Compliance Management

Comparing programs can yield rewards

There are questions any CISO is bound to get asked: “How do we stack up against our industry peers?” or “How does our spending on security compare to our peers?” These are questions that cut right to the heart of our programs, and are unfortunately the most difficult to answer. We all know what we spend internally, but how do we get reliable, timely information for comparison purposes? 

For years we've all looked for the security studies and comparisons, and we usually fall back to a national or global industry report. Invariably, however, those studies do not give us the granularity or specificity that our executives are requesting in an answer. 

Information security and compliance benchmarking defines a method that compares the performance of one security and compliance provider with the similar services of others. The comparison can be carried out formally, or informally in a meeting or phone conversation. There are information-sharing companies out there that provide an excellent forum for talking with peers. But how do you know which one to join? Will it be worth the investment of dollars and time? Sometimes, getting the information and making the commitment to get started is the hardest part.

To get started, the process does not have to be formal. When you read the global security reports, one of the main shortcomings is that you do not have the ability to ask the author questions and drill down on the data reported. The ability to wrap specific context around issues is critical for security and compliance benchmarking. Since you need to ask questions, start by making personal contact with your peers. Also, identify your counterpart and start a discussion around sharing non-competitive information about your programs.

Benchmarking discussions should include both efficiency and effectiveness criteria. For instance, if discussing awareness programs, it is important to discuss how the programs are delivered – whether in person or via web (efficiency) – and how we measure whether we have been successful in elevating the awareness of our employees (effectiveness). 

If you start simple and build a network of peers, you will receive benefits. Benchmarking can help you identify potential cost-saving opportunities, justify programs and set reasonable expectations for those programs. Last, and perhaps most valuable, it will provide a way for you to measure your performance against best-in-class companies while identifying areas where you can improve. We have a wealth of information. Let's share it for the benefit of all.

Questions to share
When benchmarking, start with a simple agenda of questions that are commonly asked and build from there, says Tyco International's Fredriksen. Some examples may be: 

Assessing security -
What elements (operating expenses, software, hardware, capital) do you include in your security budget? What percentage of total IT spend is the security budget? 

Quantifying safeguards -
How many people staff the security and compliance function? What services do you provide? What metrics do you report to management, and how do you measure? 

Information sharing -
Make it a goal to find peers you can call on to share information. The security world is made up of pros who want to share information. No one has to go at it alone if we seek out our peers.
