{"id":1772,"date":"2025-02-04T19:38:59","date_gmt":"2025-02-04T19:38:59","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1772"},"modified":"2025-02-04T19:38:59","modified_gmt":"2025-02-04T19:38:59","slug":"it-pays-to-know-how-your-cybersecurity-stacks-up","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1772","title":{"rendered":"It pays to know how your cybersecurity stacks up"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Like all other business leaders, chief information security officers (CISOs) could find themselves on the unemployment line if something on their watch goes seriously sideways.<\/p>\n<p>But what if CISOs simply aren\u2019t demonstrating enough business value?<\/p>\n<p>With companies cutting costs, proving cybersecurity programs are good for the business has become vital to protecting budgets and jobs. That\u2019s why performance benchmarking is becoming mandatory for cybersecurity leaders everywhere.\u00a0<\/p>\n<p><strong>Pressure builds for cybersecurity benchmarking<\/strong><\/p>\n<p>As executives increasingly face risk-based performance metrics, CISOs will almost certainly feel more heat to quantify the success of their programs in meetings and reports. That means jumping out of their tech-oriented comfort zones and putting more priority on business issues like improving innovation, investment outcomes, and cybersecurity maturity.<\/p>\n<p>\u201cCISOs struggle to talk to the C-suite because what they want to know is, \u2018Am I safe? Am I secure?\u2019\u201d says Frank Dickson, group vice president of security and trust at market intelligence firm IDC. 
\u201cWhat CISOs tend to do, however, is report a bunch of activity-related features that don\u2019t answer those questions, which annoys CEOs.\u201d<\/p>\n<p>What CISOs need to emphasize, Dickson says, is how their activities will reduce risk. To that end, performance benchmarks enable leaders to monitor progress toward risk reduction and demonstrate how their programs stack up against internal goals as well as their peers. Moreover, they let CISOs capture and present business-relevant data.<\/p>\n<p>\u201cBoards and management teams are much more involved in cybersecurity these days,\u201d says Lou Celi, CEO of ThoughtLab Group, a global research firm. \u201cThey want to make sure they\u2019re not falling behind the eight ball. They don\u2019t want to be doing less than others.\u201d<\/p>\n<p><strong>Time to pick a standard<\/strong><\/p>\n<p>Numerous industry and association IT security frameworks can be useful for benchmarking, including the\u00a0<a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology (NIST)\u00a0<strong>Cybersecurity Framework<\/strong><\/a>, the Department of Defense\u2019s\u00a0<strong><a href=\"https:\/\/www.federalregister.gov\/documents\/2021\/11\/17\/2021-24880\/cybersecurity-maturity-model-certification-cmmc-20-updates-and-way-forward\" target=\"_blank\" rel=\"noopener\">Cybersecurity Maturity Model Certification (CMMC)<\/a><\/strong>, the International Organization for Standardization (ISO)\u00a0<strong><a href=\"https:\/\/www.iso.org\/standard\/iso-iec-27000-family\" target=\"_blank\" rel=\"noopener\">27000 series of standards<\/a><\/strong>\u00a0(ISO 27001 and 27002 are common for cybersecurity), among others. Most organizations and tools use these kinds of frameworks.<\/p>\n<p>Dickson says all these frameworks can be worthwhile to examine but notes their applicability and utility can vary by industry. 
He says it\u2019s a good idea to research and compare them and then \u201cpick one that works for you.\u201d<\/p>\n<p>If properly implemented, programs aligned to cybersecurity benchmarks can reduce the probability of network breaches. In fact, a\u00a0<a href=\"https:\/\/thoughtlabgroup.com\/cyber-solutions-riskier-world\/\" target=\"_blank\" rel=\"noopener\">ThoughtLab survey<\/a>\u00a0of 1,200 large companies found those that are further along in applying the NIST Cybersecurity Framework outperform others on key metrics like time to detect a breach (119 days for advanced organizations vs. 132 days for everyone else). Leading organizations also had fewer annual material breaches, according to the report.<\/p>\n<p>Those are the kinds of stats boards and C-suites love to hear. They indicate an organization faces a lower risk of attack, which helps communicate to the public that it is protecting not only its own data but also the data of its customers and partners.<\/p>\n<p>With a lower likelihood of being seriously hacked, a company is also far more agile and able to innovate, which can create competitive advantage.<\/p>\n<p>\u201cIf you have your house in order and can display a degree of agility, you can show leaders you\u2019re driving a \u2018shift-left\u2019 mentality,\u201d says Paul Watts, distinguished analyst with the ISF. \u201cThis is where you are taking a proactive stance for security in your organization against people, processes, and technology. It means you can pivot and do things in quick and innovative ways. You have the agility to try new things.\u201d<\/p>\n<p><strong>Approaches can vary<\/strong><\/p>\n<p>Still, gathering relevant data that shows how an IT security team is mapping to key standards can be tedious and tricky. Not all organizations do this particularly well.<\/p>\n<p>Many, for example, still take a DIY approach. 
