Comparing programs can yield rewards


There are questions any CISO is bound to get asked: “How do we stack up against our industry peers?” or “How does our spending on security compare to our peers?” These are questions that cut right to the heart of our programs, and are unfortunately the most difficult to answer. We all know what we spend internally, but how do we get reliable, timely information for comparison purposes? 

For years we have all looked for security studies and comparisons, and we usually fall back on a national or global industry report. Invariably, however, those studies do not give us the granularity or specificity that our executives are asking for in an answer.

Information security and compliance benchmarking is a method for comparing the performance of one security and compliance function with similar functions at other organizations. The comparison can be carried out formally, or informally in a meeting or a phone conversation. There are information-sharing companies that provide an excellent forum for talking with peers, but how do you know which one to join, and will it be worth the investment of dollars and time? Sometimes getting the information and making the commitment to get started is the hardest part.

To get started, the process does not have to be formal. One of the main shortcomings of the global security reports is that you cannot ask the author questions and drill down into the data reported. The ability to wrap specific context around issues is critical for security and compliance benchmarking, and since you need to be able to ask questions, start by making personal contact with your peers. Identify your counterpart and begin a discussion about sharing non-competitive information on your programs.

Benchmarking discussions should cover both efficiency and effectiveness criteria. For instance, when discussing awareness programs, it is important to talk about how the programs are delivered, whether in person or via the web (efficiency), and how you measure whether you have succeeded in raising the awareness of your employees (effectiveness).

If you start simple and build a network of peers, you will see benefits. Benchmarking can help you identify cost-saving opportunities, justify programs and set reasonable expectations for them. Last, and perhaps most valuable, it gives you a way to measure your performance against best-in-class companies while identifying the areas where you can improve. Among us we hold a wealth of information. Let's share it for the benefit of all.

Questions to share

When benchmarking, start with a simple agenda of commonly asked questions and build from there, says Tyco International's Fredriksen. Some examples:

Assessing security -
What elements (operating expenses, software, hardware, capital) do you include in your security budget? What percentage of total IT spend is the security budget? 

Quantifying safeguards -
How many people staff the security and compliance function? What services do you provide? What metrics do you report to management, and how do you measure? 

Information sharing -
Make it a goal to find peers you can call on to share information. The security world is made up of professionals who want to share what they know, and no one has to go it alone if we seek out our peers.
