What Benchmark Data Do You Want?
Almost all security and risk professionals will want to see benchmarking results if given the opportunity. However, the reasons they give for viewing the results can be widely diverse. In this Security Barometer we wanted to take a closer look at those reasons for gathering benchmark data. More specifically we asked security practitioners what benchmarks they would like to gather from their peers and what it would be used for. The results can be seen below:
If you could only pick a handful of the most impactful data, what data would you want to gather from your peers to compare your program?The second part of this Security Barometer gathered some information about what security practitioners wanted to benchmark against. We thought you might be interested in seeing a list of selected responses to that question to spark some ideas for your metrics program:
Reference Materials on Benchmarking that You Can UseHere are a few articles that may help you on your quest for benchmarking for your program:
Security Executive Insight: Marking the Yardstick
The benefits of benchmarking for security are many, but the process has limitations. The council’s International Security Research Database hopes to address benchmarking’s weaknesses to make it a more valuable and reliable tool for security professionals.
“Garbage In” Can Cost You Your Job
Security practitioners and executives today have few options for collecting or accessing accurate, usable information. Currently there are four categories of information out there for security practitioners to draw from. In order of validity and rigor, they are: personal opinion, ad hoc benchmarking, selective and vetted benchmarking, and research.
Benchmarks Aren’t Magic, They’re Tools
Security executives frequently come to us to request assistance in benchmarking their processes or performance metrics with similar companies. Usually we find that their interest is at least partially driven by a strong push from management. Business leaders recognize benchmarking as a proven business practice that can identify competitive strengths and vulnerabilities as well as opportunities for improvement. Benchmarking can inform corporate goal-setting and can play a significant role in strategic planning.
Enterprise Security Metrics: A Snapshot Assessment of Practices
This report provides a snapshot of the use of metrics in corporate security management. It includes information on the current state-of-the-art of various models of benchmarking and security metrics, types of metrics, judging the maturity of security metrics programs as well as challenges and opportunities for those undertaking security metrics programs. This report specifically summarizes our learned experience from corporate security measures and metrics initiatives.