Benchmarking Security Maturity: How? - Cybit

13/02/2026

In today’s threat landscape, benchmarking security maturity is no longer a luxury; it is a necessity, and one that needs to be repeated. However, how you benchmark matters. Should you compare your organisation against peers in your vertical, or take a broader view across the entire business ecosystem?

Vertical Benchmarking: Sector-Specific Insights

Benchmarking within your industry, whether financial services, healthcare or another sector, offers highly relevant insights. Regulatory pressures, threat profiles and operational constraints tend to be similar, so comparisons are more actionable and better matched to the threat actors targeting that industry; a recent example is retail and Scattered Spider.

Pros:

– Aligns with sector-specific compliances (e.g. FCA, DORA)
– Reflects similar threat vectors and risk appetite
– Easier to justify investment to boards and regulators
– Allows some comparison against competitors, which helps justify spend

Cons:

– May reinforce complacency if the whole sector is lagging… “we are leading the way”
– Limits innovation by ignoring cross-industry best practices
– When a successful attack happens in an industry, it signals to malicious actors that the same attack route is worth trying across the vertical
– Innovation is slow

Ecosystem Benchmarking: A Wider Lens

Looking beyond your vertical to benchmark against the broader business ecosystem (tech firms, retailers, logistics providers and so on) can reveal new strategies and greater protection against emerging threats.

Pros:

– Encourages adoption of advanced practices from other sectors (regulated sectors such as finance and legal will always lead the way in security best practice)
– Highlights systemic risks (e.g. supply chain vulnerabilities)
– Useful for organisations with diverse business models

Cons:

– May lead to unrealistic comparisons or misaligned priorities
– Harder to contextualise findings for sector-specific stakeholders
– Harder to decide which findings to prioritise

Attack-Based Planning with MITRE ATT&CK

Regardless of benchmarking approach, organisations should complement maturity assessments with attack-based planning. The MITRE ATT&CK framework maps real-world adversary behaviours across tactics and techniques, enabling defenders to plan around how attackers actually operate rather than around theoretical controls alone.

By aligning detection and response capabilities to ATT&CK techniques, security teams can:

– Identify gaps in coverage
– Prioritise controls based on threat relevance
– Simulate adversary behaviour for red/blue team exercises
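As an added illustration of the first two points (this is example code, not a Cybit tool), the coverage-gap step in Python: each detection is tagged with the ATT&CK technique IDs it covers, each technique carries a threat-relevance weight that would normally come from threat intelligence, and uncovered techniques are ranked by weight. The technique IDs are real ATT&CK IDs, but the detection names and weights are constructed sample values.

```python
from collections import defaultdict

# Constructed sample input: detection rules mapped to the ATT&CK
# technique IDs they are designed to catch. Names are illustrative.
DETECTIONS = {
    "phishing-attachment-alert": {"T1566"},   # Phishing
    "suspicious-powershell":     {"T1059"},   # Command and Scripting Interpreter
    "lsass-handle-access":       {"T1003"},   # OS Credential Dumping
    "encoded-powershell":        {"T1059"},   # second rule for the same technique
}

# Constructed threat-relevance weights (3 = high, 1 = low). In practice these
# come from intel on the actors targeting your sector, not from this table.
THREAT_RELEVANCE = {
    "T1566": 3,  # Phishing
    "T1078": 3,  # Valid Accounts
    "T1486": 3,  # Data Encrypted for Impact
    "T1059": 2,  # Command and Scripting Interpreter
    "T1003": 2,  # OS Credential Dumping
    "T1021": 1,  # Remote Services
}


def detections_per_technique(detections):
    """Map each technique ID to the detections that cover it (depth, not just presence)."""
    covered = defaultdict(list)
    for name, techniques in detections.items():
        for tid in techniques:
            covered[tid].append(name)
    return dict(covered)


def coverage_gaps(detections, relevance):
    """Return uncovered techniques as (id, weight), highest weight first."""
    covered = detections_per_technique(detections)
    gaps = [(tid, w) for tid, w in relevance.items() if tid not in covered]
    return sorted(gaps, key=lambda tw: (-tw[1], tw[0]))


def weighted_coverage(detections, relevance):
    """Share of total threat weight that has at least one detection."""
    covered = detections_per_technique(detections)
    total = sum(relevance.values())
    got = sum(w for tid, w in relevance.items() if tid in covered)
    return got / total if total else 0.0
```

Ranking gaps by relevance rather than by count is what turns a raw coverage list into a prioritised control backlog.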

This approach shifts the focus from compliance-driven maturity to operational resilience, helping organisations defend against what is likely to happen, not just what is required.

Conclusion

Benchmarking is a powerful tool, but only when used wisely. Sector-specific comparisons offer depth, while ecosystem benchmarking provides breadth. Combine both with attack-based planning to build a security programme that’s not just mature, but truly adversary-aware.
