
It may not matter if you're vulnerable as long as you're less vulnerable than your rivals...
Published: 1 November 2005 17:55 GMT
More companies are beginning to adopt a benchmarking approach to security, according to one large vendor, but it's an approach which is dividing opinion among security experts.
Security giant Symantec claims benchmarking, the process whereby companies compare themselves against rivals or industry best practice, is a strategic approach to cost-effective security. But a security expert from analyst house Gartner has branded it a box-ticking exercise to keep Sarbanes-Oxley auditors happy.
Enrique Salem, senior VP of security products at Symantec, told silicon.com: "One of the services we're seeing the greatest demand for in the enterprise is the ability to benchmark. CIOs are asking us to benchmark against other companies in their market."
Salem said companies don't need to keep throwing money at security but rather they need to achieve a level of security which balances risk with the reality that nobody can be 100 per cent secure.
Salem said Symantec wouldn't disclose names but will work with businesses to keep them up to date with how companies in the same vertical or with similar risk exposure are securing themselves.
But Jay Heiser, research vice president at Gartner, told silicon.com: "Benchmarking is a classic case of something companies do when the regulators are breathing down their neck."
He added: "Just show them you're more secure than your neighbours."
Steve Wylie, managing partner in Accenture's security practice, said he agreed that benchmarking can be an inexact science and warned companies against spending too much time looking purely at external metrics.
He said it's more important that companies consider issues specific to them which may mean they don't neatly fit into a defined model.
"Benchmarking is never going to be precise and it has to be balanced with internal processes. Does a company in-source, does it outsource, does it offshore, how is it organised?" he said, explaining that the diversity of unique factors at play makes any comparison difficult. He also said companies "have to be very careful who or what they benchmark against".
However, he said if it is "part of a balanced metric scorecard" which takes into account both internal and external metrics then there can certainly be compliance and cost benefits.
Both Heiser and Wylie agreed, however, that it is certainly a direction in which the large vendors are likely to drive the market by offering benchmarking services, especially now that they have snapped up consultancy firms such as Liric and @Stake, which were bought by Symantec, and Foundstone, which was bought by McAfee.
Heiser agreed that such acquisitions enable the large vendors to protect against a day when more strategic approaches to security overtake the box-shifting days of the security gold rush, which has seen spend increase annually.
However, he said there are going to be those who have their concerns about security companies undertaking consultancy work.
"You don't need me to tell you that it's certainly in the interests of a security vendor to help encourage the implementation of its own services."
Accenture's Wylie added: "The security vendors are there to promote the strength of their own products."
However, Symantec's Salem denied that the bolted-on consultancy arms are little more than a tool for driving sales. "We might recommend a company needs a type of technology or suggest they look at a particular range of services," he said, but denied that customers paying for the consultancy would always be steered towards Symantec products.
Copyright © 2008 CBS Interactive Limited. All rights reserved.