There is No Industry Average for Security Maturity

By Eric Noonan • December 23, 2015

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations ask whether their results can be compared to those of other companies in their specific industry. On the surface, this “benchmarking” seems a reasonable request. CIOs want to spend as much on security as their peers; CISOs want to be “as secure” as their competitors. Nobody wants to devote wildly more or fewer resources to the effort than others in their industry. However, the request to see your company’s security maturity “score” stacked side-by-side with other companies’ is not attainable, for two reasons.

First, the results of an organization’s security maturity assessment are very rarely shared or made public. The report and its associated gaps are often treated as highly sensitive, with some deficiencies even qualifying as vulnerabilities that are very tightly controlled. No company, no matter how glowing the results, would readily share the results of a security maturity assessment with competitors without significant legal review. There may be some research reports that poll CISOs anonymously and include spending statistics, but the level of detail on control compliance is never meaningful enough to compare security posture.

The second and more important reason not to compare your security maturity against competitors is that it is not a meaningful or actionable metric. Your level of compliance as compared to another company is irrelevant to you, your customers, and your vendors. It’s the same logic used by a child trying to convince his parents to allow him to do something “because everybody else is doing it”. Security assessments measure compliance and maturity against a structured control framework such as NIST 800-53, ISO 27001, or the 20 Center for Internet Security (CIS) Controls for Effective Cyber Defense. Security assessments should strive for excellence, measuring against an industry-accepted set of best practices. Information security maturity is a journey, measured through continuous assessment, remediation, and improvement. Measurement of that journey is only applicable to you and your organization.

There is value in information sharing consortiums and in CISO networking to get a feel for how other companies in your industry are addressing cybersecurity. And it is ok to want to be better than our peers. But the security assessment of your efforts should be your own, measured against a recognized standard of excellence by an independent cybersecurity firm with real-life experience.
