Vulnerability Management KPIs

As with any good security project, one of the best ways to start is by establishing reasonable Key Performance Indicators (KPIs) to guide the security team and create realistic goals. Tenable recommends these five KPIs to get you started:

  • Scan frequency: How often does your enterprise conduct assessments?

  • Scan intensity: How many different scans are launched on a given scan day?

  • Asset authentication: How does your enterprise measure assessment depth?

  • Asset coverage: What proportion of the licensed assets are scanned in a 90-day period?

  • Vulnerability coverage: What proportion of total vulnerability plugins are used in a 90-day period?
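All five KPIs can be derived from scan history. As an added example (not Tenable's code; the scan records, the four licensed assets and the ten-plugin catalogue are constructed sample data), this Python function computes them over a trailing 90-day window:

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ScanRecord:
    day: date
    assets: frozenset      # asset identifiers the scan actually assessed
    plugins: frozenset     # vulnerability plugin IDs the scan policy enabled
    credentialed: bool     # True if the scan authenticated to its targets


def vm_kpis(scans, licensed_assets, total_plugins, as_of, window_days=90):
    """Return the five KPIs for scans whose day lies in (as_of - window, as_of]."""
    start = as_of - timedelta(days=window_days)
    recent = [s for s in scans if start < s.day <= as_of]
    scan_days = {s.day for s in recent}                 # distinct days with a scan
    assets_seen = set().union(*(s.assets for s in recent))
    plugins_used = set().union(*(s.plugins for s in recent))
    return {
        # scans-per-week rate over the window (how often assessments run)
        "scan_frequency_per_week": round(len(scan_days) / (window_days / 7), 2),
        # average number of scans launched on a day that had any scan
        "scan_intensity": round(len(recent) / len(scan_days), 2) if scan_days else 0.0,
        # share of scans that authenticated (a proxy for assessment depth)
        "asset_authentication": round(sum(s.credentialed for s in recent) / len(recent), 2)
        if recent else 0.0,
        # share of licensed assets touched by at least one scan in the window
        "asset_coverage": round(len(assets_seen & licensed_assets) / len(licensed_assets), 2),
        # share of the plugin catalogue exercised at least once in the window
        "vulnerability_coverage": round(len(plugins_used) / total_plugins, 2),
    }


# Constructed sample data: 4 licensed assets, a 10-plugin catalogue, 4 scans.
LICENSED_ASSETS = frozenset({"web-01", "web-02", "db-01", "app-01"})
TOTAL_PLUGINS = 10
AS_OF = date(2024, 3, 31)
SAMPLE_SCANS = [
    ScanRecord(date(2024, 3, 1), frozenset({"web-01", "web-02"}), frozenset({1, 2, 3}), True),
    ScanRecord(date(2024, 3, 1), frozenset({"db-01"}), frozenset({2, 4}), False),
    ScanRecord(date(2024, 3, 15), frozenset({"web-01"}), frozenset({1, 5}), True),
    # Older than 90 days: must be ignored by the window filter.
    ScanRecord(date(2023, 11, 1), frozenset({"db-01", "app-01"}), frozenset({9}), True),
]


def sample_kpis():
    return vm_kpis(SAMPLE_SCANS, LICENSED_ASSETS, TOTAL_PLUGINS, AS_OF)


if __name__ == "__main__":
    for name, value in sample_kpis().items():
        print(f"{name}: {value}")
```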

Once these KPIs are established, here are three ways security teams can start applying Predictive Prioritization and Vulnerability Priority Ratings (VPR) to their vulnerability management process:

  • In the discovery phase, VPR can assist in classifying assets within the network by improving accuracy and helping to discover newly added IP addresses.

  • When scanning, VPR can be applied automatically. As the security team scans the network more frequently, the threat intelligence improves because there’s more data to analyze in real time.

  • During the patching process, VPR helps security teams provide much-needed context to the IT professionals responsible for patching. As a result, security teams can improve their ability to prioritize and allocate resources based on real-world risk.