Blog post

The Gartner Cybersecurity Business Value Benchmark

By Paul Proctor | May 22, 2023 | 0 Comments

CIO Leadership of Strategy, Governance and Operating ModelsIT Cost Optimization, Finance, Risk and ValueSecurity and Risk Management Leaders

The Gartner Cybersecurity Business Value Benchmark is 16 cybersecurity value metrics that change the way organizations measure, report and invest in cybersecurity.

Background can be found in these freely available resources:

Blog: Cybersecurity as a Business Decision: A Manifesto

Blog: Use Value to Govern Cybersecurity as a Business Investment

Blog: The Three Unanswered Board Questions That Drive Cybersecurity Investment

Free Gartner Webinar: Make Cybersecurity a Priority Business Investment

The new metrics were featured in the 2022 Gartner Symposium keynote.

Thousands of organizations have expressed active interest, hundreds are implementing the metrics, and dozens are working towards standardizing their metrics and governance on this approach.

If you are a Gartner client, you can access the full metric definitions here:

The Gartner Cybersecurity Business Value Benchmark, First Generation (G00775537)

If you are not a Gartner client, see this blog post to develop and implement your own metric definitions. Using these concepts and metrics will materially improve your board reporting.

Benchmarking Protection Levels is a Game Changer

The new Gartner benchmark is measuring protection levels for key security investments.

When you measure an outcome-driven metric and the metric improves, the investment is producing measurably better protection. When the metric degrades, the investment is producing measurably lower protection. The metric also supports direct investment to change a measurable protection level.

For example, I can spend more money, patch faster, and I will be measurably better protected. Or, I can save some money, patch slower, and I will be measurably less protected. But I will save some money.

Collectively these properties change how we measure, report, and invest in security.

How Does the Cybersecurity Business Value Benchmark Work?

Benchmarks are a community activity. The Gartner community has more than 17,000 client organizations. We are uniquely positioned to create the first benchmarkable protection levels. Gartner is an industry leader in IT benchmarking and we will apply our years of experience to ensure that our resulting benchmarks are explainable, credible and defensible.

Our 16 metrics address many complications associated with gathering data like this across organizations of every size, in every industry, across the globe.

For each metric we capture current protection-level delivered and target protection-level. For example, an organization is currently patching in-scope systems within 30 days, while they are working towards a target of 15-day patching. Seeing benchmarks for both current and target protection-levels helps guide security investment decisions.

We are currently updating the benchmark quarterly and participants in the ecosystem are encouraged to update their current and target numbers quarterly or whenever they materially change.

We ask the following of the community:

  • It is important to understand the definitions and submit credible and defensible information. Estimates are OK if they are based on best available information.
  • Although we have mechanisms to detect and clean up faulty data, please avoid entering data that is not credible and defensible for your organization.

Our tool does not deliver results for a metric until benchmark thresholds are met. The faster the community enters data, the faster we will have benchmarks to share. Early adopters will get the benefit of our early insights while the database builds.

The Cyber Business Value Community and Ecosystem

This benchmark requires more than just answering a few questions and comparing your answers to others. These metrics represent current and desired protection levels across key security investments for participants within the ecosystem.

To gain full value from this opportunity, an organization should instrument their systems and processes to gather these metrics continuously.

  • If you do not gather these metrics, the benchmark has little value beyond a curiosity. This is why we are not sharing the data broadly.
  • If you gather the data once, the benchmark continues to evolve while your data and your value ages out very quickly.
  • If you gather the data continuously, you are a part of a community and an ecosystem that will continuously guide your security investments while evolving a standard of due care.

Benchmark Availability

Our new benchmark tool is currently available through an early adopter program (EAP). The requirements to join the EAP include:

  • You must be a Gartner client with an active login or a qualified individual who is evaluating Gartner services and unlimited access to the benchmark.
  • You must have at least 4 of the defined metrics. See more on this requirement below.
  • You must go through our qualification process and be accepted into the program.

Can I Participate If I am Not a Gartner Client?

Yes, but you must be actively evaluating Gartner services and you must have at least 4 of our defined metrics to share. We share the full metric definitions with qualified individuals.

Click here to evaluate Gartner services and mention this blog post to your account executive who will be in contact.

To quote Ralphie , “a crummy commercial?” In return for your time to discuss Gartner services, you will receive a report with our latest benchmark data if you share at least 4 metrics. This report has similar value to an Official Red Rider Carbine-Action 200-Shot Range-Model Air Rifle… but it’s easier on your eye.

If you become a Gartner client, you will join the cyber benchmark ecosystem and continue to get value as the benchmark evolves and grows.


Our response and demand for this has been so great that we had to take a step back, invest more in development, and scale up.

This approach delivers benefits for years and we are making the right investments for it to scale and evolve for the long term.

Gartner Will Release Early Benchmark Data at the 2023 Gartner Security and Risk Management Summit in National Harbor, MD.

At my June 5, 2023 2:30 PM ET session “Drive Cybersecurity Investments With the Gartner Cybersecurity Value Benchmark” I will share early data for 10 of our 16 metrics. See you there!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment