Vulnerabilities in popular consumer and enterprise routers have doubled since 2011

A new study reveals vulnerability rates are not decreasing in our connected devices -- far from it.


Many vulnerability risk management (VRM) solutions are limited and fail to provide meaningful metrics about the health of your VRM program. One example is the use of counting metrics, such as the number of vulnerabilities identified in your organization. Counting stats don't have any real value because they fail to provide context. These vulnerabilities could very well be on a single system air-gapped in a basement, protected by sharks with laser beams. Say you do have 50,000 high and critical vulnerabilities -- without understanding the number of systems these are spread across, you can't tell whether you are in great shape or should spend the weekend getting caught up on patching.

In my upcoming Forrester Wave evaluation on the VRM space, I challenged each vendor to demonstrate the ability to provide the following metrics, and you should, too! Ideally, a solution should not only generate these metrics for you but also let you view and organize them by line of business or remediation responsibility, so you can identify specific areas within your organization that need improvement.

SLA Adherence

How good are you at patching systems within service-level agreements (SLAs)? This is by far my favorite metric for tracking the health of a VRM capability because it is the truest measure of the health of your VRM program. Start simple and track this for high and critical vulnerabilities within your organization. Large organizations should consider tracking
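
An added example (not from the article or any VRM product) of computing SLA adherence for high and critical findings per line of business, with the number of systems involved reported alongside the counts. The SLA windows, the sample findings, and the rule that open findings still inside their window are left out of the ratio are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumed SLA windows in days (not from the article); set these from your own policy.
SLA_DAYS = {"critical": 15, "high": 30}

# Constructed sample findings: (line of business, host, severity, detected, remediated or None).
FINDINGS = [
    ("retail",  "web-01", "critical", date(2024, 1, 2),  date(2024, 1, 10)),
    ("retail",  "web-01", "high",     date(2024, 1, 2),  date(2024, 2, 20)),
    ("retail",  "web-02", "high",     date(2024, 1, 5),  date(2024, 1, 25)),
    ("finance", "db-01",  "critical", date(2024, 1, 3),  None),
    ("finance", "db-01",  "high",     date(2024, 1, 3),  date(2024, 1, 20)),
    ("finance", "db-02",  "critical", date(2024, 2, 25), None),
    ("finance", "db-02",  "medium",   date(2024, 1, 3),  None),
]

def sla_adherence(findings, as_of):
    """Return {line_of_business: stats} for findings whose SLA outcome is known."""
    stats = defaultdict(lambda: {"met": 0, "missed": 0, "hosts": set()})
    for lob, host, severity, detected, remediated in findings:
        window = SLA_DAYS.get(severity)
        if window is None:
            continue  # start simple: only high and critical are tracked
        age = ((remediated or as_of) - detected).days
        if remediated is None and age <= window:
            continue  # still open but not yet due: neither met nor missed
        outcome = "met" if remediated is not None and age <= window else "missed"
        stats[lob][outcome] += 1
        stats[lob]["hosts"].add(host)
    report = {}
    for lob, s in stats.items():
        total = s["met"] + s["missed"]
        report[lob] = {
            "met": s["met"],
            "missed": s["missed"],
            "systems": len(s["hosts"]),
            "adherence_pct": round(100 * s["met"] / total, 1),
        }
    return report

if __name__ == "__main__":
    for lob, row in sorted(sla_adherence(FINDINGS, date(2024, 3, 1)).items()):
        print(lob, row)
```

An open finding past its window counts as a miss even though it has no remediation date, so the figure cannot be improved by leaving overdue items unresolved.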
