There are questions any CISO is bound to get asked: “How do we stack up against our industry peers?” or “How does our spending on security compare to our peers?” These are questions that cut right to the heart of our programs, and are unfortunately the most difficult to answer. We all know what we spend internally, but how do we get reliable, timely information for comparison purposes?
For years we've all looked for the security studies and comparisons, and we usually fall back to a national or global industry report. Invariably, however, those studies do not give us the granularity or specificity that our executives are requesting in an answer.
Information security and compliance benchmarking is a method of comparing the performance of one security and compliance provider with the similar services of others. The comparison can be carried out formally or informally, in a meeting or a phone conversation. There are information-sharing companies out there that provide an excellent forum for talking with peers. But how do you know which one to join? Will it be worth the investment of dollars and time? Sometimes, getting the information and making the commitment to get started is the hardest part.
To get started, the process does not have to be formal. When you read the global security reports, one of the main shortcomings is that you do not have the ability to ask the author questions and drill down on the data reported. The ability to wrap specific context around issues is critical for security and compliance benchmarking. Since you need to ask questions, start by making personal contact with your peers. Also, identify your counterpart and start a discussion around sharing non-competitive information about your programs.
Benchmarking discussions should include both efficiency and effectiveness criteria. For instance, if discussing awareness programs, it is important to discuss how the programs are delivered – whether in person or via web (efficiency) – and how we measure whether we have been successful in elevating the awareness of our employees (effectiveness).
If you start simple and build a network of peers, you will receive benefits. Benchmarking can help you identify potential cost-saving opportunities, justify programs and set reasonable expectations for those programs. Last, and perhaps most valuable, it will provide a way for you to measure your performance against best-in-class companies while identifying areas where you can improve. We have a wealth of information. Let's share it for the benefit of all.
Questions to share
Assessing security -
Quantifying safeguards -
Information sharing -