Benjamin Franklin famously said, "An ounce of prevention is worth a pound of cure." Unfortunately, no amount spent on prevention can guarantee 100% protection. Successful CISOs must make pragmatic decisions that balance risk and budget. To do this, it is critical to establish and trust the right metrics. This is challenging, to say the least, in today's complex and dynamic cloud-era IT environments.

Total Vulnerabilities Can Be a Misleading Security Metric

It's tempting to focus on total vulnerabilities. It's an easy metric to count. If your scanner told you that last month you had 100 vulnerabilities and now you have 1000, you might conclude that your security program is faltering. Don't be fooled: you might have just expanded your scan across more resources. This metric alone is rarely an effective indicator of your current security posture or security program effectiveness.

Total vulnerability counts don't provide any context and don't take into account the criticality of the vulnerability. If you prioritize low-level vulnerability remediation ahead of critical vulnerabilities, you are in for devastating results. It is best to prioritize remediation based on the level of risk combined with the potential impact to the business should it be exploited.

Additionally, a focus on total vulnerability counts could impact morale and even encourage bad behavior. We've heard a few horror stories at Tenable from people who gave up doing richer credentialed scans because they were finding too many vulnerabilities. Sure, non-credentialed scans have a purpose, and vulnerability counts will certainly be lower, but if you use only non-credentialed scans you will fail to protect your organization.

Two Security Metrics That You Can Bank On

So what should you look at if total vulnerability count isn't a viable metric?
You need to know how much of your environment is being scanned and to track how quickly vulnerabilities are being remediated. This gives visibility into both the overall security program effectiveness and the patch process efficiency. These two useful metrics will drive action across the organization:

1. Average patch rate - How long does it take, on average, to completely deploy application or operating system updates to a business system (by business unit)?

2. Scan coverage - What is the percentage of the organization's business systems that have not been scanned recently? While it's great to know that you have, say, 1000 vulnerabilities on scanned assets, if you're only scanning 20% of your assets, you're still missing quite a bit of information.

Security is a Journey, Not a Destination

Every CISO should start with these two core metrics, average patch rate and scan coverage, to best ensure security effectiveness and to minimize attack surfaces. These same two metrics can be used to communicate risk realities with business leaders and IT operations leaders, and to gain the attention and resources needed to minimize risk. Security programs will never reach nirvana; security is a journey, not a destination. Successful CISOs know this, but the key to job security is communicating this to the organization-at-large.

For additional information about security metrics that drive action, readers should reference the Top 20 Critical Security Controls, now maintained by The Center for Internet Security and the Council on CyberSecurity. Tenable Network Security also provides free research and content about the top 20 controls as well as Tenable solutions that will help you reduce risk and ensure compliance.
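To make the two metrics concrete, here is an added example (not Tenable's code, and not tied to any scanner's export format) that computes scan coverage and average patch rate from a small constructed inventory of assets and findings. The 30-day "recently scanned" window, the asset and business-unit names, and the severity labels are all assumptions chosen for the illustration; the remediation time is measured from first detection to closure, which is one reasonable proxy for the patch deployment time the post describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    business_unit: str
    last_scanned: Optional[date]  # None means the asset has never been scanned


@dataclass
class Finding:
    asset: str
    severity: str          # assumed labels: "critical", "high", "medium", "low"
    first_seen: date       # date the scanner first reported the finding
    remediated: Optional[date]  # None means the finding is still open


# Constructed sample data: five assets across two business units.
AS_OF = date(2024, 6, 30)
ASSETS = [
    Asset("web-01", "Finance", date(2024, 6, 25)),
    Asset("web-02", "Finance", date(2024, 5, 10)),  # scanned 51 days ago: stale
    Asset("db-01", "Finance", date(2024, 6, 28)),
    Asset("hr-app", "HR", None),                     # never scanned
    Asset("hr-db", "HR", date(2024, 6, 20)),
]
FINDINGS = [
    Finding("web-01", "critical", date(2024, 6, 1), date(2024, 6, 4)),
    Finding("db-01", "high", date(2024, 5, 20), date(2024, 6, 2)),
    Finding("web-02", "low", date(2024, 5, 1), None),
    Finding("hr-db", "critical", date(2024, 6, 10), date(2024, 6, 24)),
    Finding("hr-db", "medium", date(2024, 6, 1), date(2024, 6, 21)),
    Finding("web-01", "high", date(2024, 6, 20), None),
]


def scan_coverage(assets: List[Asset], as_of: date,
                  window_days: int = 30) -> Tuple[float, List[str]]:
    """Return (percent of assets scanned within the window, names of stale assets).

    Assets that were never scanned are always counted as stale.
    """
    stale = [
        a.name for a in assets
        if a.last_scanned is None or (as_of - a.last_scanned).days > window_days
    ]
    if not assets:
        return 0.0, stale
    covered = len(assets) - len(stale)
    return 100.0 * covered / len(assets), stale


def average_patch_rate(findings: List[Finding], assets: List[Asset],
                       severities: Optional[set] = None) -> Dict[str, float]:
    """Mean days from first detection to remediation, per business unit.

    Only closed findings contribute; an optional severity filter lets you
    report the number for critical findings separately from the rest.
    """
    bu_of = {a.business_unit for a in assets} and {a.name: a.business_unit for a in assets}
    durations: Dict[str, List[int]] = {}
    for f in findings:
        if f.remediated is None:
            continue  # still open, so it has no patch time yet
        if severities is not None and f.severity not in severities:
            continue
        days = (f.remediated - f.first_seen).days
        durations.setdefault(bu_of[f.asset], []).append(days)
    return {bu: sum(d) / len(d) for bu, d in durations.items()}


def open_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Count still-open findings per severity, so the backlog is read by risk, not by raw total."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.remediated is None:
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    pct, stale = scan_coverage(ASSETS, AS_OF)
    print(f"scan coverage: {pct:.0f}% (stale: {', '.join(stale)})")
    print("average patch rate (days):", average_patch_rate(FINDINGS, ASSETS))
    print("critical-only patch rate:", average_patch_rate(FINDINGS, ASSETS, {"critical"}))
    print("open findings by severity:", open_by_severity(FINDINGS))
```

On the constructed data, coverage is 60% with web-02 and hr-app stale, Finance closes findings in 8 days on average and HR in 17, and the open backlog is one high and one low rather than "two vulnerabilities". Tracking the critical-only patch rate separately is what keeps the risk-based prioritization the post recommends visible in the numbers.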