A Reality Check Around Cybersecurity Benchmarking
The benchmarking question is often a symptom of trust erosion between CISOs and senior execs
For as long as I have been involved in cybersecurity, I have heard top executives asking for benchmarking data around their cybersecurity practice.
It might have been in terms of maturity, security spending, or frequency of breaches, but “how are the others doing” has always been a fairly common question.
I think this goes way beyond “herd mentality”, and context is key to position the right answer, so before going any further, CISOs facing that type of situation must ask themselves where the concern is coming from.
If the question is coming up in a context of budgetary or strategic orientations discussions, it often reflects a need for re-assurance, if not plain discomfort, with regards to what is being proposed.
Top executives should know that each organisation is different, even across the same industry (many would have built their careers moving from one firm to another across that spectrum).
They should also understand that differences in cyber maturity and risk appetite can drive different approaches, and that organisations don’t easily share sufficient quantitative data at that level to allow meaningful comparisons: They – themselves – may not be comfortable seeing disclosed to competitors how much they are budgeting for cybersecurity for example.
The objective could be to drive the CISO’s ambitions up or down, but in most cases, the benchmarking question is politically loaded, and it has never been a simple one to answer quantitatively with any degree of accuracy.
Most CISOs have historically tried to address it in a qualitative manner based on anecdotal evidence gathered at conferences or through industry forums, but window-dressing a few anecdotal data points to make them look bigger than they are can be a dangerous and misleading game.
Only a small number of very large management consulting firms might have the necessary elements of data – or the reach to collect it; but even that reach is likely to be limited to the large firms able to afford their services, and they will have to anonymise or aggregate the findings to respect the confidentiality of their clients.
CISOs might be better off in many cases by sidestepping the question: For most firms, there is simply no defendable, sufficiently accurate, quantitative answer to the cybersecurity benchmarking question.
CISOs should focus instead on the underlying motivation of the senior executives behind the question.
Trust between them is of paramount importance to any transformative initiative around cybersecurity, and the benchmarking question could be symptom of trust erosion.
That’s a far more serious matter to address than the collection of illusory comparative data.
Trust – at this level – will have its foundations in mutual respect and that has to start for the CISO by listening to the real priorities and constraints of the leadership team, and understanding the implications these may have on cybersecurity orientations, for good or for bad.
They will have to elevate their game to look convincingly beyond the tech horizon and showcase their understanding of the key governance and management matters at the heart of the cross-functional nature of cybersecurity in large firms.
As the “when-not-if” paradigm around cyber-attacks becomes prevalent across the boardroom, CISOs must also focus their attention on demonstrating their long-term ability to execute on transformative measures and stop relying only on their short-term firefighting skills to build up their case.
It is likely that benchmarking will cease to be concern for senior executives if they have the sense cybersecurity is in firm hands and driven in a direction that matches their expectations and the needs of the firm.