The rising cadence of automated attacks means that security teams need to strive to make their own practices as precise and metric-driven as possible. Poring over spreadsheets and creating 500-page PDFs is no longer enough to ensure that critical vulnerabilities are remediated in time. But what's the best way to ensure that the right metrics are applied to the practice of vulnerability management, a security function that has occasionally been seen as directionless in the past?
Here are 5 key areas where you'll need to apply must-have metrics for vulnerability management:
Know Your Assets: Do you know where all your assets and applications are? What is your current assessment coverage? How do you discover new assets?
Know Your Business: Are you performing threat modeling? What threats exist to your business? Are you a target?
Know Your Risk: Where are your security weaknesses and vulnerabilities, and which ones are the most likely to be exploited? How do you determine likelihood and impact?
Know Your Resources: What can you get done with the resources you have? Are you accounting for budget, time, and people?
Know Your Direction: Are you getting better or worse over time? Given the other "must haves" above, what is an achievable goal for risk reduction?