How to Measure the Performance of your Vulnerability Management Team

It can be incredibly difficult to incentivise and measure performance in cybersecurity teams. But if you want to retain your top talent, finding an appraisal method is crucial.  At RankedRight, we believe that your cybersecurity team possesses the greatest insight into your business and can therefore make the smartest decisions regarding prioritisation of vulnerabilities. This is why we want to do all we can to keep them working hard for you. This article will provide some simple options for setting objectives to manage and reward performance.

Firstly, let’s look at the problem.

Why is vulnerability management performance so difficult to assess?

To best answer this, let’s compare it to the work of a sales team. They need to make as many sales as possible and the higher the value of the sale, the better. You can set financial targets for them to meet, compare employees’ figures at the end of a quarter and reward those who met the targets and came out top. Simple.

In vulnerability management, it doesn’t work to measure performance by number of vulnerabilities patched. This is because vulnerabilities can differ in a multitude of ways: how quickly it can be patched; if it’s an accepted risk or not; how readily available the solutions are for addressing it; how critical it is to the business; who has the skills to deal with it, etc.

As we mentioned in our ‘Ultimate Guide to Vulnerability Prioritisation’, if you measured by volume of vulnerabilities patched, a team could go for all the quick and easy ones (which you may find are the ones that are least likely to cause a material impact if exploited) and that wouldn’t necessarily mean the business was any better protected from attack.  

In vulnerability management, good performance comes down to tackling the vulnerabilities that are both most likely to affect your business and will have the biggest impact. In other words, delivering the best protection for your business. So how do you measure this?

Surely no sign of a breach for a long period of time proves your company is protected, right? Wrong. According to research from IBM, the average time to identify a breach in 2020 was 228 days so you may be under attack right now and not know it yet.  Additionally, there is no guarantee that a vulnerability that causes a breach actually has been identified by your scanner, so your team wouldn’t be aware there was an issue to address.

Before we go into the measures, we recommend ensuring you give your team all of the tools and support they need to perform at their best. This means access to:

• A properly tuned scanner that has minimal false positives
• Regular training to hone their skills and knowledge
• Plus access to industry experts or mentors to provide additional guidance where needed
• Subscriptions to industry insight and other media
• Time within their working hours to invest in keeping on top of new threats being identified
• A triage tool that will take away the highly time-consuming task of vulnerability prioritisation so they can spend more of their time on what they’ll be measured on. Book a demo with us here to see how it works.

If you have all of these in place, then your team is equipped to give their all and they deserve a fit-for-purpose appraisal method in return.

Performance measure 1: Proof of insight, expertise and abilities

Split an employee’s performance into three measures (below) and let them prove their efforts on each as follows:

• Knowledge and Growth
• Give them each a dashboard on which they can record weekly/fortnightly the efforts they have taken to maintain or further their knowledge and skills.
• Responsiveness and Decision-making
• At the end of each week, ask them to report how quickly they dealt with vulnerabilities, as well as the thought process they went through to prioritise and tackle.
• Team player
• Ask the team to share instances where a colleague has helped with an issue or has supported them in their development

Performance measure 2: Self-Scoring

To empower your team and make use of their extensive knowledge and understanding of where the greatest risks are, involve them in creating a system to measure performance. Run an exercise whereby you and the team collaborate to set scores for patching different vulnerabilities, as well as demonstrating good decision making (i.e. whether to accept, patch or remediate a particular vulnerability). For example, the most critical (as determined by your triage activity) would get a higher score, as would those that are more difficult or take longer to address.

You’d keep track of the points as they were awarded and factor in the seniority and experience of individuals when appraising the scores.

As with the first measure, you’d give the individual plenty of opportunity to record comments on their activity, perhaps where they felt the scoring didn’t reflect the effort put in on a particular activity.

Performance measure 3: SLA driven

Set your team’s objectives by aligning them to the business’ SLAs. These would look at factors such as:

• Clear indexing of vulnerabilities in terms of criticality from high to low
• The amount of time a vulnerability took to be resolved from the point of identification
• Continual monitoring of accepted risks
• Reduction of deferred risk

If starting from scratch, decide on a number of KPIs to monitor with an expectation set ahead of time that there will be constant improvement, if no improvement is identified, then this is a performance issue that needs to be addressed.

These are just some of our recommendations for creating motivated and hard-working teams but if your business uses another model which you think works well, we’d really like to hear about it. If we add it here, we’ll keep you and your company anonymous if required. Please get in touch.

And if you want more insight on how we can help with your performance management and personal development, read our guide here.