Security Exceptions Metrics

About

This document outlines good starting metrics to measure the effectiveness and operations of your security exceptions program.

# of open security exceptions

This metric counts the security exceptions that are currently open, giving visibility into delays in remediation or risk treatment. Tracked over time, it highlights unsustainable backlog growth, a lack of prioritization in addressing risk, and shifts in risk tolerance.

# of security exceptions expiring

This metric counts open exceptions whose agreed resolution date falls within an upcoming window (for example, the next 30 days). It indicates the amount of 'risk debt' coming due for risk owners, typically in product, IT, operations, and engineering teams, and gives senior technology leadership the data to understand each issue and prioritize reducing the debt.

# of expired security exceptions without risk treatment

This metric highlights risks that have passed the resolution date agreed by the risk owner and approver without any risk treatment in place (a remediation plan, a renewed exception, or a formal risk acceptance). It exposes a lack of follow-up, whether issues were never worked, remediation slipped, or nobody kept the issue visible. When presenting this metric, be prepared to discuss the current state of each issue, collaborate with risk owners to develop remediation plans, and escalate as needed.

Additional Metrics

# of open security exceptions by status

This metric breaks down all open security exceptions by their workflow status. It is the program owner's day-to-day view of what is outstanding and where each item is stuck.

Example statuses

  • Needs treatment plan
  • Needs risk acceptance
  • Expiring
  • Expired

Average time to initial review

This metric measures the time between when an exception is filed and when it receives its first review by the security team. It helps identify operational slowdowns in the intake process and shows whether reviews are completed within any internally defined SLA; the exceptions still waiting for a first review should be reported alongside the average.

Exceptions by severity level

This metric breaks open exceptions down by the severity of the underlying issue. It shows how often critical or high-risk findings are being excepted rather than remediated, which is the subset that deserves the most scrutiny when the exception process is reviewed.

Risk extension vs risk acceptance

This metric compares exceptions that extend a remediation deadline (the issue will still be fixed, later) against exceptions that formally accept the risk (the issue will not be fixed). Tracking the split month over month shows whether the program is mostly buying time or mostly absorbing risk permanently.

Security exceptions vs risks as a %

This metric is the percentage of all unresolved vulnerabilities or risks that are covered by a security exception. Combined with a maximum-percentage target, it guards against risks being "delayed" or "ignored" through the exception process beyond an agreed threshold. The target will depend on your company's risk tolerance and culture.
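All of the metrics above are simple computations over the exception register. The following Python script is an added example, not code from Sectemplates, that computes each of them from a constructed set of exception records. The record layout, the sample data, the 30-day expiring window, the 5-day review SLA and the 10% exception-ratio target are assumptions chosen for the example, not values taken from this page.

```python
# Added example: compute the security-exception metrics above from a register.
# Record layout, sample data, 30-day window, 5-day SLA and 10% target are assumptions.
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

@dataclass
class SecurityException:
    """One exception record (assumed field names, not a Sectemplates schema)."""
    id: str
    kind: str                  # "extension" (deadline pushed out) or "acceptance" (risk accepted)
    severity: str              # severity of the underlying finding
    filed: date                # when the requester opened the exception
    reviewed: Optional[date]   # first review by the security team; None if still waiting
    expires: date              # agreed resolution / re-review date
    closed: bool = False       # issue remediated or exception withdrawn
    has_treatment_plan: bool = False  # a remediation plan is documented
    risk_accepted: bool = False       # risk owner and approver signed the acceptance

TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible
# Constructed sample register (not real data).
SAMPLE = [
    SecurityException("EX-1", "extension", "critical", date(2024, 3, 1), date(2024, 3, 3),
                      date(2024, 5, 1), has_treatment_plan=True, risk_accepted=True),  # expired, treated
    SecurityException("EX-2", "extension", "high", date(2024, 3, 10), date(2024, 3, 20),
                      date(2024, 5, 15)),                                              # expired, untreated
    SecurityException("EX-3", "acceptance", "medium", date(2024, 4, 1), date(2024, 4, 2),
                      date(2024, 6, 20), has_treatment_plan=True),                     # expiring, not yet accepted
    SecurityException("EX-4", "extension", "low", date(2024, 5, 20), None,
                      date(2024, 12, 1)),                                              # filed, not yet reviewed
    SecurityException("EX-5", "extension", "high", date(2024, 1, 5), date(2024, 1, 6),
                      date(2024, 3, 1), closed=True, has_treatment_plan=True),         # remediated and closed
]

def open_exceptions(excs):
    return [e for e in excs if not e.closed]

def expiring(excs, today=TODAY, window_days=30):
    """Open exceptions whose resolution date falls inside the look-ahead window."""
    end = today + timedelta(days=window_days)
    return [e for e in open_exceptions(excs) if today <= e.expires <= end]

def expired_without_treatment(excs, today=TODAY):
    """Past the agreed date with neither a remediation plan nor a signed acceptance."""
    return [e for e in open_exceptions(excs)
            if e.expires < today and not (e.has_treatment_plan or e.risk_accepted)]

def status(e, today=TODAY, window_days=30):
    """Derive a workflow status; the order matters (expired outranks missing paperwork)."""
    if e.closed:
        return "Closed"
    if e.expires < today:
        return "Expired"
    if e.expires <= today + timedelta(days=window_days):
        return "Expiring"
    if not e.has_treatment_plan:
        return "Needs treatment plan"
    if not e.risk_accepted:
        return "Needs risk acceptance"
    return "Approved"

def by_status(excs, today=TODAY):
    return Counter(status(e, today) for e in open_exceptions(excs))

def review_metrics(excs, sla_days=5):
    """Average days from filing to first review, plus SLA breaches and the unreviewed queue."""
    reviewed = [e for e in excs if e.reviewed is not None]
    days = [(e.reviewed - e.filed).days for e in reviewed]
    return {
        "avg_days": mean(days) if days else None,
        "sla_breaches": [e.id for e in reviewed if (e.reviewed - e.filed).days > sla_days],
        "awaiting_review": [e.id for e in excs if e.reviewed is None],
    }

def by_severity(excs):
    return Counter(e.severity for e in open_exceptions(excs))

def extension_vs_acceptance(excs):
    return Counter(e.kind for e in open_exceptions(excs))

def exception_ratio(excs, total_unresolved_risks, max_pct=10.0):
    """Share of all unresolved risks that sit behind an exception, checked against a ceiling."""
    n = len(open_exceptions(excs))
    pct = 100.0 * n / total_unresolved_risks if total_unresolved_risks else 0.0
    return {"pct": round(pct, 1), "within_target": pct <= max_pct}

if __name__ == "__main__":
    print("by status:", dict(by_status(SAMPLE)))
    print("expired without treatment:", [e.id for e in expired_without_treatment(SAMPLE)])
    print("review:", review_metrics(SAMPLE), "ratio:", exception_ratio(SAMPLE, 50))
```

The status derivation is deliberately ordered: an exception that has already expired is reported as "Expired" even if it also lacks a treatment plan, so the most urgent condition wins and the "Expired" count in the status breakdown matches the standalone expired metric. The review-time metric includes closed exceptions, since the intake SLA applies regardless of how the exception later ended, and it lists the still-unreviewed queue separately because those items would otherwise be invisible in an average.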

Metrics version 1.0 copied from Sectemplates.com 2024