The Case for Industry Benchmarking

And using tools like Calibrate to build cyber resilience.

05 December 2022

By Alessia Oliveri

In this article:

  • With cyber risk growing across all industries, visibility of your own risk is getting more difficult. 
  • Industry benchmarking can help organisations compare their risk against their peers to drive performance.  
  • The process of researching, benchmarking, and reporting can be strenuous. 
  • Recommendations for key areas to measure, how to measure them, and how to determine if Calibrate, our benchmarking software, could simplify the process. 

Why Use Industry Benchmarking?

Risk is becoming everyone’s business, and it’s only growing as the market becomes more populated with additional compliance and legislative regulations, additional threats to security, and changing economies. It can be easy to lose sight of how protected our businesses really are in today’s ever-changing environment. The need for a view of your organization’s overall risk is growing, and keeping track of it across multiple platforms or mediums is becoming more difficult.

How Much Value Can Industry Benchmarking Really Hold?

While benchmarking, by definition, focuses on providing a comparative standard to incentivize performance improvements, many cyber security teams have found it hard to use benchmarking to support organizational cyber resilience.

But there’s a strong business case for industry benchmarking: it is more effective than one-off engagements, and can save headaches in the long run. Long story short, cyber security improvement programs are built beyond point-in-time assessments and can set a benchmark target on an annual basis to create and track real KPIs.

When organizations understand and compare themselves against industry peers regularly between assessments, industry benchmarking insights can:

  • Drive performance: demonstrating organizational performance compared to peers.
  • Identify improvement areas: highlighting key priorities which require additional investment to improve cyber maturity and resilience.
  • Provide executive reporting: to communicate organization performance to executives with a conclusive viewpoint.
  • Support progress monitoring: by enabling companies to assess, adapt, and flourish through industry changes.

What Are the 3 Pillars of a High-Quality Cyber Resilience and Industry Benchmarking Program?

No matter how you go about industry benchmarking, there are elements that will always make for a more robust, useful data set to build cyber resilience. 

  • Meaningful Benchmarking: Build from comprehensive data gathered from organizations across all sectors.
  • Investment Validation: Data-driven insights give the knowledge to make effective decisions, validate current investment, and justify future investments.
  • Visibility: Cyber security resilience highlighting where organizations can make improvements.

The Case for Calibrate

At NCC Group we see Calibrate as our personal trainer: it helps us identify weaknesses and areas for improvement, and provides key industry insights based upon real industry data.

Calibrate’s benchmarking offers a data-driven measure of security performance, allowing organizations to establish a quantified baseline across both qualitative and quantitative assessment styles, with a view of comparative data, to achieve resilience. Our tool, Calibrate, highlights meaningful benchmarks based on industry verticals, to encourage data comparisons with other organizations in the same sector.  

Calibrate is powered by cutting-edge automated analysis techniques, intelligent data algorithms and rich NCC Group datasets across the field of consultative risk and controls assessments, as well as vulnerability assessments. It provides a holistic view of organizational cyber resilience, with data feeds from various cyber security assessments to document a view of organizational cyber risk, resilience, and an executive summary of improvement areas.  

In short, we support our clients to improve their cyber resilience and maturity performance by encouraging the utilization of industry benchmark comparisons. For score improvements, organizations need to have materially improved their cyber risk position based upon addressing the highest risk and most impactful remediation actions, prior to their next cyber assessment. 

About the Author

Alessia Oliveri

Product Manager, NCC Group Global

As a Certified Product Manager at NCC Group, Alessia is responsible for managing the product development direction and cyber product strategy to align with both business and consumer needs. Working predominantly within the cyber risk and GRC space, this includes understanding regional differences and focusing on the voice of the customer to ensure our products are providing the utmost value to our consultants and clients.

Want to get started with Calibrate?  

Once you’ve completed a Cyber Security Review, or if you currently use our MVSS services, you are eligible to start. Reach out to our industry benchmarking experts to set your sights on the future of resilience with Calibrate.