You can’t manage what you can’t measure. That goes for vulnerability management as much as any other part of your organization.
Vulnerabilities can be overwhelming to manage. Unlike cyber threats, which come from outside your organization, vulnerabilities are often internal — they can include any flaw or weakness that a bad actor can exploit to get at your data or infrastructure. Anything from a poorly secured firewall to a software bug can be a vulnerability. Keeping track of it all can be exhausting, especially if your security team is trying to track every potential vulnerability in a spreadsheet.
The best, most efficient way to keep tabs on your organization’s vulnerabilities is to choose and apply metrics that address your company’s specific vulnerabilities and threats.
Unfortunately, many organizations aren’t using metrics when it comes to cybersecurity. A report by Thycotic found that 58 percent of the businesses it surveyed failed to adequately measure their cybersecurity performance against best practices, while a report by EY shows that 36 percent of organizations in the financial services sector are worried about “non-existent or very immature” metrics and reporting when it comes to cybersecurity.
Finding the right metrics for your organization
If you’re looking for a ready-made list of vulnerability management metrics for your organization, we’re going to stop you right there. Vulnerability metrics can’t be one-size-fits-all. Instead, they need to be tailored to your specific organization’s business goals and appetite for risk.
One way to find the metrics that apply to your organization is by using a threat modeling methodology.
Threat modeling is a process through which security experts identify potential threats and vulnerabilities, prioritize them, and identify the techniques that will mitigate those vulnerabilities. There are several processes and frameworks you can use to model threats. The basics, according to software engineer Goran Aviani, are to answer certain questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
Threat modeling, he writes, is composed of four parts. Each part answers one of the questions:
- Decomposing the application
- Determining the threats
- Determining countermeasures and mitigations (reducing the danger)
- Ranking threats
In decomposing the application, for example, your team looks at your application (or your business) to determine entry points for attackers, or assets that attackers might want to target.
In determining the threats, you may wish to use a threat categorization system like STRIDE, or NIST’s threat categorization model.
You might also want to ask yourself more specific questions about your organization and its assets:
- What is your industry vertical, your organization size, and location? What other important data about the organization do you have?
- What information is processed by your application or assets? What regulations govern that data?
- How many people use the application?
- What are your business’s key assets? What controls protect them?
- Who might want access to your assets and data? Do they have the skillset to actually access them?
These questions will help you understand your organization itself, what you have that others might want, and what systems you have set up to protect them.
Understanding your vulnerabilities
Once you understand what your vulnerabilities are, you can choose metrics that will help you manage those risks.
To better understand your risk, you’ll have to ask some clarifying questions:
- Who owns the asset? What is the function of the asset? What would be the impact to your organization if the asset were compromised?
- What vulnerabilities are related to this asset? How easy is it to exploit these vulnerabilities?
- What threats are associated with these vulnerabilities? Do bad actors who want to target you have the skills to exploit these weaknesses? Are similar vulnerabilities being exploited at other organizations?
To understand these vulnerabilities, you should create a risk score for your organization that will help you monitor your risk.
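The threat-modeling steps above (decompose the application, determine and categorize threats, rank them) and the clarifying questions about asset owner, impact, exploitability and attacker capability can be turned into a small, scorable model from which metrics fall out. The Python below is an added example, not code from this article or from SecurityScorecard; the 1-to-5 scales, the scoring weights, the STRIDE labels applied to the sample assets, and the sample assets and threats themselves are constructed assumptions for illustration.

```python
"""Added example: a minimal, scorable threat model.

Each threat is tied to an asset, categorised with STRIDE, and scored from the
clarifying questions in the text: business impact, ease of exploit, whether
likely adversaries have the skills, and whether similar weaknesses are being
exploited elsewhere. All scales, weights and sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION = "Elevation of privilege"


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str             # who owns the asset
    impact: int            # 1..5: impact to the organization if compromised


@dataclass(frozen=True)
class Threat:
    asset: Asset
    category: Stride
    description: str
    exploitability: int    # 1..5: how easy the weakness is to exploit
    actor_capability: int  # 1..5: do likely adversaries have the skills?
    seen_in_wild: bool     # similar vulnerabilities exploited at other orgs?
    mitigated: bool = False


MAX_RISK = 25.0  # impact (max 5) x likelihood (max 5)


def score_threat(t: Threat) -> float:
    """Risk = impact x likelihood. Likelihood averages exploitability and
    actor capability, with a +1 bump (capped at 5) when the weakness class is
    being exploited elsewhere. A mitigated threat keeps half its raw risk as
    residual risk (assumed weighting)."""
    likelihood = (t.exploitability + t.actor_capability) / 2
    if t.seen_in_wild:
        likelihood = min(5.0, likelihood + 1)
    risk = t.asset.impact * likelihood
    return risk / 2 if t.mitigated else risk


def rank_threats(threats):
    """The 'rank threats' step: highest residual risk first."""
    return sorted(threats, key=score_threat, reverse=True)


def org_risk_score(threats) -> float:
    """Organization-level risk score: mean residual risk as a percentage of
    the maximum possible per-threat risk (assumed definition)."""
    if not threats:
        return 0.0
    mean_risk = sum(score_threat(t) for t in threats) / len(threats)
    return mean_risk / MAX_RISK * 100


def vulnerability_metrics(threats, high_threshold: float = 15.0) -> dict:
    """Metrics a business stakeholder can read without an explanation:
    open threats, open high-risk threats, and open threats per STRIDE category."""
    open_threats = [t for t in threats if not t.mitigated]
    return {
        "open_threats": len(open_threats),
        "high_risk_open": sum(1 for t in open_threats if score_threat(t) >= high_threshold),
        "by_category": dict(Counter(t.category.value for t in open_threats)),
    }


# Constructed sample data (assumption, not real assets).
CUSTOMER_DB = Asset("customer database", "data platform team", impact=5)
EDGE_FIREWALL = Asset("edge firewall", "network team", impact=4)

SAMPLE_THREATS = [
    Threat(CUSTOMER_DB, Stride.INFO_DISCLOSURE, "injection flaw in search endpoint",
           exploitability=4, actor_capability=4, seen_in_wild=True),
    Threat(EDGE_FIREWALL, Stride.TAMPERING, "poorly secured firewall management interface",
           exploitability=5, actor_capability=2, seen_in_wild=True, mitigated=True),
    Threat(CUSTOMER_DB, Stride.DENIAL_OF_SERVICE, "unbounded export query",
           exploitability=3, actor_capability=3, seen_in_wild=False),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{score_threat(t):5.1f}  {t.asset.name:18} {t.category.value:23} {t.description}")
    print(f"organization risk score: {org_risk_score(SAMPLE_THREATS):.1f}%")
    print(vulnerability_metrics(SAMPLE_THREATS))
```

The point of the design is that every number traces back to one of the questions in the text, so when leadership asks why a threat ranks where it does, the answer is the asset owner's impact rating plus the exploitability and threat-actor judgments, not an opaque score.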
How SecurityScorecard can help
No matter which metrics end up being important to your business, you’ll want to make sure the metrics you pick will be clear and understandable to anyone who looks at your reporting. You want your business-side colleagues and leadership to be able to read them without having to ask you for an explanation.
SecurityScorecard’s Ratings allow you and your organization’s business stakeholders to clearly understand and continuously monitor the most important cybersecurity KPIs for your company and your third parties. Our ratings continuously monitor metrics like endpoint security, network security, and application security, so you know what your vulnerabilities are, and can manage them in real-time.