The findings of a survey conducted by Tenable on companies’ use of benchmark data have been revealed.
Tenable’s Technical Director Gavin Millard shared the findings in a blog post on the company’s website.
The study found that nearly three quarters (73%) of the 280 IT and security professionals polled at the event confirmed the importance of using metrics to benchmark their cyberexposure.
A fifth of respondents (21%) said they did not currently use any benchmark data when communicating with the board of directors or c-suite – although they would like to do so.
Only 18% said they saw no value in sharing such data with c-level leadership, and the majority of survey respondents (54%) said they were already comparing their organisation’s metrics against those of their industry peers.
Yet, more than a third of these respondents (35%) said they would like comparative peer data; only 19% said they were happy with the benchmark data available.
More than a quarter of respondents (26%) said they don’t currently benchmark against their peers and would like to do so.
Speaking about the findings, Millard said: “The ability to proactively measure and demonstrate how cyberexposure risk changes over time is crucial to communicating the value of cybersecurity investments to the c-suite and board of directors.
“Equally important is the ability to show how an organisation’s cyberexposure management efforts compare to that of its peers. Yet, the vast majority of IT and cybersecurity professionals surveyed by Tenable said they’re not happy with the benchmarking data they use to demonstrate the effectiveness of their security program to business leaders.
“In order to understand where an organisation is exposed, and determine which cybersecurity efforts are most effective, you need visibility into vulnerabilities and threats. But such visibility is only the beginning. You also need the ability to analyse the data and track the organisation’s ability to react appropriately when issues are discovered.
“Data showing how your cyberexposure posture has improved over time – and how it stacks up against that of your industry peers – allows you to demonstrate the value of your cybersecurity investments and support your requests for additional resources. The ability to share these cyberexposure benchmarks with your c-suite and board helps you improve their understanding of the organisation’s risk posture.”