverage to more critical applications and environments. In business terms, this decreases the risk of repercussions of compromise, including financial loss, intellectual property loss, and lost trust.
A list of vulnerabilities that exist in the environment is a start, but it does not provide a full, meaningful picture of your level of risk. Monitoring the weighted rate of risk takes you one step further by summarizing the identified issues in the environment and weighing them based on the level of risk and the criticality of data connected to those issues. Adding in those factors of actual risk makes for a meaningful metric to help you prioritize your security initiatives.
From a security perspective, this helps the team identify hot spots to prioritize remediation, as well as track the success of vulnerability management and remediation over time. In business terms, giving the security team what it needs to focus its remediation efforts on means they can more efficiently target the issues most likely to lead to financial and reputational losses and make the most of a limited security budget.
Vulnerability management is important, but how do you know whether the things you detect and fix at one point in time continue to be addressed effectively in the future? Tracking the rate of issue recurrence lets you know how often issues that have been addressed return in certain logical units or environments. This concept applies to both web applications, considering individual applications or codebases, as well as network issues.
Tracking issue recurrence in logical units over time, from a security perspective, helps teams identify faults in their processes and improve the long-term success of their processes. From a business perspective, tracking the rate of issue recurrence is a staffing and financial matter: avoiding repeated issues and increasing the efficiency of security and IT teams saves money and streamlines staffing needs.
These five metrics can help your business build a strong security foundation. Collecting vulnerability management data matters, but it is only the beginning. Tracking these metrics will help bring your information security program into clearer focus and allow you to understand how your risk changes over time. Then, as your security program evolves, you can begin to refine your existing metrics and expand what you use as a part of your regular monitoring procedures.
As you build your vulnerability management program, Defensible can help your business understand and minimize the risk to your confidential information, intellectual property, and trade secrets. To learn more, contact us today.