The 20 Worst Metrics in CybersecuritySecurity leaders are increasingly making their case through metrics, as well they should - as long as they're not one of these.
Days To Patch
Says Menachem Shafran, vice president of product at XM Cyber: "In many organizations, this is a very basic and common metric. This is because it is easy to get from a vulnerability scanner. Most organizations track how long it takes them to patch vulnerabilities, either in general or, in better cases, divided to CVSS risk score and assets groups. The problem with this metric is it doesn't really reflect your current risk. You might have in your environment vulnerabilities that have a low score and are on noncritical assets yet could help adversaries gain access to more important assets."
(Image: Sergei Fedulov via Adobe Stock)
Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio
16 of 21