There is No Industry Average for Security Maturity

By Eric Noonan • December 23, 2015

“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations ask whether their results can be compared to those of other companies in their specific industry. On the surface, this “benchmarking” seems to be a reasonable request. CIOs want to spend as much on security as their peers; CISOs want to be “as secure” as their competitors. Nobody wants to devote wildly more or fewer resources to the effort than others in their industry. However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable for two reasons.

First, the results of an organization’s security maturity assessment are very rarely shared or made public. The report and its associated gaps are often treated as highly sensitive, with some deficiencies even qualifying as vulnerabilities that are very tightly controlled. No company, no matter how glowing the results, would readily share the results of a security maturity assessment with competitors without significant legal review. There may be some research reports that poll CISOs anonymously and include spending statistics, but the level of detail on control compliance is never meaningful enough to compare security posture.

The second and more important reason not to compare your security maturity against competitors is that the comparison is not a meaningful or actionable metric. Your level of compliance as compared to another company is irrelevant to you, your customers, and your vendors. It’s the same logic used by a child trying to convince his parents to allow him to do something “because everybody else is doing it.” Security assessments measure compliance and maturity against a structured control framework such as NIST 800-53, ISO 27001, or the 20 Center for Internet Security (CIS) Controls for Effective Cyber Defense. Security assessments should strive for excellence, measuring against an industry-accepted set of best practices. Information security maturity is a journey, measured through continuous assessment, remediation, and improvement. Measurement of that journey is only applicable to you and your organization.

There is value in information-sharing consortiums and in CISO networking to get a feel for how other companies in your industry are addressing cybersecurity. And it is OK to want to be better than our peers. But the security assessment of your efforts should be your own, measured against a recognized standard of excellence by an independent cybersecurity firm with real-life experience.
