CYBERSECURITY

BENCHMARKING
A CIOS GUIDE FOR REDUCING SECURITY ANXIETY
INTRODUCTION
In order for a business to be competitive, it must be
continuously improving. This is something the modern chief
information officer (CIO) knows all too welland has likely
lost some sleep over! But in order to build out the business
structure and technical functionality that enables your
organization to deliver products and services quickly and
efficiently, you have to know how youre doing compared to
how your competitors and peers are doing.

In other words, CIOs today must be So in order to understand whether

highly effective at benchmarking.
But as the CIO, you know you
cant outsource riskand you
have to consider the risk posed
by every new business function in
your organization. With constant
technological advances in business
today, cyber risk is one area that
requires a great deal of thought from
the CIO.
If you dont have a complete picture
of your organizations security
performance compared to your
peers, youre flying blind.
you need to drive cybersecurity
improvements across the organization,
you have to consider whether youre
accepting too much risk in comparison
to your peers and competitors.
Below, well walk through the
following:
 Why cybersecurity benchmarking is
difficult for the modern CIO.
 Different methods of benchmarking
you may be involved in (or want to
consider).
 How Security Ratings may solve
many benchmarking challenges.

Page 2
WHY CYBERSECURITY BENCHMARKING IS A CHALLENGE FOR CIOS TODAY
WHY CYBERSECURITY BENCHMARKING IS
A CHALLENGE FOR CIOS TODAY
YOUR JOB MAY BE ON
THE LINE.
CIOs and CISOs are often the first on
the chopping block when things go
wrong in the cybersecurity space. So
as the CIO, you want to know with
certainty how your organizations
cybersecurity performance is doing
so you can feel confident in your
practices (and sleep better at night).
YOU HAVE TO KNOW THAT
YOUR BENCHMARKING
EFFORTS ARE EFFECTIVE.
For example, If you are gathering
data on the best practices of your
peers and competitors, simply
knowing that many of them have a
cybersecurity training program for
employees isnt enough.
As the CIO, you have to know
whether or not this training program
actually works. In other words,
gathering qualitative information
without any hard and fast metrics to
back it up is useless.
ACCURACY IN BENCHMARKING
IS CRITICAL.
One of the most famous pieces of
advice in cybersecurity is the oft-
quoted trust, but verify. If you or
your consultant gather data through
interviews and discussion with peers
and competitors, you may not have
any way to verify that the information
youve been given is accurate. Your
employees, consultants, and peers
are only human and are prone to
misinformation, misinterpretation, and
error.
Page 3
WHY CYBERSECURITY BENCHMARKING IS A CHALLENGE FOR CIOS TODAY
YOU HAVE TO BE ABLE TO
CLEARLY COMMUNICATE
CYBERSECURITY
EFFECTIVENESS TO THE 
BOARD.
Ten to 15 years ago, cybersecurity
was an afterthoughtand certainly
wasnt a critical issue in the
boardroom. Today, this has changed
dramatically. Boards today expect
good cybersecurity hygiene and
need to be updated on the status of
a cybersecurity program regularly.
Your board will expect you to discuss
a number of cybersecurity metrics,
which are often divided into two
categories:
 Audit and compliance metrics:
These deal with legal or fiduciary
requirements like Are we ISO-
27001-compliant? and Do we
have any outstanding high-risk
findings open from our last audit or
assessment?
Operational effectiveness
metrics: These are quantitative
metricsbacked with actionable
datathat take a deep dive into
the state of your cybersecurity
program. Operational metrics
are backed with actionable data.
For example, How quickly can
we (or our vendors) identify and
respond to incidents? And, How
did we compare to our peers
across a certain time span? The
latter question could be difficult to
answer if you dont have the right
databut with BitSight Security
Ratings (which well discuss later
on in this guide) you can easily
compare your performance to a
number of your competitors over a
period of time.
Page 4
FORMAL VS. INFORMAL CYBERSECURITY BENCHMARKING
FORMAL VS. INFORMAL
CYBERSECURITY BENCHMARKING
There are two traditional
methods used for cybersecurity
benchmarking: formal and informal.
Both are used frequently in todays
business landscape and have a
number of benefits and risks.
FORMAL BENCHMARKING
Formal benchmarking takes place
when you gather data on your peers
and competitors, analyze that data,
and use it to form a benchmark. This
service can take place in-house or
through a consulting firm working on
your behalf.
Benefits Of Formal
Benchmarking
 Ideally, formal benchmarking
allows you to get a
comprehensive picture of
your peers and competitors
performance. You can compare
what theyre doing in regard
to cybersecurity to what your
organization is doing so you can
bear down in the areas that need
more work.
Risks Of Formal Benchmarking
 Your analysis only gives insight
for a particular point in time.
Your peers and competitors are
constantly changingjust as
you areand that change can
bring about major differences in
cybersecurity posture.
 Your analysis is subjective and may
focus too heavily on feelings rather
than data.
 Whether this is done in-house
or with a consultant, this may be
costly. It can get expensive quickly!
 Formal benchmarking is time-
consuming. You must account for
the human element and how long
it may take those involved with
the benchmarking to get contact
information, set up meetings, and
analyze and present the data.
Page 5
ACTIONABLE RISK VECTORS & CONFIGURATIONS TO CONSIDER
INFORMAL BENCHMARKING
Informal benchmarking takes place
in a more casual setting and doesnt
necessarily involve hard and fast
data. For example, you may be
a part of a CIO online forum or a
group that meets monthly to discuss
cybersecurity best practices.
Benefits Of Informal
Benchmarking
 This process is significantly less
time-consuming than formal
benchmarking, so you can do it
more frequently.
 Informal benchmarking is also
much more cost effective. Its a
good starting point for younger
companies that are just beginning
the benchmarking process. It can
also be a good supplement to
formal benchmarking.
Risks Of Informal Benchmarking
 This method of cybersecurity
benchmarking tends to be more
subjective and qualitative. The
takeaways may be helpful for the
CIO in his day-to-day activity, but
may not offer direct insights that
can affect the organization as a
whole.
 Some organizations wont be
interested in sharing their best
cybersecurity practices, as those
practices may be a part of their
competitive advantage.
 Participants in these types of
forums must consider antitrust
issues and other legalities.
Informal benchmarking
methods are helpful
for the CIO in day-to-day
activity, but dont always
offer direct, actionable
insights.
Page 6
DATA-DRIVEN BENCHMARKING WITH BITSIGHT

