Security and remediation - what metrics should you be using?

Image by Dirk Wouters from Pixabay

Fixing problems is essential to keep systems secure. We all know that fast patching stops attackers from exploiting new vulnerabilities, and implementing best practices stops issues before they start. But how can we transfer these approaches into messy reality and make these ideals stick? We must look at the metrics we use to measure success, as these will drive behaviour.

The typical metric for patching is Mean Time To Remediate (MTTR). It covers the average time between a patch being announced and being implemented in production. It shows how quickly you can implement new updates. However, it does not provide the level of detail that you need.

MTTR does not discriminate between critical issues and standard updates that are unlikely to be targeted. It also does not show how difficult it is to complete certain deployments. These can involve multiple patches, configuration changes or registry edits required to solve one issue. It does not provide insight into where the team makes efforts to reduce risks through other steps like mitigating potential attacks before a patch deployment.

To provide better data on this to your team and your senior leadership team, break the patching process into phases. Getting more accurate data on how long it takes to put patches in place provides more insight into your processes and how well you manage risk.

What to measure around patching

Patching consists of four steps – detection, prioritisation, communication and remediation. Tracking performance in all these steps shows where you can make improvements. Other metrics, alongside MTTR, include:

  • Mean Time To Detect (MTTD)
  • Mean Time to Prioritise (MTTP)
  • Mean Time To Communicate (MTTC)

Mean Time To Detect is another traditional measure for security programmes. It covers how quickly your team can find and report on any potential issues present in your environment. A good example of this is Patch Tuesday. How quickly can you take new issues published on this day, find them within your systems and produce an accurate, up-to-date list for remediation planning?

risk-over-time – (c) Qualys

MTTD tells you how long the preparation around patching takes before the remediation process itself starts. If your MTTD is too long, you can make the case to improve your detection methods. As an example, many organisations still carry out vulnerability scans on a fixed cadence. Ideally, you should automate this process so it runs continuously. With agents and automation, you can get near real-time detection and maintain an accurate, up-to-date asset inventory.

MTTP is key to setting your priorities

The result can often be hundreds of issues to fix and an existing backlog of change requests. You have to prioritise. Our TruRisk Research report looks at 25,228 software vulnerability issues assigned a Common Vulnerabilities and Exposures entry. Of these, 7,786 vulnerabilities had potential exploits available. Yet only 159 had weaponised exploit code created. Only 93 were actually exploited by malware.

Understanding which issues represent serious risks helps you prioritise your remediation efforts. What represents a critical risk to you might be insignificant to other companies and vice versa. This is due to your deployment approach, mitigation strategies and business operations.

Tracking your MTTP shows you how quickly you can go through that list of vulnerabilities and misconfigurations and decide which are critical to fix. A fast MTTP process demonstrates that you have an efficient method to rate priorities and assign them for follow-up.

Communication to improve performance

In many organisations, IT security won’t be responsible for implementing patches. It will be managed by IT service management teams, desktop management or IT operations staff with their own goals and priorities.

Clarifying this process can show where relationships work well and where more collaboration or support from senior leadership is needed. MTTC should show a smooth transition from vulnerability detection and response planning to collaboration around deployment.

If your MTTC is high, it is normally due to differing priorities between teams or requirements to verify deployments before rolling patches out more widely. Senior leadership will need to back remediation efforts, remove roadblocks, and ensure that service level agreements do not conflict. Using MTTC, you can align multiple teams around the right incentives so everyone works toward the same goals.
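The four phase metrics above (MTTD, MTTP, MTTC and MTTR), computed from per-finding timestamps and then split by severity so that the critical-versus-standard distinction a single MTTR hides becomes visible. This is an added example, not code from the article or from Qualys; the `Finding` structure, the sample timestamps and the "sample-N" identifiers are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    """One vulnerability moving through the four phases in the article.
    Hypothetical structure; not a Qualys data model."""
    finding_id: str
    severity: str                   # "critical" or "standard"
    published: datetime             # advisory released (e.g. Patch Tuesday)
    detected: datetime              # confirmed present in your inventory
    prioritised: datetime           # risk rated, owner assigned
    communicated: datetime          # handed to the team that deploys
    remediated: Optional[datetime]  # live in production, or None if open

def hours(start, end):
    return (end - start).total_seconds() / 3600

def phase_metrics(findings):
    """Mean hours per phase. Open findings count towards MTTD/MTTP/MTTC but
    are left out of MTTR (and counted) rather than silently shortening it."""
    closed = [f for f in findings if f.remediated is not None]
    return {
        "MTTD": mean(hours(f.published, f.detected) for f in findings),
        "MTTP": mean(hours(f.detected, f.prioritised) for f in findings),
        "MTTC": mean(hours(f.prioritised, f.communicated) for f in findings),
        "MTTR": mean(hours(f.published, f.remediated) for f in closed) if closed else None,
        "open": len(findings) - len(closed),
    }

def metrics_by_severity(findings):
    """Same metrics split by severity class, the view a single MTTR hides."""
    return {sev: phase_metrics([f for f in findings if f.severity == sev])
            for sev in sorted({f.severity for f in findings})}

# Constructed sample: one advisory release date, three findings from it.
PT = datetime(2024, 1, 9, 18)
SAMPLE = [
    Finding("sample-1", "critical", PT, datetime(2024, 1, 9, 20),
            datetime(2024, 1, 10, 8), datetime(2024, 1, 10, 10), datetime(2024, 1, 12, 18)),
    Finding("sample-2", "standard", PT, datetime(2024, 1, 11, 18),
            datetime(2024, 1, 12, 18), datetime(2024, 1, 15, 18), datetime(2024, 2, 8, 18)),
    Finding("sample-3", "critical", PT, datetime(2024, 1, 9, 22),
            datetime(2024, 1, 10, 6), datetime(2024, 1, 10, 12), None),
]

if __name__ == "__main__":
    print("overall:", phase_metrics(SAMPLE))
    for sev, m in metrics_by_severity(SAMPLE).items():
        print(sev + ":", m)
```

On the sample data the overall MTTR is 396 hours, while the critical finding that closed took 72 hours and the standard one 720, which is exactly the spread the blended figure obscures.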

Improving your approach

Creating and comparing data for patching performance demonstrates where your efforts are going and where you may need more support. When you have a high-risk security issue in a mission-critical application, you want the board to know that you have taken steps to prevent attacks, even if a patch will take time to deploy.

Tracking your detection, prioritisation, communication and remediation processes will show the results that you deliver and how well your team performs. The data demonstrates how effectively you manage risk to the business and how you collaborate to remove potential problems. By getting metrics in place, you can show security's value over time.


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions with over 19,000 active customers in more than 130 countries, including a majority of each of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and consolidate their security and compliance solutions in a single platform and build security into digital transformation initiatives for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform and its integrated Cloud Apps deliver businesses critical security intelligence continuously, enabling them to automate the full spectrum of auditing, compliance, and protection for IT systems and web applications across on premises, endpoints, cloud, containers, and mobile environments. Founded in 1999 as one of the first SaaS security companies, Qualys has established strategic partnerships with leading cloud providers like Amazon Web Services, Microsoft Azure and the Google Cloud Platform, and managed service providers and consulting organizations including Accenture, BT, Cognizant Technology Solutions, Deutsche Telekom, DXC Technology, Fujitsu, HCL Technologies, IBM, Infosys, NTT, Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a founding member of the Cloud Security Alliance. For more information, please visit
