If you type ‘Benchmarking’ into Google, the top definition is “evaluating something by comparison with a standard”. Seems simple enough, but the bigger question here is – who sets that standard? In the past, we may have looked to the big enterprise-size companies; however, breaches such as TalkTalk and Target show us that even the biggest companies might not have concentrated on application security as much as you’d have expected.
To make it even harder to benchmark your business, most major companies will tend to keep close to their chest how their application security programme is performing. You wouldn’t shout to the bad part of your neighborhood how loud your burglar alarm is, would you? This makes it hard for a CISO to truly benchmark their AppSec programme against its competitors.
Here are two ways to get started with benchmarking:
1 - Compare against industry standards
Comparing yourself to the statistics within your vertical allows for a more transparent approach, without fixating on specific companies that you would consider your competitors. In 2015, Veracode released a report which demonstrated the State of Software Security with a particular focus on industry verticals. By analyzing the results within this report, it would allow you to
2 - Use a benchmarking tool to do the hard part for you
There are some very good benchmarking tools out there that can do the research for you and show how your company stacks up against the rest of the industry. Veracode can actually help you with your benchmarking by providing a dashboard that shows you what your peers are up to with their AppSec programmes. Using a tool gives a better overall view, across the board rather than focused on specific competitors.
Benchmarking alone isn’t enough
Comparing your business against industry standards is a good start to ensure you are performing well compared to your peers, but this is only the beginning. The standard currently being set by companies for application security is not the highest it could be. Companies should always be striving for excellence within their application security programme, so that the benchmark keeps moving. Simply hitting that mark and being satisfied will always leave you one step behind the bad guys, who could tear it all down tomorrow.