Visualising the meaning of 'benchmark'

If you want to impress your CFO, investors or corporate clients, you're going to have to throw in the word "benchmark" from time to time. Here's a quick backstory on why this word is critical for scaling your tech start-up.


Dictionary

Definitions from Oxford Languages

benchmark

/ˈbɛn(t)ʃmɑːk/

noun

1. a standard or point of reference against which things may be compared. "the pay settlement will set a benchmark for other employers and workers" Similar: standard, point of reference, gauge
2. a surveyor's mark cut in a wall, pillar, or building and used as a reference point in measuring altitudes.

verb

evaluate (something) by comparison with a standard. "we are benchmarking our performance against external criteria"


When we say that an IT product or a company is "benchmarked", we mean it has been compared to a standard and it came out looking good.

The best-known benchmark is ISO/IEC 27001. You can be audited against ISO/IEC 27001 because it is a quality standard. A centimetre is a standard unit of measure, so when you say your pencil is 10cm long, your customer knows it will fit into their 10cm-long pencil case. So if I tell you that two different service providers are ISO/IEC 27001 certified, we all know that the way they manage their information security is standardised and will meet certain expectations. They have been benchmarked against a standard. This means we don't need to double-check that they are managing risk; the ISO auditor has already done that for us.

You can be assessed or AUDITED against a standard, you can be COMPLIANT with a law, and you can ADOPT best practice.

More importantly, if I speak to two companies who both have ISO certificates, they should have similar, if not the same, terminology for what they do. I would expect them both to have minutes of their "Management Review Meetings", for example. In the messy world of information security, this is pure gold. Are you even clear whether we are talking about Information Security, Cybersecurity, or Cyber Security? Some standardisation would be nice. Sadly, the standards and frameworks don't even align on terminology or on the categorisation of controls. It can be a full-time job keeping up, which is why we tend to settle on one or two standards and then stop.

(Shout out to securecontrolsframework.com, your SCF Framework is a work of art!)

The need for common terminology: "I know you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant." :)

Another standard we talk about in cybersecurity-land is "NIST". Now, a very accurate nerd would point out that NIST is actually an organisation, founded in 1901, and is the US national standards body (like the SABS in South Africa or the BSI in the UK). But like all good brands, we conflate the organisation with the product.

NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public. https://www.nist.gov/cybersecurity

The cool thing about NIST is that their stuff is free to use. For example they offer the Cybersecurity Framework (CSF), which is "a set of cybersecurity best practices and recommendations from the National Institute of Standards and Technology (NIST)", says Cisco. You can download it right now, if you like: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

Why is benchmarking useful?

Let's say that you have adopted NIST as the framework for your information security. NIST explains to you what Zero Trust is in Special Publication 800-207 and you decide that it's a good strategy. So you "adopt" their "Notional ZTA Architecture" and start implementing the NIST guidelines. You are starting to benchmark your security controls. Let's also assume that you are a Microsoft house and you need to decide which of the Microsoft security tools you should invest in.

So you watch this cool video from Microsoft (Microsoft Zero Trust Workshop - Introduction) explaining how to implement Zero Trust using Microsoft tools. Then they flash up this wonderful mapping of Microsoft tools to the NIST ZTA.

https://youtu.be/0-IYLWMHxGg?t=197

Because you can now speak "NIST ZTA" and you have already figured out how it applies to your infrastructure, you are in a much stronger position to select and motivate for specific tools (this is a hypothetical situation, I have never had to implement ZTA, feel free to critique my over-simplified perspective in the comments). Telling your CFO that the spend will align your organisation to the NIST framework is a far more compelling argument than "because Microsoft said it's a good idea that we give them more money".

So, do you see how Microsoft benchmarking themselves against NIST gives you a way to defend your purchase decision to your CFO? You can do that for your product too!

Taking a defensible position

Using the CSF process also gives you a way to defend your decisions when you're in the hot seat. You can decide to implement something now but delay buying something else until later, based on your risk assessment. This is a "defensible" position if you get into trouble after suffering a successful security breach. Many laws actually say things like you must "have due regard to generally accepted information security practices and procedures" (POPIA s19).


copied from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

If you are very clever, you will have done your risk assessment, planned out your risk treatment plan (RTP), and then had that approved by the relevant C-Suite. If you are a tech start-up founder, congrats, you ARE the C-Suite, so you should get that RTP approved by your Board (this is why good governance structures are a good idea).

No one will fault you for making decisions based on a thorough due diligence exercise that is benchmarked against an authoritative standard. It's even better if that decision was endorsed by others with authority in your organisation.

But good intentions are not enough: you need evidence

Sad but true, you do have to have evidence of everything you did, i.e. you need to have RECORDS. That's why meeting minutes and documented processes are a good investment of your limited time. It's also better if you can actually find those records when they are needed in a few years' time.

You might not even be the person looking for those records a few years from now, which is why a structured approach to labelling and storing your records and documents is also a really good idea, i.e. you need a records management process and some sort of system where you deliberately archive your records. Archiving protocols make sure that your documents can still be opened and read a decade from now. Can you open that Word 3 .doc you created in 1991? What is that you say? You weren't born yet? Well, take it from me, time flies and technology will leave you hanging. Anyway, the point is, PDF/A is a good ISO-based standard for archiving records, and there's even an ISO standard for the process of archiving records (that's correct, there is no end to this crazy).

You also need an information classification policy and a retention policy. Your decision to benchmark against a standard also needs to be documented for future reference; you do that in your Information Security Policy, another document that really helps when auditors, regulators or investors come knocking.

Remember, if it is not written down, it is not real and it did not happen.


That's all folks!

I hope that helped clear the mist a little about the role of governance, standards, risk management and policies. Hopefully you will now confidently talk about benchmarking your business or product, and create lots of warm, fuzzy feelings in your customers' and investors' hearts. Because, as we all know, trust runs on warm, fuzzy feelings :)


#techstartup #governance #benchmark #informationsecurity #privacycompliance
