This document discusses the challenges of cybersecurity benchmarking for CIOs and introduces Security Ratings as a solution. Some of the key challenges of benchmarking include: the difficulty of gathering accurate metrics over time to compare performance to peers; clearly communicating benchmarking results to boards; and identifying security issues affecting competitors. Security Ratings provide an objective, quantitative method to continuously monitor an organization's cybersecurity performance and compare it to others in the same industry through daily analysis of external network data, helping CIOs address these challenges.
INTRODUCTION

In order for a business to be competitive, it must be continuously improving. This is something the modern chief information officer (CIO) knows all too well—and has likely lost some sleep over! But in order to build out the business structure and technical functionality that enables your organization to deliver products and services quickly and efficiently, you have to know how you’re doing compared to how your competitors and peers are doing.

In other words, CIOs today must be highly effective at benchmarking. But as the CIO, you know you can’t outsource risk—and you have to consider the risk posed by every new business function in your organization. With constant technological advances in business today, cyber risk is one area that requires a great deal of thought from the CIO.

So in order to understand whether you need to drive cybersecurity improvements across the organization, you have to consider whether you’re accepting too much risk in comparison to your peers and competitors.

If you don’t have a complete picture of your organization’s security performance compared to your peers, you’re flying blind.

Below, we’ll walk through the following:
- Why cybersecurity benchmarking is difficult for the modern CIO.
- Different methods of benchmarking you may be involved in (or want to consider).
- How Security Ratings may solve many benchmarking challenges.
WHY CYBERSECURITY BENCHMARKING IS A CHALLENGE FOR CIOS TODAY

YOUR JOB MAY BE ON THE LINE.

CIOs and CISOs are often the first on the chopping block when things go wrong in the cybersecurity space. So as the CIO, you want to know with certainty how your organization’s cybersecurity performance is doing so you can feel confident in your practices (and sleep better at night).

YOU HAVE TO KNOW THAT YOUR BENCHMARKING EFFORTS ARE EFFECTIVE.

For example, if you are gathering data on the best practices of your peers and competitors, simply knowing that many of them have a cybersecurity training program for employees isn’t enough. As the CIO, you have to know whether or not this training program actually works. In other words, gathering qualitative information without any hard and fast metrics to back it up is useless.

ACCURACY IN BENCHMARKING IS CRITICAL.

One of the most famous pieces of advice in cybersecurity is the oft-quoted “trust, but verify.” If you or your consultant gather data through interviews and discussion with peers and competitors, you may not have any way to verify that the information you’ve been given is accurate. Your employees, consultants, and peers are only human and are prone to misinformation, misinterpretation, and error.
YOU HAVE TO BE ABLE TO CLEARLY COMMUNICATE CYBERSECURITY EFFECTIVENESS TO THE BOARD.

Ten to 15 years ago, cybersecurity was an afterthought—and certainly wasn’t a critical issue in the boardroom. Today, this has changed dramatically. Boards today expect good cybersecurity hygiene and need to be updated on the status of a cybersecurity program regularly. Your board will expect you to discuss a number of cybersecurity metrics, which are often divided into two categories:

- Audit and compliance metrics: These deal with legal or fiduciary requirements like “Are we ISO-27001-compliant?” and “Do we have any outstanding high-risk findings open from our last audit or assessment?”
- Operational effectiveness metrics: These are quantitative metrics—backed with actionable data—that take a deep dive into the state of your cybersecurity program. For example, “How quickly can we (or our vendors) identify and respond to incidents?” And, “How did we compare to our peers across a certain time span?” The latter question could be difficult to answer if you don’t have the right data—but with BitSight Security Ratings (which we’ll discuss later on in this guide) you can easily compare your performance to a number of your competitors’ over a period of time.
FORMAL VS. INFORMAL CYBERSECURITY BENCHMARKING

There are two traditional methods used for cybersecurity benchmarking: formal and informal. Both are used frequently in today’s business landscape and have a number of benefits and risks.

FORMAL BENCHMARKING

Formal benchmarking takes place when you gather data on your peers and competitors, analyze that data, and use it to form a benchmark. This service can take place in-house or through a consulting firm working on your behalf.

