Which security metrics matter most?


Today’s powerful security vulnerability tools provide organizations with the ability to monitor an almost unlimited number of metrics. However, few organizations have the time or resources to give their full attention to all possible metrics. As a result, it’s important to assess which specific security metrics present the business with the most value. Understandably, the answer depends heavily on the audience.

What the IT Ops Team Wants

Knowing, for instance, that the IT team tasked with applying patches is constantly overworked, it makes sense to focus on the metrics that help them reduce the time necessary to address vulnerabilities. Specifically, while there may be a list of 500 active vulnerabilities, in reality, perhaps just 12 patches can effectively mitigate the majority of the vulnerabilities. As a result, IT is looking to security to go beyond telling it how many vulnerabilities are present and instead to shine a light on the path that addresses the greatest number of vulnerabilities with the least amount of work.
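One way to produce the short patch list described above, as an added example that is not part of the original article: a greedy set cover over scanner findings, generalized to the case where more than one patch can close the same finding. The finding tuples, patch names and the 80% target are constructed assumptions, and each patch is assumed to be rolled out fleet-wide.

```python
from collections import defaultdict

# Constructed sample findings: (host, vulnerability id, patches that remediate it).
# All identifiers are placeholders, not real advisories or scanner output.
FINDINGS = [
    ("web01", "VULN-001", {"PATCH-A"}),
    ("web02", "VULN-001", {"PATCH-A"}),
    ("web01", "VULN-002", {"PATCH-A", "PATCH-B"}),
    ("db01", "VULN-002", {"PATCH-A", "PATCH-B"}),
    ("db01", "VULN-003", {"PATCH-B"}),
    ("web02", "VULN-004", {"PATCH-A"}),
    ("app01", "VULN-005", {"PATCH-C"}),
    ("app01", "VULN-006", {"PATCH-B", "PATCH-C"}),
    ("app02", "VULN-007", {"PATCH-D"}),
    ("app02", "VULN-008", set()),  # no patch available yet
]


def rank_patches(findings, target=0.8):
    """Return [(patch, findings newly closed, cumulative coverage)].

    Greedy set cover: keep choosing the patch that closes the most
    still-open findings until `target` share of all findings is covered
    or no remaining patch closes anything.
    """
    by_patch = defaultdict(set)
    for idx, (_host, _vuln, patches) in enumerate(findings):
        for patch in patches:
            by_patch[patch].add(idx)
    total = len(findings)
    if total == 0 or not by_patch:
        return []
    open_ids = set(range(total))
    plan, covered = [], 0
    while open_ids and covered / total < target:
        # sorted() makes ties deterministic: the alphabetically first patch wins.
        best = max(sorted(by_patch), key=lambda p: len(by_patch[p] & open_ids))
        gained = by_patch[best] & open_ids
        if not gained:
            break  # what is left has no known patch; report it separately
        open_ids -= gained
        covered += len(gained)
        plan.append((best, len(gained), round(covered / total, 2)))
    return plan


if __name__ == "__main__":
    for patch, closed, coverage in rank_patches(FINDINGS):
        print(f"{patch}: closes {closed} findings, cumulative {coverage:.0%}")
```

Findings that no patch can close never enter the plan, so they need their own line in the report to IT rather than disappearing from the count.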

What Business Leaders Want

If business leaders are the primary audience, it’s important to present entirely different security metrics than the analytics collected for the IT team. Business leaders are most concerned about the overall state of organizational risk and want information that helps them determine what steps are needed to improve the organization’s security posture over time.

For business leaders, the concern isn’t with the actual number of vulnerabilities. Instead, business leaders need to know percentages and trends. For instance, what percentage of non-patched vulnerabilities are critical-, high-, or medium-grade threats? How is this percentage changing from quarter to quarter? Having this insight allows leadership to effectively address resource requirements, such as reallocating IT staff when needed.

Additionally, by monitoring the change in detected vulnerabilities, security teams can adjust their efforts as needed to reduce risk by eliminating the greatest vulnerabilities. Sharing data security trends empowers leadership teams to focus resource deployment on initiatives that best defend the network.

Metrics Importance Depends on Your Audience

When communicating about security metrics, the real key to success is knowing your audience first, and then addressing their individual needs by giving them the security metrics that matter most to them and that offer actionable insights. This approach respects everyone’s time.

Read more about security metrics that can help you Manage Business Risk, and learn about Tenable’s exclusive Assurance Report Cards.
