How do you measure progress in improving your security posture with Vulnerability Management? Being able to measure the effectiveness of the process and its participants is key to the programme’s success. Here are some points to consider …
Measure against Agreed Goals
It is unhelpful to agree the overall goal of your VM programme but measure it in a different way. The two must work together. Agree the goal and create the progress metrics that speak to the programme goals.
Report in Understandable Terms
You will lose part or most of your audience if you report on deeply technical progress markers. Not everyone is an IT Security person. Instead use terminology that is already understood by the business. Relate risks and solutions to how the business already reports in other areas. This helps both to state the relative risk of your findings and to provide the information within the existing working framework of the organisation.
Just because you have the data – restrain yourself from reporting on all of it. Choose the most pertinent data sets and prioritise them.
There is a serious danger of overwhelming your audience with too much information so put yourself in your audience’s shoes and think about what will be an effective message.
When things are going well, find a way to highlight it. The same old reports of X thousand vulnerabilities still present in the organisation miss the key contribution of those members of the programme who are making tangible improvements.
For example, why not include a key metric that shows the reduction in vulnerabilities by area (business, geography, platform or whatever works for you) before reporting on the overall posture of the estate? This presents the real and positive work of the programme and rewards those who deserve it.
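One way to produce such a per-area reduction metric, as an added illustration that is not part of the original article: two constructed scan snapshots (before and after a remediation cycle) are compared per area, the areas with the biggest improvement are listed first, and the estate total follows. Area names, asset names and vulnerability ids are made up.

```python
from collections import defaultdict

# Constructed sample data: two vulnerability-scan snapshots taken before and
# after a remediation cycle. Each record is (area, asset, vulnerability id);
# all identifiers are invented for illustration.
BEFORE = [
    ("EMEA", "web-01", "VULN-A"), ("EMEA", "web-01", "VULN-B"),
    ("EMEA", "web-02", "VULN-A"), ("EMEA", "db-01", "VULN-C"),
    ("APAC", "web-03", "VULN-A"), ("APAC", "web-03", "VULN-B"),
    ("AMER", "db-02", "VULN-C"),
]
AFTER = [
    ("EMEA", "web-01", "VULN-B"),   # VULN-A fixed on both EMEA web hosts
    ("EMEA", "db-01", "VULN-C"),
    ("APAC", "web-03", "VULN-A"), ("APAC", "web-03", "VULN-B"),
    ("APAC", "web-04", "VULN-D"),   # new host brought a new finding
    ("LATAM", "app-01", "VULN-E"),  # area absent from the first snapshot
]

def count_by_area(findings):
    counts = defaultdict(int)
    for area, _asset, _vuln in findings:
        counts[area] += 1
    return dict(counts)

def reduction_by_area(before, after):
    """Return rows (area, before, after, removed, pct_reduction), best first.

    pct_reduction is None when an area had no findings in the first snapshot:
    there is nothing to reduce from, so neither a division by zero nor a
    misleading 0% is reported.
    """
    b, a = count_by_area(before), count_by_area(after)
    rows = []
    for area in sorted(set(b) | set(a)):
        nb, na = b.get(area, 0), a.get(area, 0)
        pct = round(100.0 * (nb - na) / nb, 1) if nb else None
        rows.append((area, nb, na, nb - na, pct))
    # Largest percentage reduction first; areas without a baseline go last so
    # genuine improvements lead the report.
    rows.sort(key=lambda r: (r[4] is None, -(r[4] or 0)))
    return rows

def overall(before, after):
    """Estate-wide totals, reported after the per-area view."""
    return len(before), len(after)

if __name__ == "__main__":
    for area, nb, na, removed, pct in reduction_by_area(BEFORE, AFTER):
        shown = f"{pct}%" if pct is not None else "n/a (no baseline)"
        print(f"{area:6} {nb:>3} -> {na:>3}  removed {removed:>3}  {shown}")
    print("Estate total: %d -> %d" % overall(BEFORE, AFTER))
```

An area whose count went up (APAC here) still appears, so the positive framing does not hide regressions.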