Why is my CIS CSAT Industry Average so low?


Product Name: CIS CSAT Pro (SecureSuite Controls Self Assessment Tool); CIS CSAT Hosted

Product Version: All

Date: Oct 27, 2021

Problem

Why is my Industry Average so low?

Solution

Who is included in my industry?

Users self-assess their industries when creating organizations in CSAT. There are no strict definitions of which organization must go in which industry, and no verification is performed to confirm that an organization has selected the correct industry. Additionally, to protect user privacy, we do not share more specific information about the other organizations in a particular industry; we only share aggregate averages and organization counts for that industry.

Why is my Industry Average so low?

While the industry average can be a useful point of comparison for your organization, it should not be used to determine when your organization has reached an acceptable level of maturity in its implementation of the CIS Controls. The decision of what counts as an acceptable level of maturity should be made only after performing a thorough risk analysis for your organization. The industry average is based on the self-assessed industry identification and self-assessed Safeguard scoring of CSAT users; as such, it is provided as a point of reference and should not be the basis for organizational decisions. For instance, an organization shouldn’t say “we’re higher than the industry average, so we’re fine”.

There are several factors that can contribute to an industry average being lower than expected:

· Different organizations score themselves differently. Organizations are free to define the scoring categories and scoring criteria to be whatever makes the most sense for them, so these definitions and practices vary between organizations. Similarly, some organizations might be tougher graders than others, requiring more to achieve higher scores than other organizations do.

· For CIS-Hosted CSAT, incomplete assessments can lower the industry averages. For CSAT Pro, we have tried to improve upon this by including only Safeguards that are in the Validated workflow state in the industry averages.

Keywords: Industry


Copyright © 2020

Center for Internet Security®