What Should Be In Your Security Benchmark Reports?

A security benchmark report is a document that helps an organization identify their cybersecurity capabilities and initiatives and compare those efforts to peers or competitors of the same sector or size. This snapshot is prepared either internally by the organization or by a third party.

Do your competitors and peers have a better cybersecurity game plan than you do? If simply answering that question seems exhausting, this guide can help.

There are three primary drivers for creating a security benchmark report:

  • Governance purposes: Your CEO may want to know if your company has any shortcomings from a legal or capabilities perspective. Benchmarking reports, in this respect, may help you figure out if there are things your company isn’t doing but should be.
  • Technology purposes: Your CIO or CISO may want to use benchmark reports to see whether a particular firewall they have in place is above or below the average in your industry.
  • Performance purposes: The CIO or CISO may want to use benchmark reports because they want to drive better performance in the organization and are looking for leaders to compare themselves to.

Below, we’ll walk through a number of things you’ll want to consider when building your information security benchmarks.

Informal Vs. Formal Benchmarking

Informal benchmarking: If you’re looking at something very specific—for example, purchasing a new firewall—and want know how other organizations use it in your industry, you could create an informal survey for peers in outside companies. They could respond with the types of firewalls they use and if they’re effective. This information can help you determine if the firewall you’re examining is good enough.

Formal Benchmarking: If the board of directors at your organization expresses concern about your cybersecurity program, you may decide on a more formal benchmark report. For example, your organization may have concerns about overall cybersecurity performance and want to see how peers in the space are addressing similar problems or concerns. You may then either task the CIO or CISO with compiling this formal report or hire an outside agency to do so.

Creating A Formal Security Benchmark Report

If a consulting firm prepares this report at your request, their process may include having you first assess your own cybersecurity program as you see it. In this case, you would likely answer questions in a number of formats—writing out responses, choosing “yes” or “no,” etc. The firm may then pull reports from similar organizations (either by size or industry) and compile an anonymized benchmarking report that helps you better understand where you’re doing well and where you’re lacking. For example, if you’re in the automotive sector, the report created for you would compare what you self-reported against what other organizations in your space self-reported.

Relevant Data Sets To Include In Your Benchmark Report


  • Are we organized in a way that is comparable to our peers?
  • What kinds of policies, procedures, or processes do we have in place today, and how do they compare with what other leaders in our sector have?
  • How do our cybersecurity policies compare to organizations that are the same size?

These are all questions that would be asked and answered in a benchmarking report that focused on governance.

Benchmarking on cybersecurity governance is important but isn’t as dynamic as technology or performance benchmarking. Typically, the CISO reports the results to the board, and the board needs at least a few years to measure results from any changes. Therefore, you likely only need to run a report like this every 3-4 years.


  • What kinds of systems have we deployed?
  • How do the systems in question compare with those in the same industry or with organizations with similar parameters?

Once you determine if you’re lacking in any technological areas, you want to take action immediately. This usually involves identifying and remediating systems that may be below par or tweaking systems in order to bring them up to par. You want to know with some regularity whether your cybersecurity technology is meeting the standards set by your peers, so running a technology benchmark report on a routine basis is critical.


This category comprises the hardest data to benchmark because organizations aren’t terribly forthcoming with cybersecurity performance information. Some performance data is published on an annual basis in reports like Verizon’s Data Breach Incident Report (DBIR), but otherwise, you have to rely on anonymized information for benchmark reports on performance.

Performance benchmarking information is critical for identifying and remediating cyber risks. Therefore, CIOs and CISOs today know that security benchmark reports don’t cut it. Luckily, there are a number of tools that measure security performance in real time so you can then communicate this information to the board and senior executives.

A Final Piece Of Advice

Don’t just benchmark to benchmark—do it to improve your organization. When done properly, your cybersecurity benchmarks will help you assess where your organization stands compared to peers so you can identify areas of improvement.

If you want to learn more about cybersecurity benchmarking, download this free guide. It walks through a number of different benchmarking methods you may want to consider.