Benchmarking Efforts Heighten Visibility, Improve Internal Comm.

Reviewing The Upside Of 'Peer Averaging'



Dan Gunderman
10/04/2018

It’s clear that in today’s complex threat landscape, strategic communication (both upward and outward) and clear process documentation are imperative to business success. Reaching an optimal security posture should, and likely will, include benchmarking that posture against peers, also known as peer averaging.

While Chief Information Security Officers (CISOs) and the like are entrenched in network defense, threat intelligence gathering and threat-vector research, among other endeavors, a critical part of the role also depends on interpreting data flows for the C-Suite and board of directors.

This communication should be both routine and informative, allowing for constructive dialogue on return on investment (ROI), which in security can be interpreted as a lack of breaches, along with standards compliance. What’s more, part of that presentation should also cover “benchmarking” efforts: using metrics to quantify security efficacy and compare it with the posture of industry peers.


In an ISACA post for “The Nexus,” Peter T. Davis, Principal of Peter Davis & Associates, a management consulting firm specializing in IT governance, security and auditing, wrote: “You could do this (benchmarking) by measuring quality, time or cost parameters. The upshot of doing this is learning how well others perform and, more important, gleaning the business processes and practices that explain why those organizations excel.”

He continued, discussing a hypothetical security conversation with the business: “What if I could prove to you mathematically that there is a relationship between having a cyber security policy and earnings per share (EPS)? Or that organizations that followed documented processes have a higher return on investment (ROI)? Now that is cyber-intelligence!”

Davis added an “ancillary benefit” to benchmarking, suggesting that by incorporating detailed business processes, other lines of business (LOB) will be brought into the fray and come to see that their work is propelling the wider business.

The security professional said that benchmarking efforts could discuss cyber investment, return on security investment (ROSI), return on assets managed (ROAM), cost benefits and other areas.

The contributor called enterprises capable of gauging performance consistently “best-in-class,” and said the exercise is a necessity to be a “bellwether” organization.


Now that it’s clear that benchmarking is key to success, are security practitioners doing something about it? Are they utilizing these metrics?

According to a recent poll conducted by Tenable at Infosecurity Europe, 73% of security respondents said benchmarking is in fact crucial. Eighty percent see value in sharing benchmarking data with the board or C-level executives; and 59% said they currently do so.

Just 21% said they do not utilize the data but would like to do so. Lastly, 18% see no value in utilizing the data.

The numbers delve even deeper, too, suggesting that 54% of respondents already compare their metrics against peers. Thirty-five percent of those respondents said they’d like comparative data, and 19% are content with the data already in circulation.

The numbers skew overwhelmingly toward more comparative analysis for the C-Suite and board. For that process to pay off, the board and executives must be able to use the numbers to improve or readjust their cyber allocation (resources, funds, etc.).

Tenable acknowledged that the process can be difficult, writing, “You’re faced with a mountain of data, much of it static and drawn from multiple spreadsheets, and you’re expected to turn it into the kinds of insights business leaders can use.”

But successful benchmarking exercises and continual dialogue suggest improvement in visibility and in cyber posture, and they help catalyze resiliency. Throughout the process, CISOs can draw on public use cases, available information streams, and industry, thought-leader and analyst reports to gather the information, which can then be turned into comparative models for the betterment of the enterprise, and of security as a whole.
