Prioritization to Prediction Measuring What Matters

What matters in vulnerability management (VM)? What enables some programs to achieve higher levels of performance and greater success than others? Is it what they say (e.g., policies) or the products and tools with which they play? Does everything hinge on what they do or how they do it? Is it all about what they know (or don’t know)? Or is Metallica right and all that really matters is trusting your team?

These are the kinds of questions we want to answer in this fourth volume of the Prioritization to Prediction (P2P) series. This report represents an analytical first for us and a rarity in the cybersecurity industry. We combine survey and observational data to test how internal VM program factors affect actual remediation performance measures. We hope this combo of “soft” and “hard” analysis yields valuable insights for vulnerability management programs.

If this is your first P2P experience, it’s fine to jump in now, and we’re glad to have you with us. But we recommend reviewing prior volumes at some point to get the most benefit from this research. In short, our ongoing goal in this series is to analyze tons of data to improve vulnerability management and ultimately reduce risk to organizations.
Let’s get started!