Companies are spending more and more on IT security. A recent report by Canalys found that the worldwide IT security market will grow 6.6% annually, becoming a $30.1 billion industry by 2017. This increase in spending may have something to do with the heightened consequences of data breaches and security events. Another recent study, this one from the Ponemon Institute, found the average cost of a data breach to be a lofty $3.5 million. But as companies spend more and more money on IT security products and services, how can they verify that their overall security is actually improving?
Here are three ways that companies can leverage externally available internet data to benchmark security performance.
1. Compare your performance to industry peers
As our latest BitSight Insights report revealed, different US industries have dramatically different risk levels and profiles. A solid indicator of overall performance is how your organization's security posture compares with that of industry peers: Are your competitors showing signs of compromise? When there is a security event in their networks, how long does it persist? Are you performing better or worse at remediating threats? Because your peers often hold similar types of sensitive data, comparing against them gives you a more comprehensive picture of how your organization is performing. Moreover, by continuously monitoring performance you will be ahead of the curve when it comes to detecting and responding to industry-specific threats.
2. Track security performance over time
As companies increasingly devote both money and resources to cyber security, risk managers want to know that these initiatives are providing valuable and meaningful returns. One way to do this is by continuously monitoring and tracking cyber performance over time. After implementing a new cyber security program, security teams should constantly track the volume of security incidents in their networks and how quickly these issues are remediated. Continuous monitoring also provides insight into rapid changes in security posture, giving companies the ability to proactively address potentially damaging security issues.
3. Set executive level objectives
Many in the infosec community are praising the shifting attitude of corporate America when it comes to cyber security. Once seen as a strictly IT issue, cyber defense is now something executives are beginning to take notice of (and, increasingly, responsibility for). Even shareholders are invested in the cyber defenses of companies. Yet many executives do not have a security background, which makes it a challenge for IT teams to communicate security performance to upper-level management. One way to do this is by setting objective benchmarks, whether that means outperforming industry peers or improving specific response and detection metrics. By doing this, security professionals can better demonstrate improvement and show the business value of IT security to company leaders.
Benchmarking is a cornerstone of conducting business today. It is used in virtually every other departmental function of a business, so why not IT security? By leveraging outside internet data, it is possible to not only see internal performance but that of industry peers and competitors. BitSight collects vast amounts of this data and, using a proprietary algorithm, assigns daily Security Ratings to companies based on their security performance. Moreover, with both insightful technical data and easily accessible dashboards, the BitSight platform gives security teams an invaluable tool in benchmarking security performance.