There is No Industry Average for Security Maturity
“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway
When planning for a security maturity assessment by an independent third party, many organizations often ask if their results can be compared to other companies in their specific industry. On the surface, this “benchmarking” seems to be a reasonable request. CIOs want to spend as much on security as their peers; CISOs want to be “as secure” as their competitors. Nobody wants to devote wildly more or less resources to the effort than those in their industry. However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable for two reasons.
First, the results of an organization’s security maturity assessment is very rarely shared or made public. The report and its associated gaps are often treated as highly sensitive, with some deficiencies even qualifying as vulnerabilities that are very tightly controlled. No company, no matter how glowing the results, would readily share the results of a security maturity assessment with competitors without significant legal review. There may be some research reports available that poll CISOs anonymously that might include spending statistics, but the level of detail on control compliance is never meaningful enough to compare security posture.
The second and more important reason to not want to compare your security maturity against competitors is that it is not a meaningful or actionable metric. Your level of compliance as compared to another company is irrelevant to you, your customers, and your vendors. It’s the same logic used by a child trying to convince his parents to allow him to do something “because everybody else is doing it”. Security assessments measure compliance and maturity against a structured control framework such as NIST 800-53, ISO 27001, or the 20 Center for Internet Security (CIS) Controls for Effective Cyber Defense. Security assessments should strive for excellence, measuring against an industry-accepted set of best practices. Information Security maturity is a journey, measured through continuous assessment, remediation, and improvement. Measurement of that journey is only applicable to you and your organization.
There is value in information sharing consortiums and through CISO networking to get a feel for how other companies in your industry are addressing cybersecurity. And it is ok to want to be better than our peers. But the security assessment of your efforts should be your own, measured against a recognized standard of excellence by an independent cybersecurity firm with real-life experience.