Benjamin Franklin famously said, “An ounce of prevention is worth a pound of cure.” Unfortunately, no amount spent on prevention can guarantee 100% protection. Successful CISOs must make pragmatic decisions that balance risk and budget. To do this, it is critical to establish and trust the right metrics. This is challenging, to say the least, in today’s complex and dynamic cloud-era IT environments.
Total Vulnerabilities Can Be a Misleading Security Metric
It’s tempting to focus on total vulnerabilities. It’s an easy metric to count. If your scanner told you that last month you had 100 vulnerabilities and now you have 1000, you might conclude that your security program is faltering. Don’t be fooled – you might have just expanded your scan across more resources. This metric alone is rarely an effective indicator of your current security posture or security program effectiveness.
Total vulnerability counts don’t provide any context and don’t take into account the criticality of each vulnerability. If you prioritize remediation of low-severity vulnerabilities ahead of critical ones, you are in for devastating results. It is best to prioritize remediation based on the level of risk combined with the potential impact to the business should the vulnerability be exploited.
Additionally, a focus on total vulnerability counts could impact morale and even encourage bad behavior. We’ve heard a few horror stories at Tenable from people who gave up doing richer credentialed scans because they were finding too many vulnerabilities. Sure, non-credentialed scans have a purpose, and vulnerability counts will certainly be lower, but if you use only non-credentialed scans you will fail to protect your organization.
Two Security Metrics That You Can Bank On
So what should you look at if total vulnerability count isn’t a viable metric? You need to know how much of your environment is being scanned and how quickly vulnerabilities are being remediated. Together these give visibility into both the overall security program effectiveness and the patch process efficiency. These two useful metrics will drive action across the organization:
1. Average patch rate - How long does it take, on average, to completely deploy application or operating system updates to a business system (by business unit)?
2. Scan coverage - What percentage of the organization's business systems have not been scanned recently? While it’s great to know that you have, say, 1000 vulnerabilities on scanned assets, if you’re only scanning 20% of your assets, you’re still missing quite a bit of information.
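The two metrics above, computed over a constructed asset inventory and findings list, as an added Python example that is not from the original post or from any Tenable product. It assumes each finding carries a detection date and a remediation date (None while open), approximates "average patch rate" as mean days from detection to remediation per business unit, and adds an open-findings-by-severity count to supply the context a raw total lacks.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (hypothetical): asset id, business unit, last scan date.
TODAY = date(2024, 6, 30)
ASSETS = [
    ("web-01", "Retail", date(2024, 6, 25)),
    ("web-02", "Retail", date(2024, 5, 1)),    # last scanned two months ago
    ("db-01", "Finance", date(2024, 6, 28)),
    ("db-02", "Finance", None),                 # never scanned
    ("hr-01", "HR", date(2024, 6, 29)),
]

# Constructed findings (hypothetical): asset id, severity, detected, remediated (None = open).
FINDINGS = [
    ("web-01", "critical", date(2024, 6, 1), date(2024, 6, 5)),
    ("web-01", "low", date(2024, 6, 1), date(2024, 6, 3)),
    ("web-02", "critical", date(2024, 5, 1), date(2024, 5, 25)),
    ("db-01", "high", date(2024, 6, 10), date(2024, 6, 20)),
    ("db-01", "critical", date(2024, 6, 20), None),
    ("hr-01", "medium", date(2024, 6, 1), date(2024, 6, 8)),
]

def scan_coverage_gap(assets, today=TODAY, max_age_days=30):
    """Percent of assets with no scan in the last max_age_days (never scanned counts as stale)."""
    stale = [a for a in assets if a[2] is None or (today - a[2]).days > max_age_days]
    return round(100.0 * len(stale) / len(assets), 1)

def average_patch_rate(findings, assets):
    """Mean days from detection to remediation, per business unit, over closed findings only."""
    unit_of = {asset_id: unit for asset_id, unit, _ in assets}
    totals = defaultdict(lambda: [0, 0])  # unit -> [sum of days, number of closed findings]
    for asset_id, _severity, detected, fixed in findings:
        if fixed is None:
            continue  # an open finding has no patch time yet; it is counted in open_by_severity
        entry = totals[unit_of[asset_id]]
        entry[0] += (fixed - detected).days
        entry[1] += 1
    return {unit: days / count for unit, (days, count) in totals.items()}

def open_by_severity(findings):
    """Count still-open findings per severity, the context a raw total lacks."""
    counts = defaultdict(int)
    for _asset, severity, _detected, fixed in findings:
        if fixed is None:
            counts[severity] += 1
    return dict(counts)
```

Widening the scan window (for example `max_age_days=90`) changes the reported gap, so the window is part of the metric's definition and should be fixed when reporting to leadership.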
Security is a Journey, Not a Destination
Every CISO should start with these two core metrics—average patch rate and scan coverage—to best ensure security effectiveness and to minimize attack surfaces. These same two metrics can be used to communicate risk realities with business leaders and IT operations leaders, and to gain the attention and resources needed to minimize risk. Security programs will never reach nirvana; security is a journey, not a destination. Successful CISOs know this, but the key to job security is communicating this to the organization-at-large.
For additional information about security metrics that drive action, readers should reference the Top 20 Critical Security Controls, now maintained by The Center for Internet Security and the Council on CyberSecurity. Tenable Network Security also provides free research and content about the top 20 controls as well as Tenable solutions that will help you reduce risk and ensure compliance.