troubleshooting Question

security metrics from vulnerability assessments

Avatar of Pau Lo
Pau Lo asked on
VulnerabilitiesNetworkingOS SecuritySecurity
4 Comments2 Solutions197 ViewsLast Modified:
Our corporate network is subject to 6 monthly vulnerability scans from a certified 3rd party to meet a variety of security standards certifications. Our directors would like to see the security team responsible to do some metrics for performance management purposes to demonstrate that lessons are being learned from the findings, root causes addressed, and the number of issues raised decline each time the scans/assessments are complete.

I wondered if anyone else does this degree of analysis and what metrics do you use, is it as simple as number of risks logged in the assessors report, or are they broken down by category, e.g. password related issues, patch related issues, configuration related issues etc. etc. I totally get the idea that in theory if the scans/assessments just find the same types of risk each audit, then the root causes probably aren't being addressed - its just realistically what metrics are you using to demonstrate each time things have improved, lessons learned etc.
ASKER CERTIFIED SOLUTION
btanExec Consultant
Join our community to see this answer!
Unlock 2 Answers and 4 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 4 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros