I've been guilty of similar thinking in the past; I've regularly used the analogy of the friends walking in the woods who stumble across an angry bear... you know the one. You don't have to be able to outrun the bear to survive, you only need to be able to outrun one of your friends! Of course, this analogy only works if there isn't a reason for the bear to specifically target you despite your relative sprinting ability... Perhaps your rucksack includes some particularly aromatic and tempting foodstuffs? Tempting enough for the bear to leave alone the easier targets?
Which brings me on to one of my beefs with the misuse of peer comparisons - the assumption that most attackers will target you and your peers equally. Is that really the case? Perhaps for some categories of threat actor, e.g. nation states that may want to get into defence firms or major financial institutions. But outside of that? I'd argue that you're more likely to be specifically targeted because of some perceived activity or insult to the attacker than you are because you happen to share a field of business... notable exceptions here obviously, e.g. animal research, big oil and gas, financial services etc. But even here, I'd still suggest that there will often be specific reasons for your organisation to be targeted. So, if there are specific reasons for you to be targeted (and there will be, e.g. unflattering news stories, particular assets you own or activities you undertook, a specific customer upset by one of your customer services team etc.) then why do you look to your peers for guidance on what's an appropriate amount to spend on security?
Let's have another beef. Do you base all of your business strategy on what your competitors do? The old "67% of successful generals bombard hills" example of Simon Wardley comes into play here - see http://blog.gardeviance.org/2013/11/without-map-you-have-no-strategy.html. Just because your peers do something doesn't mean it's the right thing to do. What if they are also all just looking around at their peers for guidance? At which point where's the linkage between the peer group and reality? What happens if there's some form of risk that the peer group is unaware of? It's a simple race to just above the bottom but there's no guarantee that "the bottom" is sufficient! Do what's right for you based on where you are, where you want to go and what you want to do to get there. Let others look after themselves... Of course you don't want to over-invest in security (the cash may be better used elsewhere) but using your peers as a baseline to make that decision is foolhardy. I'm not even going to get started on what happens if some of the peers are in the cloud and others still on-premises... (the validity of the methodology used to derive the benchmarks and their relevance to your particular position would be a separate post).
Which brings me on to my final beef for now - the public relations aspect. I can understand and, as a security professional who likes to get paid, sympathise with the view that you don't want to be found to be spending considerably less on security than your peers. That would be terribly embarrassing if you suffered an incident. However, being in the pack alone is not enough to spare your blushes in the event of an incident. Let's look at the recent TalkTalk compromise - how much of the media coverage has been concentrating on their position relative to their peers? Do we think TalkTalk are out of step with their peers? Do the media, their customers and their shareholders care?
So, in summary, sure it can be nice to know what your peers are up to. A peer comparison can be useful to justify a business case for further investment for example. But drawing comfort from the fact that you're "in the pack" is not something that I would recommend - be more comfortable that you have a solid grasp of your own risks and are doing something about the ones you care about. Be comfortable with your own competency rather than assuming that of your peers...