Vulnerability management metrics: How to measure success

Without the right metrics, vulnerability management is pretty pointless. If you’re not measuring, how do you know it’s working? So how do you know what to focus on? The list is potentially endless, and it can be hard to know what’s really important.

In this article, we’ll help you identify the key metrics that you need to track the state of your vulnerability management program and create audit-ready reports that:

• Prove your security posture
• Meet vulnerability remediation SLAs and benchmarks
• Help pass audits and compliance
• Demonstrate ROI on security tools
• Simplify risk analysis
• Prioritize resource allocation

Why vulnerability management needs metrics

Measuring how quickly you find, prioritize and fix flaws allows you to continuously monitor and optimize your security. With the right metrics you can determine which issues are critical, prioritize what to fix first, and measure your performance. Ultimately, the right metrics allow you to make properly informed decisions.

Intelligent prioritization

Without prioritization and advisories, where do you start? Prioritizing and fixing your most critical vulnerabilities are more important than simply finding every vulnerability.

Intelligent prioritization and filtering out noise are important because overlooking genuine security threats is too easy when you’re being overwhelmed by non-essential information. Intelligent results make your job easier by prioritizing issues that have real impact on your security, without burdening you with irrelevant findings.

Prioritizing issues that leave your internet-facing systems exposed minimizes your attack surface. Intruder makes vulnerability management easy by explaining the risks and providing actionable remediation advice.

Time to fix

You want to be able to fix issues as soon as possible. Especially as the average time between an attacker discovering and exploiting a vulnerability is just 12 days. Intruder interprets the output from various scanners and prioritizes results according to context, saving you time to focus on what really matters. How long it takes to fix issues is down to you, and this gives you a current snapshot of your ‘cyber hygiene’ – the scan coverage, the time taken to fix issues over a period of six months, and the average time to fix issues overall.

3 top metrics for every vulnerability management program

Scan coverage

What are you tracking and scanning? Scan coverage includes all the assets you’re covering and analytics of all business-critical assets and applications, and the type of authentication offered (e.g., username- and password-based, or unauthenticated).

Average time to fix

The time it takes your team to fix your critical vulnerabilities shows how responsive your team is when reacting to the results of any reported vulnerabilities. This should be consistently low since the security team is accountable for resolving issues and delivering the message and action plans for remediation to management.

Risk score

The severity of each issue is automatically calculated by your scanner, usually Critical, High or Medium. If you decide not to patch a specific or group of vulnerabilities within a specified time period, this is an acceptance of risk. With Intruder you can snooze an issue if you’re willing to accept the risk and there are mitigating factors.

What metrics do you need to show management?

What metrics you want to report depends on who you’re reporting to. If it’s the CTO or senior management, they will just want to know the business is protected and they’re getting ROI. For example, have there been any new critical issues, how quickly were they fixed, and how many are still open (and why).

Make sure everything is covered

Are you capturing everything from every asset in your IT environment? Modern scanners like Intruder provide automated, audit-ready reports, but it’s important to know where all your digital assets are to avoid blind spots, unpatched systems and inaccurate reporting – which is why asset discovery is integral to successful vulnerability management. By making sure all your digital estate is covered, you can validate what to prioritize in your remediation plans of your most critical systems.

Where are vulnerability management metrics heading?

Average (or mean) time to detect

This is the point from a vulnerability going public, to us having scanned all targets and detecting the vulnerability. Essentially, how quickly are you detecting vulnerabilities across your attack surface to reduce the window of opportunity for an attacker.

Attack surface visibility

Very few people are lucky enough to manage and see 100% of their attack surface. So that’s where attack surface discovery comes in. You’ll have a total number of assets that you know are exposed or that you’ve found, but how many of those are covered by the vulnerability management program? What you want to see is the percentage of assets that are protected by your vulnerability management program across your attack surface, discovered or undiscovered.

Mean time to inform

Prioritization – or intelligent results – is increasingly important to measure and help you decide what to fix first, because of their impact on the business.

Looking to the future: Time to fix 0

You want the right people – the people who will actually be fixing issues – to get the information they need as quickly as possible. This means including features like role-based access control (RBAC) which can reduce the time to fix from hours or days down to a matter of minutes.

Intruder’s analytics page

Intruder measures what matters most. It provides audit-ready reports for stakeholders and compliance auditors with vulnerabilities prioritized and integrations with your issue tracking tools. See what’s vulnerable and get the exact priorities, remedies, insights, and automation you need to manage your cyber risk.

Intruder offers a 14-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!