To a chief information officer (CIO), cybersecurity is a multifaceted concern. Not only could a breach that results in a loss of sensitive data or information be a legal or reputational nightmare for their organization, but it could also cost them (and others in the C-suite) their job.
Thus, the question CIOs today must ask—regularly and consistently—is whether they’re protecting their data and information appropriately and to the best of their ability. The best way to answer this question is by understanding your cybersecurity effectiveness in comparison to other organizations in your industry, a practice known as benchmarking. For example, if you can determine you’re underperforming in cybersecurity compared to your peers, you’ll have a solid indication that you’re facing more risk and liability than they are.
There are two traditional methods used to approach IT security benchmarks: formal benchmarking and informal benchmarking. Both are used frequently in today’s business landscape and have a number of benefits and risks.
Formal benchmarking takes place when you gather data on your peers and competitors, analyze that data, and use it to form an IT security benchmark. This can take place in-house or through a consulting firm working on your behalf.
Benefits Of Formal Benchmarking
Ideally, formal benchmarking allows you to get a comprehensive picture of your peers’ and competitors’ performance. You can compare what they’re doing in regard to cybersecurity to what your organization is doing so you can bear down in the areas that need more work.
Risks Of Formal Benchmarking
Your analysis only gives insight for a particular point in time. Your peers and competitors are constantly changing—just as you are—and that change can bring about major differences in cybersecurity posture.
Your analysis is subjective and may focus too heavily on feelings rather than data.
Whether this is done in-house or through a consultant, this may be costly. It can get expensive quickly!
Formal benchmarking is time-consuming. You must account for “the human element” and how long it may take those involved with the benchmarking to get contact information, set up meetings, and analyze and present the data.
Informal benchmarking takes place in a more casual setting and doesn’t necessarily involve hard-and-fast data. For example, you may be part of a CIO online forum or a group that meets monthly to discuss cybersecurity best practices.
Benefits Of Informal Benchmarking
This process is significantly less time-consuming than formal benchmarking, so you can do it more frequently.
Informal benchmarking is also much more cost-effective. It’s a good starting point for younger companies that are just beginning the benchmarking process. It can also be a good supplement to formal benchmarking.
Risks Of Informal Benchmarking
This method of cybersecurity benchmarking tends to be more subjective and qualitative. The takeaways may be helpful for the CIO in their day-to-day activity, but they may not offer direct insights that can affect the organization as a whole.
Some organizations won’t be interested in sharing their best cybersecurity practices, as those practices may be a part of their competitive advantage.
Participants in these types of forums must consider antitrust issues and other legalities.
The two traditional methods used for IT security benchmarks aren’t without their complications. The nature of cybersecurity is sensitive—so many companies are simply unwilling or unable to discuss it openly. And even if you are able to gather benchmarking data, it’s difficult to know whether the particular controls your peers put in place were actually effective.
Because we know this is a critical topic for today’s CIO, we’ve tackled it head-on in our latest ebook. In this ebook, we walk through why cybersecurity benchmarking is difficult for the modern CIO, different methods of benchmarking you may be involved in (or may want to consider), and how BitSight Security Ratings can solve many benchmarking challenges. Download it today!