What metrics are you using to measure your vulnerability management program's effectiveness?
MTTD and MTTR are good metrics. I would also suggest keeping it simple. What are your numbers and ratings trended over time? The total count of your Critical and High vulnerabilities and their trend is simple to put together and easy for all leadership to understand. How has the count changed since last month and last year? Are you winning or losing the fight? How long has the longest-lived vulnerability been there, and what actions are being taken to remediate it? Simple metrics like this can give you some sharp insights into risks that averages like MTTD and MTTR can obfuscate.
In order to assess the efficacy of any given vulnerability management program, there are numerous metrics which can be employed towards this end. These metrics typically include indicators such as vulnerability identification rates; time-to-remediation statistics following detection; patch coverage rates across monitored systems; risk reduction values achieved through ongoing efforts aimed at mitigating potential threats; mean times required for both detection (MTTD) and response (MTTR) during incidents or breaches; and compliance levels with the industry standards and regulations being adhered to.
Starting with the first metric mentioned above: by tracking vulnerability identification rates over designated periods of time, one can gain insight into how comprehensive their scanning techniques truly are. Higher identification rates typically suggest broader coverage, which leads to more effective scanning procedures in general. Similarly important metrics include the timelines for remediating detected vulnerabilities within an environment, as well as patch rate percentages across all relevant systems monitored by the team looking after this area of concern; by having a higher patch coverage rate, one can expect their organization to have better overall control over their environment, which means greater preparedness against outside threats and attacks. Turning now to MTTD values: by measuring this time, it becomes possible to gauge just how effective an organization's detection techniques are in catching potential breaches or security incidents before they spiral out of control; a lower MTTD suggests superior detection and response capabilities are in play at any given time.
Finally, MTTR values for an organization are another crucial indicator of how well they are equipped and primed for dealing with security incidents. By measuring this value, one can pinpoint where additional resources may be needed so as to improve overall response times across the board. Organizations with lower MTTR values are likely to have better incident response capabilities, as per industry standards.
In order to measure effectiveness (noting that this is distinct from something one might show to leadership), I assume that the identification of vulnerabilities is distinct from the remediation, and I use a combination of metrics:
Vulnerability identification:
1. A coverage metric: i.e. how much of the environment is under the vulnerability management program?
2. An efficacy metric: i.e. how thorough is the vulnerability identification process (is it network-based, are credentials involved, etc.)?
3. A timeliness metric: i.e. how often does the vuln identification process occur?
4. A hygiene metric: i.e. how old is a vulnerability at the time of first discovery? This can inform you about bad practices such as deploying new systems with out-of-date software.
Vulnerability remediation:
1. % of remediation performed within SLA
2. # of critical and high vulnerabilities that are open past SLA
3. A name-and-shame metric showing the team(s) most delinquent in remediation.
4. An effort metric that describes the resources expended to remediate, which can then lead to better prioritization and informed exceptions for findings where the juice isn't worth the squeeze.
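Worked out against a constructed sample, as an added example that is not part of the original thread or any poster's code: the script below computes the coverage, hygiene and remediation metrics listed in this reply (% fixed within SLA, critical/high findings open past SLA, delinquent teams, age at first discovery) together with the headline numbers from the earlier reply (open critical/high count with a month-over-month trend, and the longest-lived open finding). The SLA table, asset names, team names and finding records are all assumptions made up for the illustration; the VULN-* identifiers are placeholders, not real CVEs.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import Iterable, Optional

# Assumed remediation SLA, in days from first detection, per severity.
# Illustrative policy values, not anything the thread states.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str                  # hypothetical identifier, not a real CVE
    severity: str                 # one of SLA_DAYS' keys
    team: str                     # team that owns remediation
    published: date               # public disclosure date of the vulnerability
    first_seen: date              # first date our scanner reported it on the asset
    fixed: Optional[date] = None  # None while still open


def deadline(f: Finding) -> date:
    """SLA clock starts at first detection, not at public disclosure."""
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def is_open(f: Finding, as_of: date) -> bool:
    """Open on a given date: already detected and not yet fixed by then."""
    return f.first_seen <= as_of and (f.fixed is None or f.fixed > as_of)


def coverage_pct(inventory: Iterable[str], scanned: Iterable[str]) -> float:
    """Identification metric 1: share of the known asset inventory the scanner covers."""
    inv = set(inventory)
    return 100.0 * len(inv & set(scanned)) / len(inv) if inv else 0.0


def median_age_at_discovery(findings: Iterable[Finding]) -> float:
    """Identification metric 4 (hygiene): days between disclosure and our first
    detection. A large value points at stale images or builds being deployed."""
    return float(median([(f.first_seen - f.published).days for f in findings]))


def pct_within_sla(findings: Iterable[Finding]) -> float:
    """Remediation metric 1: of findings already fixed, % fixed by their deadline."""
    fixed = [f for f in findings if f.fixed is not None]
    if not fixed:
        return 100.0
    return 100.0 * sum(1 for f in fixed if f.fixed <= deadline(f)) / len(fixed)


def open_past_sla(findings, as_of: date, severities=None) -> list:
    """Remediation metric 2: findings still open after their deadline.
    Pass severities={'critical', 'high'} for the leadership-facing count."""
    return [f for f in findings
            if is_open(f, as_of) and deadline(f) < as_of
            and (severities is None or f.severity in severities)]


def delinquent_teams(findings, as_of: date) -> list:
    """Remediation metric 3: teams ranked by open-past-SLA findings (any severity)."""
    counts = Counter(f.team for f in open_past_sla(findings, as_of))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def open_count(findings, as_of: date, severities=("critical", "high")) -> int:
    """Headline number: open critical/high findings on a date. Evaluate it at two
    dates (this month vs. last month or last year) to get the trend."""
    return sum(1 for f in findings if is_open(f, as_of) and f.severity in severities)


def oldest_open(findings, as_of: date):
    """Longest-lived open finding and its age in days, or None if nothing is open."""
    open_now = [f for f in findings if is_open(f, as_of)]
    if not open_now:
        return None
    f = min(open_now, key=lambda x: x.first_seen)
    return f, (as_of - f.first_seen).days


def report(findings, as_of: date, prior: date) -> dict:
    now, before = open_count(findings, as_of), open_count(findings, prior)
    oldest = oldest_open(findings, as_of)
    return {
        "open_crit_high": now,
        "open_crit_high_prior": before,
        "trend": "losing" if now > before else "winning" if now < before else "flat",
        "pct_fixed_within_sla": pct_within_sla(findings),
        "crit_high_past_sla": len(open_past_sla(findings, as_of, {"critical", "high"})),
        "most_delinquent": delinquent_teams(findings, as_of),
        "oldest_open_days": oldest[1] if oldest else 0,
        "median_age_at_discovery_days": median_age_at_discovery(findings),
    }


# Constructed sample data (assumed, not from the thread).
INVENTORY = {"web-01", "web-02", "db-01", "pay-01"}       # what we think we own
SCANNED = {"web-01", "web-02", "pay-01", "old-host"}      # what the scanner saw
AS_OF, PRIOR = date(2024, 6, 30), date(2024, 5, 31)
SAMPLE = [
    Finding("VULN-A", "critical", "payments", date(2024, 1, 10), date(2024, 5, 1), date(2024, 5, 10)),
    Finding("VULN-B", "high", "payments", date(2024, 3, 1), date(2024, 4, 1)),
    Finding("VULN-C", "high", "web", date(2024, 5, 20), date(2024, 6, 15)),
    Finding("VULN-D", "critical", "web", date(2023, 11, 1), date(2024, 2, 1), date(2024, 3, 15)),
    Finding("VULN-E", "medium", "web", date(2024, 1, 5), date(2024, 1, 20)),
    Finding("VULN-F", "critical", "infra", date(2024, 6, 1), date(2024, 6, 20)),
]

if __name__ == "__main__":
    print(f"coverage: {coverage_pct(INVENTORY, SCANNED):.0f}%")
    for k, v in report(SAMPLE, AS_OF, PRIOR).items():
        print(f"{k}: {v}")
```

Two design points worth noting: the SLA clock is started at first detection rather than at disclosure, so the hygiene metric (disclosure to first detection) and the remediation metrics stay independent of each other, and every metric takes an explicit as-of date so the same dataset yields last month's numbers and this month's for the trend.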