- Identify vulnerabilities
- Remediate vulnerabilities swiftly to keep our attack surface to a minimum
To measure how well we're meeting those goals, we can consult several KPIs. These may include:
Combining vulnerability data with asset inventory information lets us verify that our vulnerability management program covers all of our assets, or identify which assets still need to be added. This KPI is vital for every vulnerability management program: we cannot detect or remediate any vulnerability on an asset that is not in scope for vulnerability scanning.
Remediation tasks closed
This KPI measures the number of vulnerabilities that have been successfully mitigated or fixed within a given time frame. A higher number can indicate that we are effectively managing our exposures.
Remediation progress over time
By tracking the number and status of remediation tasks over time, it becomes transparent how many tasks are new, in progress, and successfully closed relative to all remediation tasks. This metric helps us understand whether our vulnerability management efforts are improving, deteriorating, or holding steady.
Remediation policy compliance
The remediation policy defines our company's time objectives: the maximum time we allow ourselves to remediate a vulnerability. The compliance KPI measures how many remediation tasks are past their policy target and are therefore not being managed adequately. A high number indicates ineffective management. Combined with the planned target date of each remediation task, it can also reveal deliberate delays (e.g., due to project dependencies) or a lack of process diligence.
Time to remediate
This KPI measures how long it takes us to remediate vulnerabilities. A shorter time to remediate can indicate that the organization has a more effective vulnerability management process.
Remediation tasks by status over time
Ideally, remediation tasks move quickly from 'new' to 'in progress' and eventually to 'closed', demonstrating steady progress. Tracking these numbers over time makes the overall trend in process diligence visible.
Percentage of high-risk vulnerabilities
This KPI measures the rate of high-risk vulnerabilities. A lower percentage can indicate that the organization is effectively prioritizing and addressing its most critical vulnerabilities.
Looking at several KPIs in combination gives a more comprehensive picture of how a process performs than any single aspect on its own. For example, if we only look at the number of high-risk remediation tasks without considering scan coverage, we might conclude that we are managing remediation effectively while, in reality, more and more assets are being left out of the program. Similarly, looking at remediation tasks closed without taking time to remediate into account can make it look like we are making steady progress when task turnover is actually slowing down.
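As an added example that is not part of the original article, the following Python computes the KPIs above over a small constructed set of remediation tasks and an assumed asset inventory, so that scan coverage can be read alongside the task-based numbers as the combination argument suggests. The asset names, the policy targets in POLICY_DAYS, the task data and the reporting date AS_OF are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data (not from the article): the asset inventory, the subset
# that is actually in scan scope, an assumed remediation policy and a reporting date.
ASSETS = {"web-01", "web-02", "db-01", "vpn-01", "hr-laptop-07"}
SCANNED = {"web-01", "web-02", "db-01"}
POLICY_DAYS = {"high": 14, "medium": 30, "low": 90}  # assumed max days per risk level
AS_OF = date(2024, 3, 31)                             # reporting date (assumed)

@dataclass
class Task:
    asset: str
    risk: str                      # "high", "medium" or "low"
    status: str                    # "new", "in progress" or "closed"
    opened: date
    closed: Optional[date] = None  # set only once status == "closed"

TASKS = [  # constructed remediation tasks
    Task("web-01", "high", "closed", date(2024, 3, 1), date(2024, 3, 10)),
    Task("web-02", "high", "in progress", date(2024, 3, 5)),
    Task("db-01", "medium", "closed", date(2024, 2, 1), date(2024, 3, 20)),
    Task("db-01", "low", "new", date(2024, 3, 25)),
    Task("web-01", "medium", "closed", date(2024, 2, 10), date(2024, 2, 28)),
    Task("web-02", "high", "new", date(2024, 3, 28)),
]

def scan_coverage(assets, scanned):
    """Share of inventoried assets that are in scan scope, plus the ones missing."""
    return len(assets & scanned) / len(assets), assets - scanned
def tasks_closed(tasks, start, end):
    """Remediation tasks closed within the period [start, end]."""
    return sum(1 for t in tasks if t.closed and start <= t.closed <= end)
def status_counts(tasks):
    """Snapshot of tasks by status; store one per period to see the trend."""
    return dict(Counter(t.status for t in tasks))
def tasks_past_policy(tasks, as_of):
    """Tasks whose age (to closure, or to as_of while open) exceeds the policy target."""
    return sum(1 for t in tasks
               if ((t.closed or as_of) - t.opened).days > POLICY_DAYS[t.risk])
def mean_time_to_remediate(tasks):
    """Average days from opening to closure over closed tasks (None if none closed)."""
    days = [(t.closed - t.opened).days for t in tasks if t.closed]
    return sum(days) / len(days) if days else None
def high_risk_share(tasks):
    """Fraction of still-open tasks that are high risk."""
    open_tasks = [t for t in tasks if t.status != "closed"]
    return sum(t.risk == "high" for t in open_tasks) / len(open_tasks) if open_tasks else 0.0
```

With this data, the three closed tasks and a mean time to remediate of 25 days look healthy on their own, while coverage of 60% and two tasks past their policy target show where the program is actually falling short.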
Several snapshot KPIs help assess the status quo and inform what to focus on next.