How to Approach IT & Cybersecurity Benchmarking as a CIO
POSTED on November 22, 2016
To a chief information officer (CIO), cybersecurity is a multifaceted concern. Not only could a breach that results in a loss of sensitive data or information be a legal or reputational nightmare for their organization, but it could also cost them (and others in the C-suite) their job.
Thus, the question CIOs today must ask—regularly and consistently—is whether they’re protecting their data and information appropriately and to the best of their ability. The best way to answer this question is by understanding your cybersecurity effectiveness in comparison to other organizations in your industry, or benchmarking. For example, if you can determine you’re underperforming in cybersecurity compared to your peers, you’ll have a solid indication that you’re facing more risk and liability than they are.
Do your competitors and peers have a better cybersecurity game plan than you do? If simply answering that question seems exhausting, this guide can help.
There are two traditional methods used to approach IT security benchmarks: formal benchmarking and informal benchmarking. Both are used frequently in today’s business landscape and have a number of benefits and risks.
Formal Benchmarking
Formal benchmarking takes place when you gather data on your peers and competitors, analyze that data, and use it to form an IT security benchmark. This can take place in-house or through a consulting firm working on your behalf.
Benefits Of Formal Benchmarking
- Ideally, formal benchmarking allows you to get a comprehensive picture of your peers’ and competitors’ performance. You can compare what they’re doing in regard to cybersecurity to what your organization is doing so you can bear down in the areas that need more work.
Risks Of Formal Benchmarking
- Your analysis only gives insight for a particular point in time. Your peers and competitors are constantly changing—just as you are—and that change can bring about major differences in cybersecurity posture.
- Your analysis is subjective and may focus too heavily on feelings rather than data.
- Whether this is done in-house or through a consultant, this may be costly. It can get expensive quickly!
- Formal benchmarking is time-consuming. You must account for “the human element” and how long it may take those involved with the benchmarking to get contact information, set up meetings, and analyze and present the data.
Informal Benchmarking
Informal benchmarking takes place in a more casual setting and doesn’t necessarily involve hard and fast data. For example, you may be a part of a CIO online forum or a group that meets monthly to discuss cybersecurity best practices.
Benefits Of Informal Benchmarking
- This process is significantly less time-consuming than formal benchmarking, so you can do it more frequently.
- Informal benchmarking is also much more cost effective. It’s a good starting point for younger companies that are just beginning the benchmarking process. It can also be a good supplement to formal benchmarking.
Risks Of Informal Benchmarking
- This method of cybersecurity benchmarking tends to be more subjective and qualitative. The takeaways may be helpful for the CIO in his day-to-day activity, but it may not offer direct insights that can affect the organization as a whole.
- Some organizations won’t be interested in sharing their best cybersecurity practices, as those practices may be a part of their competitive advantage.
- Participants in these types of forums must consider antitrust issues and other legalities.
Download Cybersecurity Benchmarking: A CIO’s Guide for Reducing Security Anxiety
The two traditional methods used in for IT security benchmarks aren’t without their complications. The nature of cybersecurity is sensitive—so many companies are simply unwilling or unable to discuss it openly. And if you are able to gather benchmarking data, it’s difficult to know whether the particular controls your peer put in place were actually effective.
Because we know this is a critical topic for today’s CIO, we’ve tackled it head-on in our latest ebook. In this ebook, we walk through why cybersecurity benchmarking is difficult for the modern CIO, different methods of benchmarking you may be involved in (or may want to consider), and how BitSight Security Ratings can solve many benchmarking challenges. Download it today!
