Posted on Nov 25, 2020
You can’t manage what you can’t measure. That goes for vulnerability management as much as any other part of your organization.
Vulnerabilities can be overwhelming to manage. Unlike cyber threats, which come from outside your organization, vulnerabilities are often internal — they can include any flaw or weakness that a bad actor can exploit to get at your data or infrastructure. Anything from a poorly secured firewall to a software bug can be a vulnerability. Keeping track of it all can be exhausting, especially if your security team is trying to track every potential vulnerability in a spreadsheet.
The best, most efficient way to keep tabs on your organization’s vulnerabilities is to choose and apply metrics that let your team track and prioritize the specific vulnerabilities and threats that matter to your company.
Unfortunately, many organizations aren’t using metrics when it comes to cybersecurity. A report by Thycotic found that 58 percent of the businesses it surveyed failed to adequately measure their cybersecurity performance against best practices, while a report by EY shows that 36 percent of organizations in the financial services sector are worried about “non-existent or very immature” metrics and reporting when it comes to cybersecurity.
If you’re looking for a ready-made list of vulnerability management metrics for your organization, we’re going to stop you right there. Vulnerability metrics can’t be one-size-fits-all. Instead, they need to be tailored to your specific organization's business goals and appetite for risk.
One way to find the metrics that apply to your organization is by using a threat modeling methodology.
Threat modeling is a process through which security experts identify potential threats and vulnerabilities, prioritize them, and identify the techniques that will mitigate those vulnerabilities. There are several processes and frameworks you can use to model threats. The basic approach, according to software engineer Goran Aviani, is to answer certain questions:
Threat modeling, he writes, is composed of four parts. Each part answers one of the questions:
In decomposing the application, for example, your team looks at your application (or your business) to determine entry points for attackers and assets that attackers might want to target.
You might also want to ask yourself more specific questions about your organization and its assets:
These questions will help you understand your organization itself, what you have that others might want, and what systems you have set up to protect them.
Once you understand what your vulnerabilities are, you can choose metrics that will help you manage those risks.
To better understand your risk, you’ll have to ask some clarifying questions:
To track these vulnerabilities over time, create a risk score for your organization that you can monitor as findings are discovered and remediated.
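As an added example (not code from the original post or from SecurityScorecard), here is a small Python script that turns a finding inventory into the kind of metrics described above. Each finding is tied to an asset together with the asset's criticality and exposure, the information a threat-model decomposition produces, and the script then computes the open-finding count, the share of open findings past their remediation SLA, mean time to remediate per severity, a weighted risk score, and the assets contributing most to it. The SLA days, severity weights and multipliers are assumptions to tune to your own risk appetite, and the findings are constructed sample data, not real results.

```python
"""Vulnerability-management metrics from a finding inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Assumed remediation SLAs (days) and severity weights; tune to your risk appetite.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
EXPOSED_MULTIPLIER = 2.0   # asset is an internet-facing entry point (from the threat model)
OVERDUE_MULTIPLIER = 1.5   # finding is still open past its SLA


@dataclass
class Finding:
    asset: str
    severity: str            # one of SLA_DAYS' keys
    internet_facing: bool    # is the asset an external entry point?
    asset_criticality: int   # 1 (throwaway) .. 5 (crown jewel), from the asset inventory
    discovered: date
    remediated: Optional[date] = None

    def is_open(self) -> bool:
        return self.remediated is None

    def days_open(self, today: date) -> int:
        end = self.remediated or today
        return (end - self.discovered).days

    def past_sla(self, today: date) -> bool:
        return self.is_open() and self.days_open(today) > SLA_DAYS[self.severity]


# Constructed sample inventory (not real findings) and the reporting date used below.
AS_OF = date(2020, 11, 25)
FINDINGS: List[Finding] = [
    Finding("web-portal", "critical", True, 5, date(2020, 11, 10)),
    Finding("web-portal", "high", True, 5, date(2020, 11, 20)),
    Finding("hr-db", "high", False, 4, date(2020, 10, 1), date(2020, 10, 20)),
    Finding("build-server", "medium", False, 3, date(2020, 8, 1)),
    Finding("wiki", "low", False, 1, date(2020, 11, 1), date(2020, 11, 5)),
    Finding("vpn-gateway", "critical", True, 5, date(2020, 11, 22)),
]


def sla_breach_rate(findings: List[Finding], today: date) -> float:
    """Share of open findings that have exceeded their remediation SLA."""
    open_findings = [f for f in findings if f.is_open()]
    if not open_findings:
        return 0.0
    return sum(f.past_sla(today) for f in open_findings) / len(open_findings)


def mean_time_to_remediate(findings: List[Finding], today: date) -> Dict[str, float]:
    """Average days from discovery to fix, per severity, over closed findings only."""
    per_severity: Dict[str, List[int]] = {}
    for f in findings:
        if not f.is_open():
            per_severity.setdefault(f.severity, []).append(f.days_open(today))
    return {sev: mean(days) for sev, days in per_severity.items()}


def finding_risk(f: Finding, today: date) -> float:
    """Weighted risk of one open finding; closed findings contribute nothing."""
    if not f.is_open():
        return 0.0
    score = float(SEVERITY_WEIGHT[f.severity] * f.asset_criticality)
    if f.internet_facing:
        score *= EXPOSED_MULTIPLIER
    if f.past_sla(today):
        score *= OVERDUE_MULTIPLIER
    return score


def risk_score(findings: List[Finding], today: date) -> float:
    return sum(finding_risk(f, today) for f in findings)


def top_assets(findings: List[Finding], today: date, n: int = 3) -> List[Tuple[str, float]]:
    """Assets ranked by their share of the total risk score."""
    totals: Dict[str, float] = {}
    for f in findings:
        totals[f.asset] = totals.get(f.asset, 0.0) + finding_risk(f, today)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def summarize(findings: List[Finding], today: date) -> dict:
    """The metrics a leadership report would carry, as plain numbers."""
    return {
        "open_findings": sum(f.is_open() for f in findings),
        "sla_breach_rate": sla_breach_rate(findings, today),
        "mttr_days": mean_time_to_remediate(findings, today),
        "risk_score": risk_score(findings, today),
        "top_assets": top_assets(findings, today),
    }


if __name__ == "__main__":
    for key, value in summarize(FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

Because the score multiplies severity by asset criticality and exposure, the same critical finding counts for far more on an internet-facing crown-jewel system than on an isolated test box, which is the prioritization the threat model is meant to drive. Tracking the summary week over week, rather than the raw finding count, is what lets leadership see whether remediation is keeping pace with discovery.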
No matter which metrics end up being important to your business, you’ll want to make sure the metrics you pick will be clear and understandable to anyone who looks at your reporting. You want your business-side colleagues and leadership to be able to read them without having to ask you for an explanation.
SecurityScorecard’s Ratings allow you and your organization’s business stakeholders to clearly understand and continuously monitor the most important cybersecurity KPIs for your company and your third parties. Our ratings continuously monitor metrics like endpoint security, network security, and application security, so you know what your vulnerabilities are and can manage them in real time.