Share with Your Network
How can you tell if your vulnerability management strategy is effective? Many organizations assume that a low vulnerability risk score means their cybersecurity strategy is optimized, or at least sufficient. But a risk score doesn’t tell the whole story. A high-risk vuln could spike your score at any moment, but that upswing isn’t a reflection on your team’s ability to mitigate risk. Neither does a steady risk score indicate that a mature organization is as resilient as it could be. Risk scores are vital to vulnerability management but using them as a metric for success leaves gaps in performance–and protection.
To close those gaps, many organizations attempt to patch all vulnerabilities. But it turns out, driving the number of vulns to zero as fast as possible is a waste of time and resources. Can all new vulnerabilities in an environment be remediated? Not even close. Organizations can address about one out of every seven vulnerabilities in their environment, and 16% remain open over a year. The volume of new and existing vulnerabilities will always surpass a team’s capacity to mitigate them.
But don’t lose hope: your security team can achieve remediation nirvana. Your team can learn to operationalize detailed intelligence on your business’s security operations and build resilience with efficiency.
Four key pillars of remediation performance
To drive down organizational risk, you need to quantify how well your organization is executing against a risk-based prioritization strategy. Kenna.VM Premier (now part of Cisco Vulnerability Management) quantifies performance quality with a Remediation Score. This composite score encompasses four key measurements which can be viewed separately as sub-scores to identify areas for optimization (if you’re keeping track, that’s five total):
- Coverage. Coverage measures the completeness of your remediation. What percentage of all vulnerabilities that should be remediated were correctly identified for remediation? For example, if your team remediates only 20 out of 100 vulnerabilities with existing exploits, the coverage of your strategy is a mere 20%. The other 80% pose a risk.
- Efficiency. An efficiency score measures the percentage of high-risk vulnerabilities out of all identified for remediation. This helps gauge if you’re deploying resources on the right targets. Continuing on the previous example, if a total of 40 vulnerabilities were remediated, the efficiency would be 50% due to only 20 of the 40 known to have exploits.
- Capacity. The average proportion of open vulns closed in a timeframe is your remediation capacity. A typical organization has the capacity to remediate 15% of vulnerabilities per month. The good news is that capacity is not a fixed number and can be improved. Top-performing security teams achieve two-and-a-half times the remediation capacity than other organizations, demonstrating that the norm can be exceeded with the right intelligence and efficient operations.
- Velocity: What is your team’s speed and progress of remediation? This metric measures the speed and progress of remediation: how quickly issues are addressed and how long they persist within and or across assets. You’d think having a higher velocity and lower vulnerability survival rate would be key, but firms with a higher remediation velocity tend to have lower efficiency due to the shorter duration of mitigating low-risk vulnerabilities. Velocity is important to calculate to understand your team’s remediation speed, but all metrics need to be considered when assessing remediation performance.
Perform better, build resilience
More nuanced and granular data helps teams make informed decisions faster, utilize resources to their full potential, and build even greater resilience for your organization’s infrastructure. We know you’d love to see these metrics all at 100s across the board, but the reality is that direct trade-offs exist. If you’re mitigating threats at high velocity, it’s likely those kills aren’t efficient and bigger threats are still lurking.
Manually calculating these metrics and trying to identify where those trade-offs exist can look mind-numbing on spreadsheets. But if you’re reading this blog post, you’re probably trying to make your cybersecurity strategy more efficient—and manual operations just won’t get you there.
Risk-based vulnerability management programs that utilize remediation scores can perform these calculations for you and provide constant access to real-time metrics on remediation performance to help your team become stronger, smarter, and make the most of your resources to protect your most valuable assets. With a remediation score, organizations can upgrade to a far more meaningful metric than a risk score to assess and optimize remediation team performance.
Mature your remediation strategy
Ready to learn how to operationalize these metrics within your business? Watch the webinar on remediation analytics, hosted by Kenna Security at Cisco’s CTO and Co-founder Ed Bellis and Chief Data Scientist Michael Roytman. In this 50-minute webinar, you’ll learn:
- How to calculate these metrics for remediation efficiency
- Why these metrics are important and how they work
- What gaps they fill in understanding security performance
This blog was originally written for Kenna Security, which has been acquired by Cisco Systems. Learn more about Cisco Vulnerability Management.
