8 Ways to Speed Time to Value in Vulnerability Management 

This post originally ran on August 24, 2021 and has been updated. 

Every new Security and IT software investment comes with a brief honeymoon period — a few weeks where teams are learning the new system, and the application is rolled out to stakeholders. But before long, executives will be looking for a return on their investment. And that’s when one of the most important metrics in software comes into play. Time is the one resource we all are given in equal measure — 24 hours of it each day, in fact — and yet it is the most valuable resource of all. 

That’s why metrics like “time-to-value” are so important. Time-to-value (TTV) is a way to measure how rapidly your investment is producing the results you require to justify the initial and ongoing expense. It’s useful for demonstrating to those who signed off on the purchase that the money was well spent, and to all stakeholders that things are moving in the right direction without delay to achieve the desired outcomes.

But just waiting for value to appear isn’t a best practice. In fact, simply waiting around for results, without proactively taking consistent steps to ensure they materialize promptly, could land you in the trough of disillusionment, a dismal place of off-track deployments, unclear objectives, and impatient execs. 

Nobody wants to end up there.

Start by defining what value is to you

We’ve spent years working closely with customers to help them achieve value quickly — and to keep improving their vulnerability management ROI long after those first value deliverables. The TTV process begins first by establishing what value looks like; in other words, you need to define specifically how value will manifest in your environment. This starts with creating a success plan, in which the customer and solution provider work together to define success. TTV comes into play when you determine how you’ll measure that success.  

What value looks like depends on where your vulnerability maturity program stands. Have you just implemented a cloud-based vulnerability management solution? Or are you looking to extract further value from a risk-based vulnerability program you’ve had for years, but are now seeing threats multiply, your attack surface continues to expand, and the intel you base your strategy on isn’t keeping up?

Organizations moving from scanner or CVSS-based prioritization to risk-based prioritization might look for quick wins, such as establishing risk scores for individual asset groups, departments, remediation teams, or the enterprise at large. Risk scores can be assigned to virtually any object or group, from a single vulnerability to the entire infrastructure. Best of all, they’re the best, most intuitive way to demonstrate your vulnerability management program’s progress over time. Later, we’ll cover how to use this powerful tool to accelerate TTV.  

More mature vulnerability programs might have the prioritization and remediation basics down, but their strategy may still lack the contextual insight needed to anticipate emerging threats. Or they may still be holding to standard SLA timeframes with little bearing on the actual risk posed by specific vulns, and no bearing on the organization’s tolerance for risk.

Above all, be sensitive to what your executive team and board views as value. Your CIO, for instance, may find risk scores useful (and they should), but their personal priority may be to reduce the time their team spends remediating vulns. If so, that’s a value metric you should be targeting from the get-go.

Getting to value faster

Working with vulnerability management customers, we’ve identified proven ways to accelerate TTV for vulnerability management programs at all stages. Below we’ll cover some of the most common. (Pro tip: You should also consider this a list of must-haves when evaluating vulnerability management vendors)

1. Leverage peer benchmarking. Gaining insight into how your program is performing from a cybersecurity standpoint compared to industry peers can help identify areas of opportunity. And when it comes to making a compelling argument when petitioning for process changes or more funding, nothing closes the deal better than peer benchmarking data. Interested to see what this looks like? Check out the Prioritization to Prediction Benchmark Survey and see how your program stacks up against your peers.
2. Identify outliers. Coverage gaps, high (and low) performing teams or team members, and inefficient processes all bubble up to the surface when you have access to the right insights.
   Take Epicor, an enterprise software company based in Austin, Texas. Their risk-based vulnerability management platform helped uncover an unexpected flaw in their automated patching process that was leaving more than 10,000 assets vulnerable. Once this was fixed, their risk score dropped significantly.
3. Incentivize teams. Introduce a healthy dose of friendly competition by gamifying remediation. Teams who may have previously been indifferent to working to reduce their applications’ risk scores will suddenly work to drive down their risk meters the fastest. Sure, you can reward the winners with a pizza party, but nothing beats good old-fashioned bragging rights. This is one of the most effective methods for achieving results quickly and improving them over time.
4. Create self-service user experiences. Once a company’s risk-based vulnerability management program is up and running, the bottlenecks and speed bumps fall away, allowing Security and IT teams to access the data and marching orders they need. When remediation teams have a self-service experience, gone are the fix lists issued by Security and the resentment that can result from dumping an overwhelming spreadsheet into a system owner’s box. Everyone’s on the same team and empowered to follow the shared game plan, analyze the intel, and take appropriate action.
5. Increase security literacy throughout the business. An intelligent program boosts company-wide understanding of risk (both cyber and otherwise). When you’re able to measure the impact (or lack of impact) from headline vulnerabilities or low-value vanity efforts, you’ll get more people on board with the notion that if a task doesn’t actually reduce risk, it’s probably not worth doing. Once companies establish a collective understanding of what risk means, they can rally around it and work as one to drive it down.
6. Report (and steer cultural change). Forget about tallying up the number of closed vulns. Instead, serve up a report to the board that highlights the likelihood and potential impact of a breach, the most sensitive assets and your plan to protect them, and what a great job you’re doing optimizing limited resources. Intuitive and meaningful reporting helps not only makes a case for risk-based vulnerability management but also gets leadership up to speed and aligned. One Fortune 500 shipping and delivery services company was able to make the case for abandoning their historic spreadsheet-based approach and successfully migrated all 3,000 end users to a single risk prioritization dashboard. By demonstrating the proven value of their vulnerability management program to build a culture around risk reduction, they experienced company-wide adoption of risk prioritization and scoring, and fundamentally orchestrated a shift in the security culture.
7. Craft risk-based SLAs. SLAs have always been a necessary evil when it comes to remediation. Assigning arbitrary timeframes to close vulns that might not need attention now (or at all) doesn’t help lower risk or incentivize teams. Instead, SLAs can be crafted according to the company’s risk tolerance, the asset priority, and the likelihood the vuln will be exploited. This way teams can set (and meet) evidence-based SLAs, optimize resources, and keep working to lower risk. 
8. Enhance your intel with context. For those who never raised their hand and are humming along nicely with an established and successful program, one key element that can boost your efforts, even more, is context and actionable insight. A risk score is relatively meaningless without an understanding of how that vulnerability could impact your organization and how you can act on it with confidence that you’re using your time wisely and effectively. 

This can be based on an asset’s data classification (GDPR, SOC, PCI, etc.), the business criticality of those assets, whether exploits have been observed in your industry, your own appetite for risk, and more. Achieving this kind of contextual awareness isn’t easy, particularly if attempted in-house, but it’s something the most advanced modern risk-based vulnerability management solutions enable. 

This is just the tip of the iceberg

Vulnerability management wins aren’t piecemeal, but instead support an overarching, complex machine designed to secure your organization, lower risk, and smooth out inefficiencies (that ultimately saving time, money, and resources). There are many paths forward to accomplish this and many versions of what success looks like, but home runs along the way help build and sustain momentum and decrease time to value.

Because you’re not just changing your prioritization list, you’re fundamentally shifting how your organization views and treats risk. And there’s no time to waste. 

Download this infographic to learn how to decrease your time to value.