Do you know your hackers’ window of opportunity? That’s the critical question that you need to be asking your own organization, third-party vendors, insurance applicants, and M&A targets.
Standards like NIST CSF and SIG can tell you which policies and processes you need to maintain organizational security, but they don’t tell you which controls you need to have in place. On top of that, it’s exceedingly difficult for an organization to know if its controls are not only working, but actually effective in implementing the NIST and the SIG recommendations.
To mitigate this ambiguity, we’re releasing a new module called Security Program Analytics. Located in the Reports section of your SecurityScorecard interface, you can review a couple of key outcome-driven metrics:
- Level of preparedness — How many (and what percentage of) endpoints are fully patched and up to date?
- Time to detection — When a new version of software is released (for example, Google Chrome), how many days does it take for a company to begin the update to the next version?
- Time to response — How many days does it take to achieve company-wide adoption?
These key indicators of organizational health — observable from outside the organization — measure the efficacy of its internal IT security control. Using Google Chrome as an example, Security Program Analytics will tell you what percentage of your browsers are up to date, as well as the average time it takes between initializing the update and achieving company-wide adoption — the window of opportunity for attackers to exploit any vulnerabilities.
You can also measure the maturity and evolution of your organization’s IT security program over the last 12 months, and monitor how quickly and effectively they respond to software updates when new vulnerabilities are discovered.