SecurityWeek

Management & Strategy

The Importance of Benchmarking in Your Security Program

Do You Have Data Around What Security Products and Services Other Organizations Use and How They Use Them? 

As a security professional, you likely have a pretty good idea of what your organization’s security program looks like. You likely evaluate new risks and threats continuously to understand how they may affect your organization. You probably enlist the help of third-party organizations that focus on helping security professionals stay on top of new, interesting, and innovative products and services. You might take input from a few other places as well. All of this is done in an effort to stay informed and up-to-date, with the intent of making decisions based on data and facts rather than on speculation or feeling.

But what if you had an entirely different set of data points to aid your decision making process? What if you had data around what security products and services other organizations use and how they use them? What if you knew how effective different products and services were, and whether or not they might work in an environment like yours? What if you had an understanding of people’s experiences with various products and services that you might be considering, or perhaps those that you may never have considered were it not for the knowledge of your peers?

Let’s take a step back and look at the big picture. What I’m getting at is the ability to anonymously benchmark your security architecture against that of other organizations. The information you receive in return can play an important role in the decision making process around buying security products and services.

Of course, like any term used in the security field, there can be a bit of confusion around what the term benchmarking means.  To be precise, I am not referring to simply understanding the results of tests that have been performed on a given product.  That information is important of course, but it is not enough.  What I am referring to here is understanding how an organization’s security architecture compares with those of its peers, how it compares to industry standards and best practices, and where different gaps and shortcomings exist that lower the overall security maturity of the organization.

Let’s take a look at a few of the different ways in which benchmarking can help organizations make more informed decisions around their security programs.

Peer Pressure

Sometimes peer pressure, or more precisely peer knowledge and experience, can be a good thing. It can be helpful to know what security products and services other organizations use and how they use them. What are their experiences with different products and services like? Where have they invested their security budgets, and where are they looking to invest future security budget? How do parameters such as industry sector, organization size, security team size, and security budget size affect the peer group’s data? The more closely I can align the data set to match my particular peer group, the more accurate and helpful it will be for me. But of course, in order to take advantage of this, I need the ability to quickly and easily access and interact with this data. And that necessitates a benchmarking capability.

Gap Analysis


Performing a gap analysis is a great way for an organization to understand which specific areas of security it needs to focus on improving. There are a number of different ways in which a gap analysis can be performed. A sufficiently large security team can take a look at where it stands currently versus where it would like to go (per its strategic plan). The “gap” between the two is where the organization can focus on improving. Alternatively, an organization can bring in a third party to perform a gap analysis and recommend where it would make sense to focus efforts in the future. But what if there were another way? What if I could understand where my peers, who likely face similar issues and challenges, have invested? What if I could use that data to help me understand the different areas in which I may need to think about improving? This is certainly not the only data point to consider in the decision making process, but it is one that can provide a great deal of insight.

One-Person Show

Large businesses typically have relatively large security teams. That means there are likely to be more resources available for things like performing a gap analysis. However, when we take a look at small and medium-sized businesses, we see that they often have much smaller security teams. In many cases, security is simply an added responsibility for the IT team. In those situations, how can a small team that is time- and resource-strapped plan strategically for the future? This is where benchmarking can help. When resources are tight, learning from the knowledge and experience of others, as well as understanding where peers have chosen to invest, can save time and money.

Benchmarking is about much more than simply understanding how well a given product or service lives up to expectations.  It’s also about understanding how people use a variety of different products and services, what specific challenges they use them to address, and how those products and services fit into the organization’s overall security strategy.  It’s about learning from the experiences of others and sharing our own experiences in return.  It’s about crowdsourcing knowledge around a variety of topics so that we are all more knowledgeable as a result.  There are many advantages to security benchmarking, and it is a capability that is sorely needed, particularly in the SMB market.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
