Vulnerability Management CISO dashboard

  • Release version: Xanadu
  • Updated August 1, 2024
  • 7 minutes to read

    • With the Vulnerability Management CISO dashboard, view data such as Key Performance Metrics (KPIs) for vulnerability remediation, see the highest risks, verify scan coverage, and learn how to lower risks.

    Required ServiceNow AI Platform roles

    • sn_vul.vulnerability_ciso to view the dashboard.
    • sn_vul.ciso_write to edit the dashboard.

    Activating the CISO dashboard

    To activate the CISO dashboard, you must install Performance Analytics for Vulnerability Response and activate the corresponding Performance Analytics job. For more information, see Analytics and Reporting Solutions for Vulnerability Response.

    Use cases

    User Dashboard use
    Chief Information Security Officers (CISOs) Chief Information Security Officers (CISOs) can use the CISO dashboard to gain insight into the vulnerability management program for their organizations.

    The dashboard provides data to help them identify data at-a-glance how they can use to lower the vulnerabilities to their environments.

    Using the CISO dashboard

    Executive users, like the Chief Information Security Officers (CISOs) in your organization, can view the CISO dashboard for Vulnerability Response to understand how effective their vulnerability management program is. You can view the CISO dashboard by navigating to Vulnerability Response > CISO Dashboard. Use the top-level filters to filter reports by Risk Rating, Age Range, or Internet Facing. Some reports display trending data over a period of time. You can view how the important metrics are trending on a regular basis, analyze the overall business security risk, and identify the areas that need improvement.

    Starting with version 19.0 of Vulnerability Response, this dashboard can also be viewed in the New Experience UI. To view the dashboard in the new UI, navigate to Workspaces > Vulnerability Manager Workspace and click the Dashboards icon. Depending on your role, the default dashboard is displayed. To view other dashboards, click the drop-down next to the dashboard name. For more information, see Dashboards in the Vulnerability Manager Workspace and Dashboards in the IT Remediation Workspace.
    Note:
    If you are on Tokyo, you can view the dashboards in the Next Experience UI but with some functional loss.

    Running the scheduled jobs

    Run the scheduled jobs in this order to update the data in the reports:
    1. Update dashboard tables
    2. [PA VR] CISO Dashboard
    Table 1. Scheduled jobs for CISO dashboard
    Scheduled job name Description
    Update dashboard tables Daily scheduled job that you must run before the [PA VR] CISO Dashboard job so that you can collect the CISO data. By running this scheduled job, you update the Scan Coverage reports.

    The information updated includes the operational configuration items (CIs) that are scanned in the last 90 days, their classes, and the total number of operational CIs that correspond to these classes. Running this scheduled job updates the reports in the Recommended Actions tab as well.

    Note:
    Operational CIs refer to the CIs that have an operational status as Operational.
    [PA VR] CISO Dashboard After the Update dashboard tables scheduled job is complete, run this scheduled job to populate all the reports in the CISO Overview tab.

    CISO dashboard tabs

    This dashboard provides an insight into the risks present in Vulnerability Management. You can view vulnerabilities and their related data by region, age, services, and other breakdowns.

    Figure 1. Overview tab

    The Overview tab contains reports that provide the security posture of your organization at a glance.

    CISO overview tab

    Note:
    The top-level filter can only be used for some reports.
    Figure 2. Recommended Actions tab

    The Recommended Actions tab contains reports that provide insights into exploitable, aging, and prevalent vulnerabilities. It also contains solutions that recommend actions to reduce the risks. Run the Update CISO dashboard tables scheduled job to update the reports in this tab.

    CISO recommended actions tab

    Indicators

    To view the indicators, navigate to Performance Analytics > Indicators.
    1. On the Indicators page, search for the required indicator name in the Name column.
    2. Click the indicator name to open the record and view its details.

      The indicators for the CISO dashboard do not collect records by default. You can choose to collect records by selecting the Collect records check box.

