CISO Board Basics: Communication Strategies: Security Benchmarking
Kudelski Security is supported by its Client Advisory Council (CAC) a group of industry CISOs who provide insight and advice on the strategic direction and program priorities of the business. The Client Advisory Council report on Facilitating Cyber Board Communications was written as a result of discussions with the CAC members as well as seasoned security leaders in EMEA and the U.S., and offers practical guidance and insight on improving communication with the board of directors. In this blog, I’m going to cover some extra points that we weren’t able to include in the final document related to one of the top, most challenging questions CISOs face when communicating with the C-Suite.
In this article:
- A challenging question: “How do we compare with our peers?”
- Benchmark using an industry standard security framework
- Benchmark security spend against your peers
- Benchmark maturity of individual program components
- More board communication strategies for CISOs
Table of contents
How do we compare with our peers?
The issue in question is “How do we compare with our peers?” As with nailing all the board questions that come up for CISOs, the starting point is to understand what the board wants to know.
According to a majority of Council members, it boils to investment and whether the organization is spending enough on security compared to everyone else. Interestingly, and as an aside, the boards indicated that they want to be equitable or even higher than peers within their industry but do not want to overspend in areas with diminishing returns on investment.
The responses from Council members regarding how to answer this challenging board question fall into three broad security benchmarking strategies.
Strategy number 1: Benchmark using an industry standard security framework
Most of the CISOs we talked to suggest using this strategy:
- CISOs should communicate how the security framework was selected and why they think the framework fits their company.
- Then CISOs should demonstrate how the company’s security program is measured against this framework, highlighting specifically where the start point was, and the progress made to the target state of maturity.
One piece of advice from one CISO to another “Always check whether investments are worthwhile from a risk reduction point of view.”
One of our Council CISOs from a Fortune 1000 company told us he was asked by his board what it takes to increase maturity score from a 2.4 to a 3.2 in one area of their security program. In this case, they recommended that before taking any action, it needed to be determined whether taking that step was worth it in terms of investment and risk reduction.
Strategy number 2: Benchmark security spend against your peers
A high number of our members also pointed to benchmarking security spend as a key strategy. Obviously, the problem here is the fact data sharing on these matters is highly sensitive and confidential.
So where do CISOs need to look to find what their peers are spending on security?
- One CISO from the technology industry recommends first looking at research firms, such as Gartner, Forrester, 451 Group, etc., that can provide information related to specific verticals.
“Start with the average security spend for a vertical, and then tweak the number based on the organization size and innovation, knowing that firms that are innovative will typically spend more on security than traditional firms.”
- Another valuable source of information is peer CISOs. Some of the CISOs we interviewed meet with their CISO peers regularly to discuss security maturity, staff, and budget topics. The general recommendation is “make friends with peers in cyber and try not to be competitive when it comes to security.”
- Participate in forums and share information within peer groups. One CISO from the media and entertainment industry obtains their benchmarking information from an industry-specific cyber community. They meet monthly to get updates on industry cyber trends, compare cyber programs and maturity, and share the latest incidents that have impacted them.
Strategy number 3: Benchmark maturity of individual program components
The third strategy focuses on a security program maturity benchmarking.
- Identify the functional or capability outcomes your peers are trying to achieve, what gaps they are trying to close, and the steps they have taken to do so. This recommendation came from one Fortune 500 CISO based on his experience that his peers gain a good idea about industry norms from the maturity assessments they run.
- As a general note, if you do not know how your program compares to your peers’, don’t guess. Instead, use strategy number one: pivot your answer to a security framework, as this is something you can control and justify.
More board communication strategies for CISOs
For a more comprehensive guide to answering tough questions from the boardroom, read our Cyber Business Executive Research: Cyber Board Communications & Metrics in full.