They select a standard, assign staff to collect performance data from around the organization, and plug that data into spreadsheets. The trouble is that data gathering can be extremely time-consuming, and once the results are entered, they\u2019re often outdated. As a result, reports to the board or C-suite may not be as beneficial for business decision-making.<\/p>\n<p>Another approach is to hire a consultant to do a cybersecurity benchmarking analysis. This provides immediate resources and expertise that the CISO\u2019s staff may not possess. And in all likelihood, these outsiders may have a more up-to-date feel for the changing\u00a0<strong><a href=\"https:\/\/www.tanium.com\/blog\/what-are-cybersecurity-frameworks\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">cybersecurity frameworks landscape<\/a><\/strong> than in-house staffers. They can give companies a general idea of their security postures, but like the DIY approach, these are snapshot-in-time assessments that may not provide the most relevant context for senior leaders.<\/p>\n<p>A third approach is to invest in third-party performance benchmarking tools that can look across an enterprise, collect relevant data at scale, and report back in real time. Real-time tools ensure results aren\u2019t stale on delivery.<\/p>\n<p>Plenty of benchmarking tools are available. Some vendors, for instance, have released tools featured within their products or sold in tandem with them. 
The best tools allow organizations to compare their IT\u00a0<strong><a href=\"https:\/\/www.tanium.com\/blog\/what-is-a-cyber-risk-score-and-why-does-it-matter\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">risk metrics<\/a><\/strong>\u00a0in real time against industry peers and immediately fix issues from the same console, including\u00a0<a href=\"https:\/\/www.tanium.com\/products\/tanium-benchmark\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">Tanium Benchmark<\/a>.\u00a0<\/p>\n<p>Associations, such as the ISF, also provide\u00a0<a href=\"https:\/\/www.securityforum.org\/solutions-and-insights\/the-isf-benchmark-and-benchmark-as-a-service\/\" target=\"_blank\" rel=\"noopener\"><strong>free cybersecurity benchmarking tools<\/strong><\/a>\u00a0to their members, while groups like the Security Industry Association (SIA) offer\u00a0<a href=\"https:\/\/www.securityindustry.org\/member-resources\/research\/cybersecurity-imperative\/\" target=\"_blank\" rel=\"noopener\"><strong>useful benchmarking studies<\/strong><\/a>. Gartner also provides its own <a href=\"https:\/\/www.gartner.com\/en\/information-technology\/research\/benchmarking\" target=\"_blank\" rel=\"noopener\">benchmark reports<\/a>.<\/p>\n<p><strong>Aligning metrics<\/strong><\/p>\n<p>The bottom line: Organizations have plenty of paths for benchmarking performance. Combining several approaches can be useful. In fact, it\u2019s advisable, because benchmarked information is sometimes based on small, unrepresentative sample sets. 
Mixing internal and external data, therefore, can provide a broader and more balanced view of an organization\u2019s progress against metrics.<\/p>\n<p>To make sure metrics are aligned to the needs of the business, CISOs should have ongoing conversations with board members and senior leaders to understand changing priorities. The ISF\u2019s Watts says these conversations should assess how much risk leaders are willing to stomach over time.<\/p>\n<p>\u201c[Firms] have different appetites for risk,\u201d he says. \u201cThe embryonic startups are generally willing to take a bit more risk, as they\u2019re trying to grow and are willing to trip over their shoelaces. Larger organizations, especially those that are highly regulated or held to account by investors, tend to be more risk averse.\u201d<\/p>\n<p>Watts adds that CISOs should work with senior leaders to determine what level of cybersecurity maturity an organization should aim for and agree on paths for turning that position into competitive advantage.<\/p>\n<p>Brogan Ingstad, vice president of risk advisory at Teneo, a global CEO advisory firm, says CISOs should also make sure they\u2019re evaluating actual cybersecurity metrics. Some leaders, he says, believe operational concerns, such as head count and budget, count as cybersecurity metrics. While important from a management standpoint, CISOs should be more focused on demonstrating an organization\u2019s progress against security-specific benchmarks or goals, he says.<\/p>\n<p>It\u2019s also important to avoid boiling the ocean with metrics, says IDC\u2019s Dickson. Often, CISOs think they must chase 10 or 20 categories of metrics, when they\u2019d be better off targeting just a few. Dickson recommends three: security efficiency, risk, and business value.<\/p>\n<p>\u201cIn security, a lot of times we get caught up in trying to be perfect,\u201d he says. 
\u201cPerfect is the enemy of good, and with metrics it\u2019s OK to be good enough.\u201d<\/p>\n<p><a href=\"https:\/\/www.tanium.com\/platform?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=brand&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">Learn how to protect your business-critical endpoints and cloud workloads with the Tanium platform.<\/a><\/p>\n<p><em>This article was written by David Rand and originally appeared in\u00a0<\/em><a href=\"https:\/\/www.tanium.com\/p\/focal-point\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=riskcompliance&amp;utm_ID=701RO00000Fj6a6YAB&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\"><em>Focal Point<\/em><\/a><em>\u00a0magazine.<\/em><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Like all other business leaders, chief information security officers (CISOs) could find themselves on the unemployment line if something on their watch goes seriously sideways. But what if CISOs simply aren\u2019t demonstrating enough business value? With companies cutting costs, proving cybersecurity programs are good for the business has become vital to protecting budgets and jobs. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1773,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1772","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1772"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1772"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1772\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1773"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}