How are you calculating average patch time (MTTP)? Do you see that as a valuable metric for your org?

VP/IT Director in Banking, 10 months ago

We use ManageEngine for patching and Rapid 7 for vulnerability management, ensuring we are patched within 30 days of detection or the published date of the patch/vulnerability. Both systems have heat charts that help us prioritize, focusing on critical patches (CVSS 7-10), exploitable vulnerabilities, and zero-day vulnerabilities. Depending on severity, we may act faster, especially with zero-day exploits.

As for calculating Mean Time to Patch (MTTP), we measure the time from when a vulnerability is identified to when the patch is applied and confirmed. This is tracked across all vulnerabilities to ensure we stay within the 30-day window. We do find MTTP to be a valuable metric, as it helps us monitor efficiency in addressing vulnerabilities and provides clear reporting for IT Steering and Risk Committees. It also helps highlight areas where we might need to improve our response time.

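The measurement this answer describes (time from identification to a confirmed patch, tracked against a 30-day window, with a separate cut for CVSS 7-10) as an added Python example; it is not part of the original thread, and the finding records in it are constructed.

```python
"""Mean Time to Patch (MTTP) over a set of vulnerability records.

Added example, not from the original thread. Each record carries when the
vulnerability was identified and when the patch was applied and confirmed.
"""
from datetime import datetime, timedelta
from statistics import mean

SLA_DAYS = 30  # remediation window used in the thread

# Constructed sample records: (id, CVSS base score, identified, patch confirmed)
FINDINGS = [
    ("VULN-001", 9.8, "2024-03-01", "2024-03-06"),
    ("VULN-002", 7.5, "2024-03-02", "2024-03-20"),
    ("VULN-003", 5.3, "2024-03-03", "2024-04-15"),  # closed, but past the 30-day window
    ("VULN-004", 8.1, "2024-03-10", None),          # still open: excluded from MTTP
]


def _days(identified: str, confirmed: str) -> float:
    fmt = "%Y-%m-%d"
    delta = datetime.strptime(confirmed, fmt) - datetime.strptime(identified, fmt)
    return delta / timedelta(days=1)


def mttp_days(findings, min_cvss=0.0):
    """Mean days from identification to confirmed patch for closed findings
    at or above min_cvss. Open findings are excluded; None if nothing qualifies."""
    durations = [_days(found, fixed) for _, cvss, found, fixed in findings
                 if fixed is not None and cvss >= min_cvss]
    return mean(durations) if durations else None


def sla_breaches(findings, sla_days=SLA_DAYS, today="2024-04-20"):
    """IDs of findings patched after the window, or still open and older than it.
    'today' is the reporting date used to age open findings."""
    breached = []
    for vid, _, found, fixed in findings:
        age = _days(found, fixed if fixed else today)
        if age > sla_days:
            breached.append(vid)
    return breached


if __name__ == "__main__":
    print(f"MTTP, all closed findings: {mttp_days(FINDINGS):.1f} days")
    print(f"MTTP, CVSS >= 7 only:     {mttp_days(FINDINGS, 7.0):.1f} days")
    print("SLA breaches:", sla_breaches(FINDINGS))
```

Excluding open findings keeps the mean honest but hides backlog, which is why the breach list is reported alongside it.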
Global Director of Information Security in Transportation, a year ago

We use our vulnerability management tool to calculate MTTP. Since the tool relies on scanning to identify vulnerabilities and track remediation, we perform bi-weekly scans as part of our default policy. Additionally, we recommend running a remediation scan after applying patches to confirm successful resolution.

We have a KPI, critical vulnerability remediation, for BU leadership, and it really helps the IT team keep up with patch management based on the SLA.
