11 Patching Metrics Senior Leadership Needs to Know

Everyone loves numbers. Numbers tell an objective story. They allow you to track trends over time so that you can determine whether you’re improving or not. However, not all numbers are equally meaningful. 

As a member of the senior leadership team, you need to provide metrics that validate your security program’s effectiveness. As attackers continue to exploit known and unknown vulnerabilities, you need a vulnerability management program that efficiently applies patches so that you can protect your systems and networks. 

By understanding the different patching metrics, senior leadership can choose the metrics that provide their organization the most value. 

What does patch management mean?

Patch management is the systematic process of revising software, system, and operating system code to remediate a security vulnerability.

Patch management tools automate identification, distribution, and reporting of software patches by:

  • Scanning for vulnerabilities
  • Providing information about needed patches
  • Allowing administrators to decide on patching implementation processes

Since installing a patch update can lead to system or service downtime, you need a patch management policy that defines how you will review potential impact before applying and deploying the updates.

What is patching cadence?

Patching cadence is the time it takes an organization to test and deploy a security update.  

Patching cadence best practices focus on a vulnerability’s severity. Some examples of timelines include:

  • As soon as possible for critical and high-severity vulnerabilities
  • 30-45 days, at most, for medium-severity vulnerabilities
  • 45-90 days, at most, for low-severity vulnerabilities

What are the three types of patches?

Although three categories of patches exist, they often overlap. From a security perspective, you should prioritize critical and high-severity security patches that protect you from attackers who want to use vulnerabilities during an attack. 


These code updates eliminate exploitable security weaknesses. You need to prioritize the deployment based on their severity and the threat they pose to your environment. 

Bug Fixes

These patches repair operational errors that can impact user operational efficiency. Their severity depends on their ability to reduce workforce productivity and the amount of time the IT department spends responding to people’s questions. 

Performance and Features

Typically, these updates provide value to end-users by making an application easier to use or enabling it to run faster. They provide value when they enhance user productivity. 

What is the patch management life cycle?

The patch management lifecycle consists of the following five stages:

  • Identification: inventorying and categorizing assets based on how important they are to business operations
  • Acquisition: setting configuration baselines and determining which patches to deploy
  • Testing: using a lab environment to test patches and running a pilot on a sample set of devices
  • Deployment: planning the rollout, confirming installation, reviewing for systems missing patches
  • Documentation: documenting patching activities, vulnerability assessments, test results, and deployments
patching metrics new assets

11 patching metrics to know

When looking at patch management through the lens of security, you’re really looking at your vulnerability management program. 

  1. Patching Cadence

Patching cadence is a primary patching metric because it tells you how quickly you were able to apply updates. For example, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-40r4 explains that you track your patching cadence by asset importance and vulnerability severity, detailing:

  • Percentage patched by deadline
  • Average time it takes to patch
  • Median time it takes to patch
patching metrics percentage patched
  1. Number of Open High-Risk Vulnerabilities

When you track the number of open high-risk cybersecurity vulnerabilities, you know how well your team is monitoring vendor updates. Often, these vulnerabilities are newly discovered, and attackers are actively exploiting them. A vendor may take a few days to put out the patch, so you need to know whether your team is acting as quickly as possible. 

patching metrics unpatched vulnerabilities
patching metrics risk
  1. Vulnerability Reopen Rate

This patching metric provides visibility into vulnerability remediation and resolution. A higher reopen rate means more flaws in your resolution processes. 

  1. System Hardening

Your system hardening metric provides visibility into your overarching configuration management program. It provides information about your ability to define and maintain security baselines for:

  • Applications
  • Network devices
  • Operating systems
  1. Data Scan Coverage

This metric gives insight into your vulnerability management program’s comprehensiveness. The more assets that you can scan, the more vulnerability information you have. You want to be as complete as possible. 

patching metrics vulnerability scanner
  1. Time to Detect

When you’re talking about patch management, time to detect is the time between a vulnerability’s publish date and when you find it in your systems. The longer it takes you to detect the vulnerability, the more time attackers have to exploit it.

  1. Time to Turnaround a Patch

This patching metric enables you to track your patch management program’s efficiency because it tells you how long it takes to test a patch and deploy it across your environment. As you iterate your program, you should be able to implement the patches faster. 

  1. Number of Exceptions Granted

In some cases, you may decide not to patch a vulnerability. For example, in an operational technology (OT) environment, you may have an end-of-life device that can’t be updated. You need to document and track these to prove governance. 

  1. Time to Resolution

If you decide to grant an exception, you still need to mitigate the risk. The time to resolution tells you how long it takes your team to resolve the vulnerability which can be putting additional controls around the asset. 

  1. Risk by Business Unit or Asset Group

Using this patching metric allows you to prioritize your vulnerability management processes

patching metrics risk by business unit or asset group

For example, a critical asset with a vulnerability poses a higher data breach and business impact risk. 

patching metrics risk by business unit or asset group

To create a robust KPI, you need to correlate data that includes:

  • Cost of a data breach
  • Impact to operations
  • Distance from the internet
patching metrics risk by business unit or asset group
patching metrics risk by business unit or asset group
  1. Unmanaged Devices on Internal Networks

User-owned devices connected to your internal networks create a patch management risk because you can’t force people to install updates. To mitigate risk, you should prevent these devices from accessing your networks and monitor the number. 

KeyCaliber: At-a-Glance Visibility into Vulnerability and Patch Management

KeyCaliber’s platform provides the quantitative data you need to gain full visibility into your vulnerability and patch management programs. Our platform uses the Factor Analysis of Information Risk (FAIRTM) methodology so that you can define your risk tolerance using actuarial data breach information to define critical assets efficiently and effectively. 

Using KeyCaliber, you can prioritize your patch management program around the assets most important to your business operations and security initiatives. Our easy-to-read visualizations give you the high-level visibility you need to determine whether your patch and vulnerability management programs are achieving your security objectives. Meanwhile, vulnerability and patch management teams can dive deeper into the data to get the technical information they need. 

For more information about how KeyCaliber enables your security program reporting, contact us today.