What metrics are important?
There can be disparities between a security tester's priority metrics regarding vulnerabilities and those of the wider organisation. So, which metrics are actually the most important?
A security tester's view of which metrics matter can be skewed. Testers usually focus on counts: how many high or medium risk vulnerabilities there are. Most mature organisations, however, are far more interested in mean time to detection and mean time to response than in the priority level of the vulnerabilities themselves.
Mean time to detection measures the gap between the inevitable introduction of a vulnerability into a system and its detection, and the aim is to make that gap as small as possible. Keeping it short is what allows a business to kick off the processes it should already have in place to triage, treat and manage vulnerabilities within that lifecycle.
This brings us on to mean time to response, which measures the time between a vulnerability being acknowledged and subsequently addressed. Addressed does not necessarily mean fixed: it can mean mitigated through a compensating control, or simply accepted as a known risk.
Regardless, what remains paramount is that organisations have a way of measuring whether they are capturing enough information, and whether they have the tools, processes and technologies needed to address the vulnerabilities they detect.
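To make the two metrics concrete, here is an added example (not from the original article) that computes MTTD and MTTR over a small set of constructed findings. It assumes each finding records when the vulnerable change went live, when it was detected, when triage acknowledged it and when it was addressed; as the text says, "addressed" includes mitigated and accepted, and still-open findings are kept out of the MTTR mean and shown as a backlog instead.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Per the text, "addressed" covers more than "fixed": a compensating
# control or a formal risk acceptance also stops the response clock.
ADDRESSED_STATES = {"fixed", "mitigated", "accepted"}

@dataclass
class Finding:
    vuln_id: str
    severity: str
    introduced: datetime              # when the vulnerable change went live
    detected: datetime                # when a test, scan or report first flagged it
    acknowledged: Optional[datetime]  # when triage confirmed it as real
    addressed: Optional[datetime]     # when it was fixed, mitigated or accepted
    state: str                        # "open", "fixed", "mitigated" or "accepted"

def _days(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 86400

def mttd_days(findings) -> Optional[float]:
    """Mean time to detection: introduced -> detected, over every detected finding."""
    gaps = [_days(f.detected, f.introduced) for f in findings]
    return mean(gaps) if gaps else None

def mttr_days(findings, severity: Optional[str] = None) -> Optional[float]:
    """Mean time to response: acknowledged -> addressed. Open findings are
    excluded so they cannot flatter the mean; they belong in the backlog view."""
    gaps = [_days(f.addressed, f.acknowledged) for f in findings
            if f.state in ADDRESSED_STATES and f.acknowledged and f.addressed
            and (severity is None or f.severity == severity)]
    return mean(gaps) if gaps else None

def open_backlog(findings, as_of: datetime):
    """What a raw severity count hides: how long each unaddressed finding
    has been sitting since it was acknowledged, in days."""
    return [(f.vuln_id, f.severity, _days(as_of, f.acknowledged))
            for f in findings if f.state not in ADDRESSED_STATES and f.acknowledged]

D = datetime.fromisoformat
# Constructed sample findings for illustration only (not real data).
SAMPLE = [
    Finding("V-1", "high",   D("2024-03-01"), D("2024-03-11"), D("2024-03-12"), D("2024-03-15"), "fixed"),
    Finding("V-2", "medium", D("2024-03-05"), D("2024-03-07"), D("2024-03-07"), D("2024-03-21"), "mitigated"),
    Finding("V-3", "high",   D("2024-02-20"), D("2024-03-10"), D("2024-03-10"), D("2024-03-11"), "accepted"),
    Finding("V-4", "low",    D("2024-03-12"), D("2024-03-13"), D("2024-03-13"), None,            "open"),
]

if __name__ == "__main__":
    print(f"MTTD: {mttd_days(SAMPLE):.1f} days")
    print(f"MTTR: {mttr_days(SAMPLE):.1f} days (high only: {mttr_days(SAMPLE, 'high'):.1f})")
    print("open backlog:", open_backlog(SAMPLE, D("2024-04-01")))
```

Note that V-3 counts as addressed after one day even though nothing was patched; that is exactly the distinction between "addressed" and "fixed" the article draws, and a dashboard should show the state alongside the mean.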