Many vulnerability risk management (VRM) solutions are limited and fail to provide meaningful metrics about the health of your VRM program. One example is the use of counting metrics such as the number of vulnerabilities identified in your organization. Counting stats have no real value because they lack context: those vulnerabilities could all sit on a single air-gapped system in a basement, protected by sharks with laser beams. Say you have 50,000 high and critical vulnerabilities. Without knowing how many systems they are spread across, you may be in great shape, or you may need to spend the weekend getting caught up on patching. In my upcoming Forrester Wave™ evaluation of the VRM space, I challenged each vendor to demonstrate the ability to provide the following metrics, and you should, too! Ideally, a solution should not only generate these metrics for you but also let you view and organize them by line of business or remediation responsibility, so you can identify the specific areas within your organization that need improvement.
How good are you at patching systems within service-level agreements (SLAs)? This is by far my favorite metric for tracking a VRM capability because it is the truest measure of the health of your VRM program. Start simple and track it for high and critical vulnerabilities across your organization. Large organizations should consider tracking it by region or by organizational responsibility to quickly identify areas that may need attention.
Organizational Risk Rating
If SLA adherence tells you how effective your VRM program is, a risk rating indicates your organization’s exposure to attack. This metric must factor vulnerability severity, network exposure, and asset criticality into a single score that you can report and measure against weekly. PRO TIP: When reviewing solutions that provide this capability, ask how they factor in SLA adherence so you don’t look bad in front of your boss the day after Patch Tuesday.
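To make the three points above concrete (a raw count without asset context, SLA adherence by remediation owner, and a risk rating that does not spike the morning after Patch Tuesday), here is an added worked example. It is not code from the Forrester evaluation or from any VRM vendor; the SLA windows, the severity/exposure/criticality weights, the 25% weight for findings still inside their SLA window, and the sample findings are all assumptions made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Remediation SLA in days per severity. Assumed values, not from the post;
# start with high and critical only, as the post suggests.
SLA_DAYS = {"critical": 15, "high": 30}

# Assumed weights for the risk rating: severity x network exposure x asset criticality.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 1.0}
EXPOSURE_WEIGHT = {"internet": 3.0, "internal": 1.5, "air-gapped": 0.25}
CRITICALITY_WEIGHT = {"crown-jewel": 3.0, "standard": 1.0, "lab": 0.5}

# Weight applied to open findings that are still inside their SLA window (assumption).
IN_SLA_WEIGHT = 0.25


@dataclass(frozen=True)
class Finding:
    asset: str
    unit: str                         # line of business / remediation owner
    severity: str
    exposure: str
    criticality: str
    first_seen: date
    remediated: Optional[date] = None  # None means still open


def sla_deadline(f: Finding) -> Optional[date]:
    days = SLA_DAYS.get(f.severity)
    return None if days is None else f.first_seen + timedelta(days=days)


def is_open(f: Finding, as_of: date) -> bool:
    return f.remediated is None or f.remediated > as_of


def open_counts(findings: Iterable[Finding], as_of: date) -> Tuple[int, int]:
    """The raw counting metric, plus the context it lacks: how many assets carry it."""
    open_findings = [f for f in findings if is_open(f, as_of)]
    return len(open_findings), len({f.asset for f in open_findings})


def sla_adherence(findings: Iterable[Finding], as_of: date) -> Dict[str, float]:
    """Percent of high/critical findings fixed within SLA, per unit.
    Closed findings are met/missed by their close date; open findings past their
    deadline count as misses; open findings still inside the window are not
    scored yet, so a fresh batch of findings cannot drag the number down."""
    met: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for f in findings:
        deadline = sla_deadline(f)
        if deadline is None:
            continue                   # no SLA defined for this severity
        if not is_open(f, as_of):
            total[f.unit] += 1
            if f.remediated <= deadline:
                met[f.unit] += 1
        elif as_of > deadline:
            total[f.unit] += 1         # open and overdue: a miss
    return {u: round(100.0 * met[u] / total[u], 1) for u in total}


def risk_rating(findings: Iterable[Finding], as_of: date, sla_grace: bool = True) -> Dict[str, float]:
    """Weighted score over open findings, per unit plus an overall figure.
    With sla_grace=True, open findings still inside their SLA window are
    down-weighted, so the score reflects what is overdue rather than what
    landed yesterday."""
    score: Dict[str, float] = defaultdict(float)
    for f in findings:
        if not is_open(f, as_of):
            continue
        w = SEVERITY_WEIGHT[f.severity] * EXPOSURE_WEIGHT[f.exposure] * CRITICALITY_WEIGHT[f.criticality]
        deadline = sla_deadline(f)
        if sla_grace and deadline is not None and as_of <= deadline:
            w *= IN_SLA_WEIGHT
        score[f.unit] += w
    result = dict(score)
    result["overall"] = sum(score.values())
    return result


# Constructed sample findings (not real data) and a report date.
AS_OF = date(2019, 9, 30)
FINDINGS = [
    Finding("web-01", "retail", "critical", "internet", "crown-jewel", date(2019, 8, 1), date(2019, 8, 10)),
    Finding("web-02", "retail", "high", "internet", "standard", date(2019, 8, 1), date(2019, 9, 15)),
    Finding("db-01", "retail", "critical", "internal", "crown-jewel", date(2019, 9, 1)),
    Finding("web-02", "retail", "high", "internet", "standard", date(2019, 9, 1), date(2019, 9, 20)),
    Finding("lab-03", "research", "high", "air-gapped", "lab", date(2019, 8, 1), date(2019, 8, 20)),
    Finding("lab-07", "research", "critical", "air-gapped", "lab", date(2019, 9, 20)),
    Finding("hr-01", "corporate", "high", "internal", "standard", date(2019, 9, 25)),
    Finding("hr-01", "corporate", "medium", "internal", "standard", date(2019, 7, 1)),
]

if __name__ == "__main__":
    print("open findings / assets:", open_counts(FINDINGS, AS_OF))
    print("SLA adherence %:", sla_adherence(FINDINGS, AS_OF))
    print("risk rating (SLA grace):", risk_rating(FINDINGS, AS_OF))
    print("risk rating (no grace):", risk_rating(FINDINGS, AS_OF, sla_grace=False))
```

With the sample data, retail sits at 50% SLA adherence while research is at 100%, which is the per-owner view the post asks for. The air-gapped lab box carries a critical finding but contributes almost nothing to the rating, and the two corporate findings that are still inside their SLA window count at a quarter weight, so the overall score moves on what is overdue rather than on how many findings the scanner reported this week.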
The No. 1 inquiry I get from clients regarding vulnerability risk management pertains to peer performance. One benefit of cloud VRM solutions is that these vendors can run analysis against your peers and report how you measure up. This is frequently reported in conjunction with your organizational risk rating, following the same logic that you don’t have to outrun Fancy Bear, just your peers. Beyond helping you potentially make a case for more investment into the program, it can also help you show that your program follows best practices. This last piece is critical because, if your organization gets compromised, you’re going to need to show that your program meets industry standards. If your current VRM solution does not offer this capability, demand it. In the meantime, consider the value of joining an industry Information Sharing and Analysis Organization (ISAO) to build relationships with your peers and help facilitate these discussions.
See our upcoming October reports “The Forrester Wave™: Vulnerability Risk Management, Q4 2019” and “Maximize The Benefit Of Cybersecurity Information Sharing Organizations.”