Along with my peer CISOs, I recently added my $0.02 to a CSO Online article on how to get the best results out of an enterprise vulnerability management program.
I particularly wanted to zoom in on key performance indicators (KPIs), given this is an area where many security professionals don’t focus enough of their attention.
“He says organizations could use any of the commonly used key performance indicators—such as percentage of critical vulnerabilities remediated on time and percentage of critical vulnerabilities not remediated on time—to measure current state and track improvement over time.
Other KPIs to use could include percentage of assets inventoried, time to detect, mean time to repair, number of incidents due to vulnerabilities, vulnerability re-open rate and number of exceptions granted.”
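To make the quoted KPIs concrete, here is an added example (my own illustration, not from the CSO Online article) that computes several of them from a small constructed set of findings. The SLA table, the sample findings, the asset inventory and the helper names (`Finding`, `vm_kpis`) are all assumptions for the illustration; real numbers would come from your scanner and ticketing exports. Two definitional choices matter and are easy to get wrong: findings under an approved exception are excluded from the on-time measurement rather than counted as "remediated", and an open critical finding only counts against you once its SLA deadline has actually passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation SLAs in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    asset: str
    severity: str
    detected: date
    remediated: Optional[date]   # date the fix was verified; None if still open
    reopened: bool = False       # closed once, then found again by the scanner
    exception: bool = False      # risk formally accepted; excluded from SLA measurement


def deadline(f: Finding) -> date:
    return f.detected + timedelta(days=SLA_DAYS[f.severity])


def vm_kpis(findings, inventory, today):
    """Compute vulnerability-management KPIs over a list of Finding records."""
    # Critical findings not under exception. A finding only counts once its
    # outcome is decided: remediated, or still open and past its deadline.
    crit = [f for f in findings if f.severity == "critical" and not f.exception]
    on_time = [f for f in crit if f.remediated and f.remediated <= deadline(f)]
    overdue = [f for f in crit
               if (f.remediated and f.remediated > deadline(f))
               or (f.remediated is None and today > deadline(f))]
    decided = len(on_time) + len(overdue)

    # Mean time to remediate, in days, over everything fixed at any severity.
    ttr = [(f.remediated - f.detected).days for f in findings if f.remediated]

    # Re-open rate: share of remediated findings the scanner later found again.
    closed = [f for f in findings if f.remediated]
    reopened = [f for f in closed if f.reopened]

    # Inventory coverage: assets the scanner reports that the inventory lacks.
    discovered = {f.asset for f in findings}
    inventoried = discovered & set(inventory)

    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 0.0

    return {
        "critical_on_time_pct": pct(len(on_time), decided),
        "critical_overdue_pct": pct(len(overdue), decided),
        "critical_open_within_sla": len(crit) - decided,
        "mttr_days": round(sum(ttr) / len(ttr), 1) if ttr else 0.0,
        "reopen_rate_pct": pct(len(reopened), len(closed)),
        "exceptions_granted": sum(1 for f in findings if f.exception),
        "assets_inventoried_pct": pct(len(inventoried), len(discovered)),
        "uninventoried_assets": sorted(discovered - inventoried),
    }


# Constructed sample data for the illustration (not real findings).
TODAY = date(2024, 6, 30)
INVENTORY = ["web-01", "web-02", "db-01", "db-02", "app-01", "app-02", "vpn-01"]
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2024, 5, 1), date(2024, 5, 10)),           # on time
    Finding("web-02", "critical", date(2024, 5, 1), date(2024, 5, 30)),           # late
    Finding("db-01", "critical", date(2024, 6, 1), None, exception=True),         # excluded
    Finding("db-02", "critical", date(2024, 6, 20), None),                        # still within SLA
    Finding("app-01", "critical", date(2024, 5, 20), None),                       # open and overdue
    Finding("app-02", "high", date(2024, 5, 1), date(2024, 5, 21)),
    Finding("legacy-09", "high", date(2024, 4, 1), date(2024, 4, 15), reopened=True),
    Finding("vpn-01", "medium", date(2024, 3, 1), date(2024, 5, 10)),
]

if __name__ == "__main__":
    for name, value in vm_kpis(SAMPLE_FINDINGS, INVENTORY, TODAY).items():
        print(f"{name}: {value}")
```

On this data the critical on-time rate is 33.3% (one of three decided findings), the overdue rate 66.7%, one critical finding is open but still inside its SLA window, MTTR across all severities is 28.4 days, the re-open rate is 20%, one exception is on the books, and the "legacy-09" host surfaces as an asset the scanner knows about but the inventory does not. Reporting the open-within-SLA count alongside the percentages keeps a quiet backlog from hiding behind a good-looking ratio.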
What are some of your key focus areas?