Learn how an enterprise IT security benchmark is built, how it works, and what results it delivers. […]
Fear is a bad counselor, they say. And yet it is a leitmotif in many debates around the topic. Many manufacturers and providers of security solutions are quick to paint horror scenarios on the wall. There is no shortage of examples such as hacks, ransomware or security vulnerabilities. Who wants to be next? So better to invest quickly before you end up in the newspaper. Yet security is far from the only goal a CIO has to pursue. It is just as important not to lose sight of adequacy, customer and user orientation, costs or the requirements of digitization.
But how can success be measured? In top-class sports, the world’s best performances of the individual disciplines offer athletes orientation. The benchmarks of heights, times and distances are well known. In IT, this is different. Which discipline needs targeted further development in order to eradicate weaknesses? Which performance values are the benchmark of the market leaders? Where are top performances already achieved?
Just as the individual training sessions of a top athlete are embedded in an overarching training plan in order to achieve optimum speed, endurance and strength, IT security measures should also be embedded in a stringent action plan. The specifications of normative security define the concrete design of technical security.
Balanced and aligned with information security strategy, risk management and IT business continuity, the action plan provides an all-round view of security requirements and objectives. This is where the foundation for successful information security is laid. Based on this, concrete security architectures and technical measures are derived and implemented. Gaps in normative security usually lead to gaps in technical IT security.
The subject of benchmarking is therefore both areas of information security – normative and technical.
The eight disciplines of Normative and Technical Information Security (c) LEXTA Consultants Group
In Governance, the strategy and the basic principles of information security (IS) are defined and embedded in a management system (ISMS) in order to continuously develop information security. Risk Management – an essential element of modern security management systems – is considered separately due to its high relevance. This also applies to Business Continuity Management. Both specify the requirements and provide the framework for technical security. For example, is passive network security using firewalls still sufficient, or is active monitoring and integration into a Security Information and Event Management (SIEM) system required?
These concrete implementations are examined in the field of technical security. What is the maturity of overarching aspects such as identity and access management or security monitoring? How are the end devices of the users secured? What about the security of the infrastructure and business applications? Are the security gaps of tomorrow already avoided today by secure processes in development?
The process of benchmarking follows this scheme: after the mandatory Project Setup (coordination of the schedule and the participants) and the final Definition of the benchmarking scope, actual data is collected. This includes the recording of detailed services (over 200 individual items), the costs, the relevant quantity framework, the service levels as well as any special features.
Quantity frameworks are a defined set of quantities that are collected within the framework of benchmarks. They form the basis of the subsequent key figure analyses and vary from the number of security incidents investigated to the number of risk analyses carried out and the external personnel capacities used per discipline.
In the information security benchmark, the degree of implementation is additionally rated for each service. On the basis of a scoring model, the benchmark records for each information security process its degree of maturity, the extent of its use and its integration into the architecture of the technical IT security services.
A scoring model to measure the degree of implementation (c) LEXTA Consultants Group
This process usually takes about four weeks, and thus half of the eight-week project duration, although the actual duration depends strongly on the client's data situation. All relevant data is collected in interviews with the contact persons from technology and information management, and content and implementation are compared with the market in order to arrive at a reliable assessment.
Comparability will be ensured in the next two phases. The right data basis and the selection of the right comparison companies play a role here. On the one hand, this is done by normalizing any differences, such as deviations in cost accounting. On the other hand, a suitable reference group is selected from the benchmark database. This includes eight to twelve companies, which are subject to comparable requirements and have similar orders of magnitude.
These data are usually recorded first-hand by the benchmark consultant in comparable projects and are quality-assured. Only if the companies are comparable with one another are the results meaningful. If a company is subject to the KRITIS (German critical infrastructure) requirements, a different level of security is appropriate than for companies from an unregulated area. A company with 50,000 users has different cost structures than a company with 1,000 users.
In the last two phases, the benchmark is evaluated and optimization potential is identified.
In order to achieve the greatest possible significance and the greatest possible benefit with this benchmark, the relationship between costs and degree of implementation must be established. The optimal representation is provided by a matrix of the two dimensions.
Sample results for one of the eight possible benchmarking categories. The customer is in the upper right quadrant: it shows a slightly higher degree of implementation, but also higher costs, than the average of the comparison group. This means that the company spends significantly more money than the comparison-group average to achieve its degree of implementation. A position in the lower right quadrant would be ideal. (c) LEXTA Consultants Group
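As an added illustration of the cost / degree-of-implementation matrix described above (example code written for this page, not LEXTA's own tooling), the following script normalizes cost per user so that companies of different sizes remain comparable, takes the mean of a constructed reference group of eight peers, and places the client in one of the four quadrants. All figures are constructed sample values.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Participant:
    name: str
    users: int
    cost: float            # annual cost of the discipline, currency units
    implementation: float  # degree of implementation from the scoring model, 0..100


# Constructed sample reference group (8 peers; the page calls for 8 to 12)
REFERENCE_GROUP = [
    Participant("peer-1", 10_000, 1_000_000, 60),
    Participant("peer-2", 20_000, 1_800_000, 65),
    Participant("peer-3", 5_000, 600_000, 55),
    Participant("peer-4", 40_000, 3_200_000, 70),
    Participant("peer-5", 15_000, 1_650_000, 68),
    Participant("peer-6", 8_000, 720_000, 58),
    Participant("peer-7", 25_000, 2_500_000, 72),
    Participant("peer-8", 12_000, 1_320_000, 64),
]
CLIENT = Participant("client", 20_000, 2_600_000, 68)  # constructed


def cost_per_user(p: Participant) -> float:
    """Normalize cost by user count so a 50,000-user and a 1,000-user company compare."""
    return p.cost / p.users


def place_in_matrix(client: Participant, peers: list) -> dict:
    """Compare the client against the peer mean on both axes.

    Vertical axis: cost per user (upper = more expensive than the peer mean).
    Horizontal axis: degree of implementation (right = higher than the peer mean).
    The ideal position is lower right: higher implementation at lower cost.
    """
    if not 8 <= len(peers) <= 12:
        raise ValueError("reference group should contain 8 to 12 comparable companies")
    avg_cost = mean(cost_per_user(p) for p in peers)
    avg_impl = mean(p.implementation for p in peers)
    client_cost = cost_per_user(client)
    vertical = "upper" if client_cost > avg_cost else "lower"
    horizontal = "right" if client.implementation > avg_impl else "left"
    return {
        "quadrant": f"{vertical} {horizontal}",
        "cost_per_user": client_cost,
        "peer_avg_cost_per_user": avg_cost,
        "cost_deviation_pct": (client_cost - avg_cost) / avg_cost * 100,
        "implementation_gap": client.implementation - avg_impl,
    }


if __name__ == "__main__":
    print(place_in_matrix(CLIENT, REFERENCE_GROUP))
```

For the constructed data the client lands in the upper right quadrant, 30% above the peer cost per user with a 4-point higher degree of implementation, which is exactly the situation the figure caption describes.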
The assessment of each discipline provides important impulses for the further design of the . For the wise interpretation of the results, the overall picture is important. For this purpose, further detailed evaluations are made on the degree of implementation, quantities, number of employees, service level, etc. A large number of key figures are evaluated for this purpose. This creates a context for the benchmarks and identifies deviations from the market.
Possible levers for improvement are derived from observations (c) LEXTA Consultants Group
Based on the benchmarking results and the observations made during data collection, possible levers for improvement are also derived. The focus is on key figures for effectiveness as well as efficiency, for example the degree of coverage of security processes, the number of security incidents per user or the personnel capacities per area.
Optimizations are identified along these dimensions: from strategic decisions based on technological trends, for example automation, to concrete tactical measures at the service level, such as the hardening of configuration or carrying out security tests. This search requires profound knowledge and many years of experience.
Through the structured market comparison, a benchmark provides clarity as to the efficiency and effectiveness of one’s own information security. While internal KPI systems can measure their own progress over time, a comparison with the market creates transparency as to whether the chosen goals and their achievement are still up-to-date and appropriate in a constantly evolving world.