Comparing our vuln management program to others

My boss has been on me to figure out a way to evaluate our vuln management program against other organizations. Is there a way to accomplish this? I am at a loss as to how to go about this.
For example, how do we (company A) measure up against someone else (company B)?
How does our Rapid7 average risk score (without adjustments) compare against others?

I feel like this will become a feature request, but that doesn’t help me now. Maybe there is some 3rd party website that does something like this? I haven’t found one yet.

Comparing is always a dangerous activity.

  • Individual asset real risk depends on contextual information, type of asset, place in the network, tags, etc.
  • Aggregated real risk depends on the size of your network, number of assets, etc.
  • Furthermore, your attack surface depends on your organization, size, activity, etc.
    Any effort to compare yourself with others would be time better spent on remediation and risk reduction.

I really want to echo the third bullet here. Obviously take into consideration the first two bullets and use them as your conversation with your boss.

We get these types of questions a lot from customers on engagements and @SCO is spot on. First of all, we can’t intentionally share the majority of that information without a lot of other legal red tape, I’m sure, but even if we could, there are entirely too many nuances to really compare one company to another.

Without getting too deep into career advice here, I would suggest having a candid conversation around the third bullet point on focusing efforts on work to reduce your overall risk.

Thanks for the feedback. These are the words I needed to help explain this.