    Total Duration of Closed Vulnerable Items
    Total Duration of Closed VIs is measured daily as Days. The goal of this indicator is to minimize the score.
    Scannable Assets
    Scanned Assets is measured daily as unit #. The goal of this indicator is to maximize the score.
    Services with Most Vulnerabilities
    Services with Most Vulnerabilities is measured daily as unit #. The goal of this indicator is to minimize the score.
    Average Vulnerabilities per Asset
    [[Active Vulnerable Items]] / [[Active Vulnerable Configuration Items]
    Closed Vulnerable Items
    Closed Vulnerable Items is measured daily as unit #. The goal of this indicator is to maximize the score.
    Vulnerable Items Mean Time to Remediate
    [[Summed Duration of Closed Vulnerable Items]] / [[Closed Vulnerable Items]]
    Current Scan Coverage
    Calculates the current scan coverage as percentage.
    Scanned Assets
    Scanned Assets is measured daily as unit #. The goal of this indicator is to maximize the score.
    Closed Vulnerable Items (Target Met)
    Closed Vulnerable Items (Target Met) is measured daily as unit #. The goal of this indicator is to maximize the score.
    % of Closed Vulnerable Items that Met Target
    [[Closed Vulnerable Items (Target Met) / By month SUM]] / [[Closed Vulnerable Items / By month SUM]] *100
    Active Vulnerable Items
    Active Vulnerable Items is measured daily as unit #. The goal of this indicator is to minimize the score.
    Average Age of Vulnerable Items
    Average Age of Active VIs is measured daily as unit Days. The goal of this indicator is to minimize the score.
    Active Vulnerable Configuration Items
    Active Vulnerable CIs is measured daily as unit #. The goal of this indicator is to minimize the score.
    Monthly Remediation Efficiency
    [Number of vulnerable items closed during a month] / [Number of new or reopened vulnerable items in the same month]
    New Vulnerable Items
    New Vulnerable Items is measured daily as unit #. The goal of this indicator is to minimize the score.
    Deferred Vulnerable Items
    Deferred VIs is measured daily as unit #. The goal of this indicator is to minimize the score.

    Breakdowns

    • Assignment Group: Applies to some VI reports.
    • Risk Rating: Applies to VI reports.
    • Age Range: Applies to VI reports.
    • Age Closed: Applies to reports for closed VIs.
    • Internet Facing: Indicates whether the CI belongs to the hardware class and is internet facing.
    • Region: The CMDB CI parameter used is Location. This location indicates the country of origin of the configuration item.

    Data visualizations

    Name Type Description
    Average Vulnerabilities per Asset Single Score Single-score icon Average number of active vulnerable items for each configuration item.
    Mean Time to Remediate (MTTR) Single Score Single-score icon The mean time to remediate (close) a vulnerable item, displayed as a 30-day running average.
    Note:
    The value for Age Closed is calculated when data is collected. The value is the difference between the Last Opened date and the date and time of the collection job.
    Average Age of Vulnerabilities Single Score Single-score icon Average age of active vulnerable items in days.
    Services with Most Vulnerabilities List and LineList icon3 Line icon Monthly average of active vulnerable items for services in the organization.
    Note:
    For information on defining the service classifications that you want to display in Vulnerability Response reporting and related lists, see the Services tab in Vulnerability Management [PA] dashboard.
    Countries with Most Vulnerabilities Donutdonut report icon Top 10 countries with the highest number of vulnerable items.
    Monthly Remediation Efficiency Single Score Single-score icon Percentage of closed vulnerable items divided by new vulnerable items in the current month.
    New and Closed Vulnerable Items Bar Bar icon Number of new vulnerable items imported and number of vulnerable items closed in a month.
    Scan Coverage LineLine icon Number of scanned assets compared to the total number of scannable assets, shown over time. The CI Classes included in the widget are specified in the Scan Coverage Configuration module.

    For information on configuring the Scan Coverage module, see Configure the Scan Coverage reports.
    Monthly Scan Coverage Single Score Single-score icon Percentage of scanned assets divided by the total number of scannable assets for the current month.

    For information on configuring the Scan Coverage module, see Configure the Scan Coverage reports
    Top 10 Assignment Groups with Most Deferred Vulnerabilities List and LineList icon3 Line icon Top 10 assignment groups with the highest number of deferred vulnerable items, deferred based on the monthly average.
    Top 10 Assignment Groups with Lowest Remediation Target Adherence List and LineList icon3 Line icon Top 10 assignment groups whose vulnerable items have the lowest adherence to their remediation targets.
    Table 2. Recommended Actions
    Name Type Source table Description
    Top 10 Vulnerabilities with Exploits Available ListList icon3 Vulnerability Top Item [sn_vul_analytics_top_item] Active vulnerabilities with exploits available for all the threat intelligence vendors that use the VR exploit framework.
    Top 10 Highest Impact Solutions ListList icon3 Vulnerability Top Item [sn_vul_analytics_top_item] Preferred solutions or patches with the highest risk scores for active vulnerable items. This report uses the capabilities of Vulnerability Solution Management (VSM), which correlates patches from Microsoft and Red Hat to vulnerabilities in the environment. VSM helps identify the preferred solution for vulnerabilities.
    Top 10 Oldest Vulnerable Items ListList icon3 Vulnerability Top Item [sn_vul_analytics_top_item] Active vulnerable items with the highest age. Resolve these items to lower the average vulnerability age on the Overview tab.
    Top 10 Vulnerabilities Most Prevalent on Assets ListList icon3 Vulnerability Top Item [sn_vul_analytics_top_item] Active vulnerable items available for the highest number of assets.