DATA-DRIVEN BENCHMARKING
WITH BITSIGHT
If you want a quantitative, objective view of your cybersecurity
effectiveness compared to thousands of other organizations in
your same sector, you need BitSight Security Ratings.

Security Ratings help you

measure your performance and
the performance of your peers
over time by looking at externally
accessible data and configurations
on your network. This data does
not require the permission of any
company you examine and is
updated daily. If there is a major
change in your rating or the rating
of a competitor, youre alerted right
awayso you can easily stay up-
to-date on how youre performing
compared to your peers when it
comes to certain metrics. When
you combine Security Ratings
with data youre able to gather
internally or through other formal
and informal benchmarking
activities, it gives you the easier,
most quantitative, cost-effective
approach for cybersecurity. Using
BitSight can help you with three
critical areas of cybersecurity
benchmarking:

Page 7
IDENTIFY SECURITY ISSUES
RIGHT WHEN THEY HAPPEN.

Using the BitSight platform, you can

examine specific threats, infections,
and security issues that are targeting
your competitors and peers. This
will give you the insight you need to
prepare for this type of attack vector
or harmful security issue.

REDUCE RISK IMMEDIATELY.

The Security Ratings platform is

web-based, so you can get started
with your data-based cybersecurity
benchmarking in no time. The
BitSight platform also makes it
easy to integrate Security Ratings
into your existing benchmarking
tools and processes through CSV
downloads, PDF reports, and an API.

COMMUNICATE
PERFORMANCE TO THE
BOARD EFFECTIVELY.

Security Ratings are set up like a

consumer credit score, making
them easy to understand. This
gives you a simple and effective
way to communicate benchmarking
information in the boardroom.

Page 8
DO YOU KNOW WHERE YOUR
ORGANIZATION STANDS IN
REGARD TO CYBERSECURITY?

Being able to properly harvest and digest cybersecurity benchmarking

information is critical for todays CIO. If you realize that your cybersecurity is not
at the level it should be, evaluating it properly can help you raise appropriate
resources to fix the issues. If youre overperforming, you can rest assured that
your cybersecurity policies are meeting the standard of care required. (And
having a handle on where youre at with cybersecurity performance will help
you rest easier, as well!)

If you want to see how

BitSights Security Rating
platform can help you
benchmark your cybersecurity
performance (and the
cybersecurity performance of
your vendors), request a free
demo today.

REQUEST FREE DEMO

Page 9