Founder & CEO, Corix Partners | Author “The Cybersecurity Leadership Handbook for the CISO and the CEO” | Board Advisor | Non-Exec Director
For as long as I have been involved in cybersecurity, I have heard top executives asking for benchmarking data around their cybersecurity practice. It might have been in terms of maturity, security spending or frequency of breaches, but “how are the others doing” has always been a fairly common question.
I think this goes way beyond “herd mentality,” and context is key to positioning the right answer. So before going any further, CISOs facing this type of situation must ask themselves where the concern is coming from.
Consider the context.
If the question is coming up in a context of budgetary or strategic orientation discussions, it often reflects a need for reassurance, if not plain discomfort, with regard to what is being proposed.
Top executives should know that each organization is different, even across the same industry (many would have built their careers moving from one firm to another across that spectrum).
They should also understand that differences in cyber maturity and risk appetite can drive different approaches and that organizations don’t easily share sufficient quantitative data at that level to allow meaningful comparisons: They—themselves—may not be comfortable seeing disclosed to competitors how much they are budgeting for cybersecurity for example.
Companies typically don’t have enough data for an accurate comparison.
The objective could be to drive the CISO’s ambitions up or down, but in most cases, the benchmarking question is politically loaded, and it has never been a simple one to answer quantitatively with any degree of accuracy.
I’ve noticed most CISOs have historically tried to address it in a qualitative manner based on anecdotal evidence gathered at conferences or through industry forums, but window-dressing a few anecdotal data points to make them look bigger than they are can be a dangerous and misleading game.
Only a small number of very large management consulting firms might have the necessary elements of data—or the reach to collect it. But even that reach is likely to be limited to the large firms able to afford their services, and they will have to anonymize or aggregate the findings to respect the confidentiality of their clients.
CISOs might be better off in many cases by sidestepping the question. For most firms, there is simply no defendable, sufficiently accurate, quantitative answer to the cybersecurity benchmarking question.
CISOs should focus instead on the underlying motivation of the senior executives behind the question.
Trust between executives is of paramount importance to any transformative initiative around cybersecurity, and the benchmarking question could be a symptom of trust erosion. That’s a far more serious matter to address than the collection of illusory comparative data.
Trust—at this level—will have its foundations in mutual respect, and that has to start for the CISO by listening to the real priorities and constraints of the leadership team and understanding the implications these may have on cybersecurity orientations, for good or for bad.
They will have to elevate their game to look convincingly beyond the tech horizon and showcase their understanding of the key governance and management matters at the heart of the cross-functional nature of cybersecurity in large firms.
As the “when-not-if” paradigm around cyberattacks becomes prevalent across the boardroom, CISOs must also focus their attention on demonstrating their long-term ability to execute transformative measures and stop relying only on their short-term firefighting skills to build up their case.
It is likely that benchmarking will cease to be a concern for senior executives if they have the sense cybersecurity is in firm hands and driven in a direction that matches their expectations and the needs of the firm.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here
