Must-Have Metrics for Vulnerability Management: Part 3

Ed Bellis    March 30, 2016

This is part 3 of a 3-part series on Must-Haves for Vulnerability Management. Read Part 1 here and Part 2 here.

Must Have #4: Know Your Resources

Once you have a good handle on your business, your assets, and what security risks are currently affecting your environment, you’ll need to understand your resources. What do you have at your disposal to eliminate risks going forward—including people, money, time or a combination thereof?

If you have identified what resources you have at your disposal, you can set reasonable or stretch goals to eliminate security risk targeting the environments and processes that matter most. You, of course, could turn this approach on its head and use the first 3 “must haves” to identify and budget the appropriate resources to manage risk down to an acceptable level for your business.

What areas are most crucial for risk reduction within your business? What security risks are you carrying within those areas? What types and how many resources do you need to remove risk?

“Risk” here should be thought of as uncertainty, specifically within a security context. By knowing your resources and targeting the greatest “bang for your buck” risks, you’ll be able to reduce risk in a very efficient manner.

Some useful metrics here include:

  1. Budget spent on security remediation
  2. Risk carried above tolerance level
  3. Hours per security solution

Keep in mind: When you’re tracking your progress in reducing risk, it’s important not to fall into the trap of simply counting vulnerabilities. While the number of closed vulnerabilities is a metric that all teams will want to keep tracking, what matters more is the ability to reduce overall risk, and how to do that effectively with the resources at hand. It is even possible that, as the most critical vulnerabilities are closed (a relatively small number of them), the trend line of overall vulnerabilities rises while the risk line goes down.

Must Have #5: Know Your Direction

You’re now in a state where you understand where your assets are, how to discover new assets as they pop up, what risk these assets carry based on your business and your security weaknesses, and what resources you have at your disposal to reduce that risk in an efficient manner.

It’s now time to continuously measure these metrics to understand your direction and set meaningful goals to reduce risk over time while continuing to support business objectives. As baselines are established, you can then work with the organization to target the areas of risk that are not within an acceptable range.

With knowledge of the resources you have at your disposal, you can quantitatively demonstrate what a reasonable risk reduction goal could be or make a case for additional resources based on your organization’s risk tolerance.

Some useful metrics here include:

  1. Risk reduction by asset group over time
  2. Risk goal by asset group
  3. Cumulative risk accepted over time

And finally, it should be possible to preview how much your risk will be adjusted by any activity. This ensures that you are fixing the most critical issues first and spending your resources wisely.
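The two points above (a vulnerability count that rises while risk falls, and previewing the risk change of a remediation before spending resources on it) are easier to see with numbers. The following is an added example, not code from the original post; it assumes a hypothetical risk score of severity multiplied by asset criticality and constructed sample findings and tolerance levels, since the post names no specific scoring formula.

```python
from dataclasses import dataclass

# Constructed, hypothetical risk model for illustration: the post names no
# scoring formula, so risk per finding is assumed to be severity * criticality.
@dataclass(eq=False)
class Finding:
    asset_group: str
    criticality: int  # business criticality of the asset, 1..5 (assumed scale)
    severity: int     # finding severity, 1..10 (assumed scale)
    closed: bool = False

    @property
    def risk(self) -> int:
        return self.severity * self.criticality

def open_findings(findings):
    return [f for f in findings if not f.closed]

def total_risk(findings):
    return sum(f.risk for f in open_findings(findings))

def risk_by_group(findings):
    """Risk carried per asset group: sum of the open findings' risk."""
    totals = {}
    for f in open_findings(findings):
        totals[f.asset_group] = totals.get(f.asset_group, 0) + f.risk
    return totals

def risk_above_tolerance(findings, tolerance):
    """Risk carried above each asset group's tolerance level (0 when within it)."""
    return {g: max(0, r - tolerance.get(g, 0)) for g, r in risk_by_group(findings).items()}

def preview_remediation(findings, to_close):
    """Risk removed by closing `to_close`, computed before any work is spent."""
    return sum(f.risk for f in open_findings(findings) if f in to_close)

def sample_findings():
    """Constructed sample: a payments environment (critical) and a test lab (low value)."""
    return [Finding("payments", 5, 9), Finding("payments", 5, 8), Finding("payments", 5, 2),
            Finding("lab", 1, 9), Finding("lab", 1, 3)]

TOLERANCE = {"payments": 20, "lab": 15}  # assumed per-group tolerance levels

def simulate_quarter():
    """Close the two riskiest findings, then log six new low-severity lab findings;
    returns ((open count, risk) before, (open count, risk) after)."""
    findings = sample_findings()
    before = (len(open_findings(findings)), total_risk(findings))
    worst = sorted(open_findings(findings), key=lambda f: f.risk, reverse=True)[:2]
    for f in worst:
        f.closed = True
    findings += [Finding("lab", 1, 2) for _ in range(6)]
    after = (len(open_findings(findings)), total_risk(findings))
    return before, after  # open count rises 5 -> 9 while risk falls 107 -> 34
```

Tracked by count alone the quarter looks like a regression; tracked by risk carried (and risk above tolerance per group) it is a clear improvement, which is the distinction the post is drawing.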

Summin’ Up…

Vulnerability management is a function that needs to be driven by the right metrics, with the goal of identifying and reducing the organization’s overall exposure to risk. Having the appropriate set of numbers, metrics, and measurements will facilitate that process.

The ultimate objective is to have an accurate overall picture of risk: your overall asset counts, the threats particular to the business, the resources you have available, and the trend line of your overall risk. In doing so, vulnerability management becomes as clear and precise as possible in an environment where the threats themselves are murky, ever-changing, and increasingly difficult to identify.
