4. Outcome-Based Metrics
Not all metrics are created equal. The best security operations centers use metrics that drive an adjustment, a change of behavior, or a reallocation of security resources, Thompson said. It is no longer sufficient to report the total count of identified vulnerabilities, because that number does not map to any outcome or adjustment. Instead, report the count of vulnerabilities that are net new since the last scan, those that are exempted because the risk has been accepted, and those that remain unresolved. Each of these categories has a different root cause and therefore requires a different path to resolution, Thompson said. A raw vulnerability count simply does not provide the information needed to change behavior in a way that improves the outcome.
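As an added illustration (this code is not from the article or from Thompson), the script below shows how the three outcome-based categories can be derived from two consecutive scan exports plus a risk-acceptance register. It assumes each scan is a list of (asset, vulnerability id, severity) records keyed by asset and vulnerability id; the asset names, `VULN-000x` identifiers and severities are constructed placeholders, not real findings.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]  # (asset, vulnerability id) uniquely identifies a finding


@dataclass(frozen=True)
class Finding:
    asset: str      # constructed hostname placeholder
    vuln_id: str    # constructed identifier placeholder (a real feed would carry a CVE or plugin id)
    severity: str


def finding_key(f: Finding) -> Key:
    return (f.asset, f.vuln_id)


def classify_findings(previous: Iterable[Finding],
                      current: Iterable[Finding],
                      risk_accepted: Iterable[Key]) -> Dict[str, List[Finding]]:
    """Split the current scan into the outcome-oriented buckets the text describes.

    - net_new:        present now, absent from the previous scan, not exempted
    - risk_accepted:  present now but covered by a recorded risk acceptance
    - unresolved:     present in both scans and not exempted (remediation is stalling)
    - resolved:       present in the previous scan but gone now (shown for completeness)
    A risk-accepted finding is exempted whether or not it was seen before, because
    re-raising an accepted risk every scan only generates noise.
    """
    previous = list(previous)
    current = list(current)
    prev_keys: Set[Key] = {finding_key(f) for f in previous}
    curr_keys: Set[Key] = {finding_key(f) for f in current}
    accepted: Set[Key] = set(risk_accepted)

    buckets: Dict[str, List[Finding]] = {
        "net_new": [], "risk_accepted": [], "unresolved": [], "resolved": []}
    for f in current:
        k = finding_key(f)
        if k in accepted:
            buckets["risk_accepted"].append(f)
        elif k in prev_keys:
            buckets["unresolved"].append(f)
        else:
            buckets["net_new"].append(f)
    buckets["resolved"] = [f for f in previous if finding_key(f) not in curr_keys]
    return buckets


def metric_counts(previous: Iterable[Finding],
                  current: Iterable[Finding],
                  risk_accepted: Iterable[Key]) -> Dict[str, int]:
    """The numbers that actually go on the dashboard: one count per root-cause bucket."""
    return {name: len(items)
            for name, items in classify_findings(previous, current, risk_accepted).items()}


# Constructed sample data: a previous scan, the current scan, and the acceptance register.
SAMPLE_PREVIOUS = [
    Finding("host-a", "VULN-0001", "high"),
    Finding("host-a", "VULN-0002", "medium"),   # fixed before the current scan
    Finding("host-b", "VULN-0003", "critical"),
]
SAMPLE_CURRENT = [
    Finding("host-a", "VULN-0001", "high"),     # still open: remediation path
    Finding("host-b", "VULN-0003", "critical"), # risk accepted: governance path
    Finding("host-c", "VULN-0004", "high"),     # net new: triage/intake path
    Finding("host-a", "VULN-0005", "low"),      # net new
]
SAMPLE_RISK_ACCEPTED: List[Key] = [("host-b", "VULN-0003")]

if __name__ == "__main__":
    for name, n in metric_counts(SAMPLE_PREVIOUS, SAMPLE_CURRENT, SAMPLE_RISK_ACCEPTED).items():
        print(f"{name:14s} {n}")
```

Each bucket maps to a different follow-up: net-new findings go to triage, unresolved ones to the owning team's remediation backlog, and risk-accepted ones to a periodic review of whether the acceptance is still justified, which is the behavioral linkage a plain total count cannot give.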