Ninety-one percent of chief information security officers (CISOs), chief information officers (CIOs), and senior security and risk managers use peer benchmarking data to measure and mature their security programs.

However, security leaders use disparate methods when benchmarking their data, evaluating program maturity against varying standards and on different schedules.

A study from Blue Lava and Aimpoint Group titled "Security Program Management: Priorities and Strategies" explores how security leaders measure and manage security programs and communicate priorities to executives and boards. 

Today, security leaders have an unprecedented degree of visibility and influence in boardrooms. A majority of security leaders now meet with their board of directors quarterly (37.3%) or monthly (39.6%) to communicate security priorities and investment needs.

The report includes information about how often security leaders assess the maturity and effectiveness of their security programs. Key takeaways from the study include:

  • Security leaders use benchmarking data to show program improvement over time, communicate risk to stakeholders, justify security investments, and identify areas for improvement.
  • Twenty-one percent of security leaders assess the maturity of their security program more than once per year.
  • Nearly three-quarters (74.5%) of security leaders use NIST standards to measure program maturity and effectiveness. Forty-seven percent of respondents indicated that they use the ISO 27000 standard for the same purpose.

To participate in benchmarking initiatives across the industry, security leaders can complete the Security Benchmark Report survey. For more information, click here.