Security executives frequently come to us to request assistance in benchmarking their processes or performance metrics against those of similar companies. Usually we find that their interest is at least partially driven by a strong push from management. Business leaders recognize benchmarking as a proven business practice that can identify competitive strengths and vulnerabilities as well as opportunities for improvement. Benchmarking can inform corporate goal-setting and can play a significant role in strategic planning.
But while the demand for performance measures has trickled down to the security function, the appreciation for them hasn’t always come along for the ride. Too many security leaders create or find benchmarks for the sole purpose of appeasing their bosses rather than from an earnest desire to use these tools to explore what others are doing, address potential gaps and add value. When management asks for specific benchmarks, these leaders simply gather and present the information requested rather than thinking about, or asking, why and how that information is important to the business of security.