NEW FROM CSX
Benchmarking Your Cybersecurity Program
By Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC
The Nexus | 2 November 2015
You have probably heard the adage, “Hackers only need to get it right once. We need to get it right every time.” Well, you cannot truly expect perfection in your organization, but you can expect excellence. You can expect your processes to be the best processes possible. Needless to say, the problem is not a shortage of cybersecurity frameworks and guidance to help with your processes. For starters, we have AXELOS’ RESILIA, the Center for Internet Security’s (CIS) Critical Security Controls, US Department of Energy/Department of Homeland Security’s (DoE/DHS) Cybersecurity Capability Maturity Model (C2M2), ISACA’s COBIT 5 for Information Security, the International Organization for Standardization’s (ISO) Guidelines for Cybersecurity and the US National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity. The problem is not guidance, but focus.
You cannot do everything, or at least everything perfectly, so you must focus on those things that matter. So how do you know what matters? First, you align your cybersecurity goals with enterprise goals. The processes supporting those goals matter. Second, you benchmark your organization to your peers. Benchmarks highlight things that matter to your peers.
So what is benchmarking? It has many names; for example, peer averaging, best practice benchmarking and process benchmarking. Whatever you call it, simply put, benchmarking is the process of comparing your business processes and performance metrics to industry leaders or best practices from other organizations. You could do this by measuring quality, time or cost parameters. The upshot of doing this is learning how well others perform and, more important, gleaning the business processes and practices that explain why those organizations excel.
The COBIT 5 MEA02 process (Monitor, evaluate and assess the system of internal control) and, explicitly, management practice MEA02.01 call out benchmarking as an output. The results of MEA02.01 are an input to all management processes.
I used to get nervous when I heard the term benchmark. It is my own phobia resulting from my early career. Whenever I made a presentation on computer security looking for strategy approval or funding to my employer’s senior vice president (SVP), he would say, “What are the other banks doing?” Well, he was either a pioneer and prescient or an obstructionist and risk averse—I, obviously, thought the latter. To me, this smacked of the trailing edge: we would do it when others did it, regardless of the value of it. This kind of thinking led to the bank not needing access control until the other banks did. You will never be number 1 in your industry with that policy. But this is different. What if I could prove to you mathematically that there is a relationship between having a cybersecurity policy and earnings per share (EPS)? Or that organizations that followed documented processes have a higher return on investment (ROI)? Now that is cyberintelligence!
Benchmarking also has an unanticipated ancillary benefit: process owners, managers and operatives may learn that their process is an important part of the value chain and that their work is not taking place in a vacuum, but is contributing to the organization’s goals.
So benchmarking is another component of your continual improvement program. You could develop improvement plans or adapt specific best practices based on your benchmark results. Some of the questions benchmarking might answer include:
- What percentage of revenue do others spend on cybersecurity?
- What return on capital employed do others get? You could use ROI, return on security investment (ROSI), return on assets managed (ROAM), etc.
- What should you invest in to strengthen your security posture?
- What benefits are others getting from their cybersecurity program?
- On what should you focus?
Organizations engaging in benchmarking have achieved impressive improvements in profitability. Enterprises with best-in-class performance measurement consistently outperform their competitors. And, this is true across all industries and company sizes. So why would you not do it?
Mark my words: A benchmark is a hallmark of a bellwether organization.
Peter T. Davis, CISA, CISM, CGEIT, COBIT Foundation, COBIT Implementation, COBIT Assessor, COBIT INCS, CISSP, CPA, CMA, CMC, ITIL FC, ISO 9001 FC, ISO 20000 FC/LI/LA, ISO 27001 LI/LA, ISO 27005/31000 RM, ISO 28000 FC, ISTQB CTFL, Lean IT FC, Open FAIR FC, PMI-RMP, PMP, PRINCE2 FC, SSGB, RESILIA FC, is the principal of Peter Davis+Associates, a management consulting firm specializing in IT governance, security and audit. He currently teaches COBIT 5 Foundation/Implementation/Assessor, ISO 27001 Foundation/Lead Implementer/Lead Auditor, ISO 31000/ISO 27005 Risk Manager (RM), ISO 20000 Foundation, ISO 22301 Foundation, ISO 9001 Foundation and Project Management Institute Risk Management Professional (PMI-RMP) courses.