Value of Using Trending Metrics in Vulnerability Management
My work as Senior Product Designer here at NopSec has given me a unique view of the industry landscape, as I have the opportunity to speak to all our clients and industry experts about their biggest challenges growing and maturing vulnerability management processes. Almost everyone of them has said that communicating the effectiveness of vulnerability management is their most important and hardest responsibility.
NopSec centralizes vulnerability data, prioritizes it and helps organizations understand their true risk health. Along with that we are working on an initiative that will also help communicate it to C-Suites and counterparts. We are looking to help you answer the question that I keep hearing from all our clients: “Are we going up or down?”
Trending Metrics vs Static Reports
We are all familiar with tracking the progress of vulnerability management via compliance reports. A few times a year you run a scan, create a report of current vulnerabilities and maybe compare that back to the last scan. I have seen some impressive summaries, spreadsheets and reports that come out of that process and they do a good job of reporting on current risk health. However, they simply aren’t telling the whole vulnerability management story. And most importantly, they can’t answer the question: “Are we going up or down?”
Static reports on the current state of an organization’s vulnerabilities simply aren’t going to demonstrate the core value of the vulnerability management or the improvements that they have implemented. Only a historical, before and after will tell that story. In other words: trending metrics.
Using Trends: Are we going up or down?
Using trends metrics that include historical data is the easiest and simplest and most engaging way to demonstrate the value that the vulnerability management team is bringing to the organization. Every one can understand a trend line going up or down in only a few seconds.
Using trend metrics will also help you, your C-Suite and your IT team make data-driven decisions in real time and with confidence. Having confidence in your decision making becomes much easier when you have a few real-time trend lines for reference.
Lastly, trending metrics is incredibly effective at illustrating both the working processes and the broken processes in the organization. As your vulnerability management process grows and matures it will be very simple to see how it has improved the overall risk health and also, find the gaps that still need to be filled.
When clients talk to me about the challenges of answering this “Are we going up or down?” question to their counterparts, I always have to ask a follow up question: “up or down of what exactly?” Before you can truly answer those questions you need to understand a few best practices that will set you up for success:
Set Smart Goals: A successful vulnerability management program starts with clear goals related to business objectives, agreed upon by all stakeholders. These goals will vary from organization to organization so be sure to collaborate with departments, such as IT, who will be instrumental in helping you protect the assets. From there, you can start establishing baseline metrics to measure improvement.
Focus on the right metrics: Using agreed upon baseline metrics will allow you to easily demonstrate the progress that a well executed vulnerability management process can bring to securing any organization.
Emphasize the Focus on Impact, Not Count: Vulnerability management has been historically treated as a numbers game, tracking progress by counting the number of closed vulnerabilities. However, the real life vulnerability process is more complicated than just a count of vulnerabilities. Rather, it should be emphasized that the VM team is focusing on the most critical vulnerabilities that affect the most crucial assets, and will have the greatest impact on the business if exposed.
Communicating an organization’s true progress is one of the most vital roles for the vulnerability management leaders and I’m glad that we were able to share what we have learned from our clients with the security industry. NopSec is working to make the question: “Are we going up or down” much easier and I will be happy to share more about our upcoming launch of trending metrics soon. In the meantime, you can read more from our white paper here, Watch our on demand webinar here or sign up to be part of our Trending Metrics Beta Testing Program by emailing us directly at firstname.lastname@example.org.