Skip to main content
May 31, 2016

What is Benchmarking?

If you type ‘Benchmarking’ into Google, the top definition is “evaluating something by comparison with a standard”. Seems simple enough, but the bigger question here is – who sets that standard? In the past, we may have looked to the big enterprise size companies, however breaches such as; Talk Talk, and Target show us that it’s easy to see that even the biggest companies might not have concentrated on application security as much as you’d expected.

To make it even harder to benchmark your business, most major companies will tend to keep it close to their chest how their application security programme is performing. You wouldn’t shout to the bad part of your neighborhood how loud your burglar alarm is would you? This makes it hard for a CISO to truly benchmark its AppSec programme against its competitors.

Here are two ways to get started with benchmarking:

1 - Compare against industry standards

By focusing on comparing yourself to the statistics within your vertical, this allows for more of a transparent approach without fixating on specific companies that you would consider your competitor. In 2015, Veracode released a report which demonstrated the State of Software Security with a particular focus on industry verticals. By analyzing the results within this report, it would allow you to

2 - Use a benchmarking tool to do the hard part for you

There are some very good benchmarking tools out there that can do the research for you to compare how your company pairs up to the rest of the industry. Veracode can actually help you with your benchmarking by providing a dashboard that shows you what your peers are up to with their appsec programmes. By using a tool, this will allow for a better overall view, without focus on specific competitors but across the board.

Benchmarking alone isn’t enough

Comparing your business against the industry standards allows for good start to ensure you are performing well compared to your peers, but this is only the beginning. The standard being set by companies for application security is not the highest it could be. Companies should always be striving for excellence within their application security programme, so that the benchmark is always moving. By simply hitting that mark and being happy will always leave you one step behind the bad guys who could tear it all down tomorrow.

Helena is part of the EMEA marketing team based in the London office, focusing on localised campaigns, events and content specifically for the EMEA market. Helena’s been in the IT industry for a few years now, and has experience from a couple of the blue chip companies, with a range of responsibilities from creating content to project management.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.