I am 75% confident your vulnerability management metrics are too complicated. I’m 75% confident because I’d need to see examples from about twice as many organizations than I’ve seen in order to be 95% confident. But I’ve probably seen 150 more samples than most people. But I have bad news for you. I’m 75% confident your vulnerability management metrics are too simplistic. How can you be both? Measuring the wrong things puts you in situations like that. So let’s talk about NIST’s recommended vulnerability management metrics, and how to more closely align with their recommendations.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.