See Your Rating
Free Attack Surface Report
menu

How To Approach IT & Cybersecurity Benchmarking As A CIO

Melissa Stevens | November 22, 2016 | tag: Vendor Risk Management

To a chief information officer (CIO), cybersecurity is a multifaceted concern. Not only could a breach that results in a loss of sensitive data or information be a legal or reputational nightmare for their organization, but it could also cost them (and others in the C-suite) their job.

Thus, the question CIOs today must ask—regularly and consistently—is whether they’re protecting their data and information appropriately and to the best of their ability. The best way to answer this question is by understanding your cybersecurity effectiveness in comparison to other organizations in your industry, or benchmarking. For example, if you can determine you’re underperforming in cybersecurity compared to your peers, you’ll have a solid indication that you’re facing more risk and liability than they are.

Do your competitors and peers have a better cybersecurity game plan than you do? If simply answering that question seems exhausting, this guide can help.

There are two traditional methods used to approach IT security benchmarks: formal benchmarking and informal benchmarking. Both are used frequently in today’s business landscape and have a number of benefits and risks.

Formal Benchmarking

Formal benchmarking takes place when you gather data on your peers and competitors, analyze that data, and use it to form an IT security benchmark. This can take place in-house or through a consulting firm working on your behalf.

Benefits Of Formal Benchmarking

  • Ideally, formal benchmarking allows you to get a comprehensive picture of your peers’ and competitors’ performance. You can compare what they’re doing in regard to cybersecurity to what your organization is doing so you can bear down in the areas that need more work.

Risks Of Formal Benchmarking

  • Your analysis only gives insight for a particular point in time. Your peers and competitors are constantly changing—just as you are—and that change can bring about major differences in cybersecurity posture.
  • Your analysis is subjective and may focus too heavily on feelings rather than data.
  • Whether this is done in-house or through a consultant, this may be costly. It can get expensive quickly!
  • Formal benchmarking is time-consuming. You must account for “the human element” and how long it may take those involved with the benchmarking to get contact information, set up meetings, and analyze and present the data.

Informal Benchmarking

Informal benchmarking takes place in a more casual setting and doesn’t necessarily involve hard and fast data. For example, you may be a part of a CIO online forum or a group that meets monthly to discuss cybersecurity best practices.

Benefits Of Informal Benchmarking

  • This process is significantly less time-consuming than formal benchmarking, so you can do it more frequently.
  • Informal benchmarking is also much more cost effective. It’s a good starting point for younger companies that are just beginning the benchmarking process. It can also be a good supplement to formal benchmarking.

Risks Of Informal Benchmarking

  • This method of cybersecurity benchmarking tends to be more subjective and qualitative. The takeaways may be helpful for the CIO in his day-to-day activity, but it may not offer direct insights that can affect the organization as a whole.
  • Some organizations won’t be interested in sharing their best cybersecurity practices, as those practices may be a part of their competitive advantage.
  • Participants in these types of forums must consider antitrust issues and other legalities.

Download Cybersecurity Benchmarking: A CIO’s Guide for Reducing Security Anxiety

 The two traditional methods used in for IT security benchmarks aren’t without their complications. The nature of cybersecurity is sensitive—so many companies are simply unwilling or unable to discuss it openly. And if you are able to gather benchmarking data, it’s difficult to know whether the particular controls your peer put in place were actually effective.

Because we know this is a critical topic for today’s CIO, we’ve tackled it head-on in our latest ebook. In this ebook, we walk through why cybersecurity benchmarking is difficult for the modern CIO, different methods of benchmarking you may be involved in (or may want to consider), and how BitSight Security Ratings can solve many benchmarking challenges. Download it today!

 

CIO's Guide For Reducing Security Anxiety

Suggested Posts

Vendor Risk Management

5 Vendor Evaluation Tools to Add to Your Cyber Risk Management Toolkit

Kaitlyn Graham | December 9, 2021

Data breaches that originate through third parties are more commonplace than organizations are used to. The SolarWinds hack and Kaseya ransomware attack are two recent examples of threat actors exploiting the security practices of...

READ MORE »
Vendor Risk Management

BitSight Integrates With ServiceNow to Reduce Risk Throughout Vendor Management Programs

Kaitlyn Graham | May 12, 2021

Organizations rely on third-parties to keep competitive in the marketplace. The EY global third-party risk management survey highlights that in 2019–20, over 33% of the 246 global companies surveyed were managing and monitoring third-party...

READ MORE »
Vendor Risk Management

5 Best Practices for Conducting Cyber Security Assessments

Kaitlyn Graham | April 27, 2021

Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.

READ MORE »

Get the Weekly Cybersecurity Newsletter.

© 2026 BitSight Technologies. All Rights Reserved. | Privacy Policy | Security | For Suppliers

Contact Us | BitSight Technologies | 111 Huntington Ave, Suite 2010, Boston, MA 02199 | +1-617-245-0469