A Comprehensive Look at Cybersecurity Benchmarking Concerns
Understanding the Benchmarking Dilemma
The inquiry about benchmarking often highlights a deeper issue of trust between Chief Information Security Officers (CISOs) and senior management.
For as long as I have been engaged in the cybersecurity realm, I have observed that top executives frequently request benchmarking insights regarding their cybersecurity practices. This could relate to various aspects such as maturity levels, security expenditures, or the frequency of security breaches. The question, "How do we compare to others?" remains a prevalent one.
This inquiry transcends mere "herd mentality," and understanding the context is essential for providing an appropriate response. Therefore, before proceeding further, CISOs facing such inquiries should reflect on the underlying concerns driving these questions.
If the inquiry arises during discussions about budgets or strategic direction, it often signals a need for reassurance or discomfort with the proposals at hand. Executives, many of whom have moved between firms over the course of their careers, should recognize that each organization is unique, even within the same industry.
Additionally, variations in cybersecurity maturity and risk tolerance can lead to differing approaches. Organizations typically do not share adequate quantitative data at such levels to facilitate meaningful comparisons; they may hesitate to reveal their cybersecurity budgets to competitors, for instance.
The intent behind the benchmarking question could be to adjust the CISO’s objectives—whether upwards or downwards. However, in many instances, this question carries political implications and is rarely straightforward to answer with quantitative accuracy.
Historically, many CISOs have attempted to tackle this issue qualitatively, relying on anecdotal evidence collected from conferences or industry forums. However, embellishing a few anecdotal data points can be a precarious and misleading endeavor.
Only a handful of substantial management consulting firms may possess the necessary data or the capacity to gather it; however, their reach is often limited to large corporations that can afford their services, and even then, findings must be anonymized or aggregated to maintain client confidentiality.
In many cases, it may be more prudent for CISOs to sidestep the benchmarking question altogether. For most organizations, a defensible and sufficiently precise quantitative answer to the cybersecurity benchmarking query simply does not exist.
Instead, CISOs should concentrate on uncovering the genuine motivations of the senior executives posing the question. Trust between these parties is crucial for any transformative cybersecurity initiatives, and the benchmarking inquiry could signify a breakdown in that trust—a matter far more pressing than the acquisition of deceptive comparative data.
At this level, trust is rooted in mutual respect, which requires the CISO to actively listen to the priorities and constraints of the leadership team and to grasp the implications of these factors for cybersecurity strategy, both positive and negative.
CISOs must elevate their game by convincingly demonstrating a thorough understanding of the governance and management issues that make cybersecurity a cross-functional concern within large enterprises.
As the sentiment of "when—not if" regarding cyber-attacks takes hold in boardrooms, CISOs should also direct their focus toward showcasing their long-term capacity to implement transformative measures instead of relying solely on short-term crisis management skills to justify their role.
If executives feel that cybersecurity is being managed effectively and aligned with their expectations and organizational needs, it is likely that benchmarking will become a lesser concern.
The first video titled "The Reality vs. Expectation in Cybersecurity" explores the gap between perceived and actual cybersecurity practices, offering insights into the common misconceptions that leaders hold.
The second video titled "Cybersecurity Convocourses: Control Correlation Identifier (CCI), CIS, and STIGS" delves into the specific frameworks and standards that guide cybersecurity practices, providing valuable context for understanding benchmarking.
Conclusion: Building Trust Through Insight
CISOs must prioritize the establishment of trust with senior executives to facilitate successful cybersecurity initiatives. By addressing the motivations behind benchmarking inquiries and focusing on comprehensive governance strategies, CISOs can help ensure that cybersecurity practices align with the expectations of leadership.