Cybersecurity Benchmarking: Do you out-secure the competition?
Published: Feb 25, 2019
In business, everything is a competition. Companies are constantly battling against each other to create a better product, provide the best customer experience, improve their market share and create more value for their shareholders. The same is true with cybersecurity.
Benchmarking to see how your business structures and functionality compare to others in your industry can help you see where your departments excel, where they fall short, and what they need to do to catch up.
The importance of cybersecurity benchmarking
Cybersecurity is no different. For CIOs and CSOs to do their jobs, they must feel comfortable that they’re doing everything possible to keep the company secure. Most of the time that means executing on a thoughtful strategy, following best practices and keeping up-to-date on new technologies and threats. However, benchmarking efforts will provide an important outside contextual perspective of cybersecurity that can confirm the wisdom of the strategy, spur a change in direction of tactics or help justify a major new investment to others.
Just as you wouldn’t run your business without knowing how you compare against a competitor’s sales or market share, benchmarking your cybersecurity posture is crucial to help you understand if you’re running a best-in-class operation. In addition, benchmarking is useful in helping non-technical stakeholders like your CEO or board members understand the decisions you’ve made around your cybersecurity program and the value of your investments.
Formal vs informal cybersecurity benchmarking
When conducting cybersecurity benchmarking, there are two methods to consider, each with its own benefits and drawbacks.
- Formal benchmarking involves gathering hard data and conducting analysis on the actions of your competitors. While more quantitative and rigorous, it’s important to remember that the numbers represent a snapshot in time. With the speed that cybersecurity evolves, you should ensure that the benchmarking data you’re looking at is current.
- Informal benchmarking is more casual; where formal benchmarking may include long-term scientific surveys, informal benchmarking can be as simple as attending a cybersecurity conference and learning about the best practices of others in your industry. While informal cybersecurity benchmarking is good for generating ideas, its subjective nature makes it difficult to use alone when driving or justifying major strategic solutions.
How to use cybersecurity benchmarking to drive data security
When it comes to benchmarking, you shouldn’t think of it as an either/or decision between the formal and informal methods. Each has a role to play in helping you evaluate your strategy, drive decisions and improve your confidence in your cybersecurity investments.
When looking at methods of formal benchmarking, a good place to start could be Verizon’s risk reporting service, called the Verizon Risk Report. It assesses your organization from the outside, using data gathered from public sources to evaluate external risk vectors and provide you with a risk score. This numeric score lets you easily compare your company against others in your industry. For an additional perspective, the Verizon Risk Report can also conduct an in-depth, inside-out automated analysis of your internal systems to identify further points of exposure, and provide a review of your security culture and processes to assess your current security against industry best practices.
Taken together, this data can be used to help prioritize limited cybersecurity resources and staff time to address your most critical areas. At the same time, this benchmark data can be used by leadership and board members to understand the level of risk faced by the company and determine the ROI of cybersecurity investments.
By understanding the security issues of your peers, cybersecurity benchmarking can help you mitigate your own. In a world increasingly threatened by the risk of cyberattacks, the company that outcompetes will most likely be the one that out-secures the competition.
IDC’s perspective in their whitepaper, Gaining Visibility into Risk and the ROI of your Security Program, should give you more context around the issue.
Learn more about how you can help protect your valuable data with the Verizon Risk Report.