Benefits Of Formal Benchmarking

Ideally, formal benchmarking allows you to get a comprehensive picture of your peers’ and competitors’ performance. You can compare what they’re doing in regard to cybersecurity to what your organization is doing so you can bear down in the areas that need more work.

Risks Of Formal Benchmarking

- Your analysis only gives insight for a particular point in time. Your peers and competitors are constantly changing—just as you are—and that change can bring about major differences in cybersecurity posture.
- Your analysis is subjective and may focus too heavily on feelings rather than data.
- Whether this is done in-house or with a consultant, this may be costly. It can get expensive quickly!
- Formal benchmarking is time-consuming. You must account for “the human element” and how long it may take those involved with the benchmarking to get contact information, set up meetings, and analyze and present the data.
INFORMAL BENCHMARKING

Informal benchmarking takes place in a more casual setting and doesn’t necessarily involve hard and fast data. For example, you may be a part of a CIO online forum or a group that meets monthly to discuss cybersecurity best practices.

Benefits Of Informal Benchmarking

- This process is significantly less time-consuming than formal benchmarking, so you can do it more frequently.
- Informal benchmarking is also much more cost effective. It’s a good starting point for younger companies that are just beginning the benchmarking process. It can also be a good supplement to formal benchmarking.
Risks Of Informal Benchmarking

- This method of cybersecurity benchmarking tends to be more subjective and qualitative. The takeaways may be helpful for the CIO in his day-to-day activity, but may not offer direct insights that can affect the organization as a whole.
- Some organizations won’t be interested in sharing their best cybersecurity practices, as those practices may be a part of their competitive advantage.
- Participants in these types of forums must consider antitrust issues and other legalities.

Informal benchmarking methods are helpful for the CIO in day-to-day activity, but don’t always offer direct, actionable insights.
DATA-DRIVEN BENCHMARKING WITH BITSIGHT

If you want a quantitative, objective view of your cybersecurity effectiveness compared to thousands of other organizations in your same sector, you need BitSight Security Ratings.

Security Ratings help you measure your performance and the performance of your peers over time by looking at externally accessible data and configurations on your network. This data does not require the permission of any company you examine and is updated daily. If there is a major change in your rating or the rating of a competitor, you’re alerted right away—so you can easily stay up-to-date on how you’re performing compared to your peers when it comes to certain metrics. When you combine Security Ratings with data you’re able to gather internally or through other formal and informal benchmarking activities, it gives you the easiest, most quantitative, and most cost-effective approach to cybersecurity benchmarking. Using BitSight can help you with three critical areas of cybersecurity benchmarking:
IDENTIFY SECURITY ISSUES RIGHT WHEN THEY HAPPEN.

Using the BitSight platform, you can examine specific threats, infections, and security issues that are targeting your competitors and peers. This will give you the insight you need to prepare for this type of attack vector or harmful security issue.

REDUCE RISK IMMEDIATELY.

The Security Ratings platform is web-based, so you can get started with your data-based cybersecurity benchmarking in no time. The BitSight platform also makes it easy to integrate Security Ratings into your existing benchmarking tools and processes through CSV downloads, PDF reports, and an API.

COMMUNICATE PERFORMANCE TO THE BOARD EFFECTIVELY.

Security Ratings are set up like a consumer credit score, making them easy to understand. This gives you a simple and effective way to communicate benchmarking information in the boardroom.
DO YOU KNOW WHERE YOUR ORGANIZATION STANDS IN REGARD TO CYBERSECURITY?

Being able to properly harvest and digest cybersecurity benchmarking information is critical for today’s CIO. If you realize that your cybersecurity is not at the level it should be, evaluating it properly can help you raise appropriate resources to fix the issues. If you’re overperforming, you can rest assured that your cybersecurity policies are meeting the standard of care required. (And having a handle on where you’re at with cybersecurity performance will help you rest easier, as well!)
If you want to see how BitSight’s Security Rating platform can help you benchmark your cybersecurity performance (and the cybersecurity performance of your vendors), request a free demo today.