USING SECURITY METRICS TO DRIVE ACTION
Benjamin Franklin famously said, “An ounce of prevention is worth a pound of cure.” Unfortunately, no amount spent on prevention can guarantee 100% protection. Successful CISOs must make pragmatic decisions that balance risk and budget. To do this, it is critical to establish and trust the right metrics. This is challenging, to say the least, in today’s complex and dynamic cloud-era IT environments.
Total Vulnerabilities Can Be a Misleading Security Metric
It’s tempting to focus on total vulnerabilities. It’s an easy metric to count. If your scanner told you that last month you had 100 vulnerabilities and now you have 1000, you might conclude that your security program is faltering. Don’t be fooled – you might have just expanded your scan across more resources. This metric alone is rarely an effective indicator of your current security posture or security program effectiveness.
Total vulnerability counts don’t provide any context and don’t take into account the criticality of each vulnerability. If you prioritize remediation of low-severity vulnerabilities ahead of critical ones, you are in for devastating results. It is best to prioritize remediation based on the level of risk combined with the potential impact to the business should the vulnerability be exploited.
Additionally, a focus on total vulnerability counts could impact morale and even encourage bad behavior. We’ve heard a few horror stories at Tenable from people who gave up doing richer credentialed scans because they were finding too many vulnerabilities. Sure, non-credentialed scans have a purpose, and vulnerability counts will certainly be lower, but if you use only non-credentialed scans you will fail to protect your organization.
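To make the two points above concrete (a raw count that grows because scan scope widened, and prioritization by risk combined with business impact), here is an added example in Python. It is not Tenable's code and does not use any Tenable product output; the severity weights, asset impact values and the two months of scan findings are all constructed for illustration. It reports a raw count alongside per-asset density, a severity-and-impact-weighted risk score, and the share of findings that came from credentialed scans, so the reader can see the count quadruple while the risk score actually falls.

```python
"""Context-aware vulnerability metrics over constructed scan results (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity weights are an assumption for illustration (roughly CVSS-ordered).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}

# Business impact per asset, 1 (low) to 5 (business-critical); constructed values.
ASSET_IMPACT = {"db-01": 5, "web-01": 4, "ws-01": 1, "ws-02": 1, "ws-03": 1, "ws-04": 1}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str        # one of the SEVERITY_WEIGHT keys
    credentialed: bool   # True if the finding came from an authenticated scan


def make_findings(spec: List[Tuple[str, str, int]], credentialed: bool) -> List[Finding]:
    """Expand (asset, severity, count) triples into Finding records (constructed data)."""
    return [Finding(asset, sev, credentialed) for asset, sev, n in spec for _ in range(n)]


# Month 1: narrow, unauthenticated scan of 4 assets (2 of them had findings).
MONTH1 = make_findings([("web-01", "high", 2), ("web-01", "medium", 3),
                        ("db-01", "critical", 1), ("db-01", "low", 4)], credentialed=False)
MONTH1_ASSETS = 4

# Month 2: the critical and high issues were fixed, but a credentialed scan
# across 12 assets surfaces many more low/medium findings.
MONTH2 = make_findings([("web-01", "medium", 3), ("web-01", "low", 6), ("db-01", "low", 10),
                        ("ws-01", "medium", 4), ("ws-02", "medium", 4),
                        ("ws-03", "low", 8), ("ws-04", "low", 5)], credentialed=True)
MONTH2_ASSETS = 12


def finding_weight(f: Finding) -> float:
    """Per-finding risk: severity weight times the business impact of the host."""
    return SEVERITY_WEIGHT[f.severity] * ASSET_IMPACT.get(f.asset, 1)


def risk_score(findings: List[Finding]) -> float:
    """Sum of per-finding risk; this is the number to trend, not the raw count."""
    return sum(finding_weight(f) for f in findings)


def per_asset(findings: List[Finding], assets_scanned: int) -> float:
    """Findings per scanned asset, so a wider scan scope does not masquerade as decay."""
    return len(findings) / assets_scanned


def credentialed_share(findings: List[Finding]) -> float:
    """Fraction of findings from authenticated scans; report scan depth next to the count."""
    return sum(f.credentialed for f in findings) / len(findings) if findings else 0.0


def remediation_order(findings: List[Finding]) -> List[Tuple[Tuple[str, str], float]]:
    """Distinct (asset, severity) pairs, highest per-finding risk first."""
    pairs = {(f.asset, f.severity): finding_weight(f) for f in findings}
    return sorted(pairs.items(), key=lambda kv: (-kv[1], kv[0]))


def report(findings: List[Finding], assets_scanned: int) -> Dict[str, object]:
    """One month's metrics side by side: raw count plus the context that gives it meaning."""
    return {
        "total": len(findings),
        "per_asset": round(per_asset(findings, assets_scanned), 2),
        "risk_score": risk_score(findings),
        "credentialed_share": credentialed_share(findings),
        "by_severity": dict(Counter(f.severity for f in findings)),
    }


if __name__ == "__main__":
    for name, fs, n in (("month-1", MONTH1, MONTH1_ASSETS), ("month-2", MONTH2, MONTH2_ASSETS)):
        print(name, report(fs, n))
    print("fix first:", remediation_order(MONTH1)[:2])
```

Running it shows month 2 with four times the findings of month 1 but a lower risk score, because the critical database finding and the high-severity web findings are gone and the new findings sit on low-impact workstations. The remediation order puts the critical finding on the highest-impact asset at the top regardless of how many low-severity items surround it.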