BSIMM11 and Industry Verticals: Regulated Industries (Financial services, healthcare, insurance)

By : Krishna Anindyo | Monday, September 21 2020 - 16:30 IWST

Spider Charts: Noting the Highest-Level Activity Observed for Each Practice per BSIMM Participant

Synopsys created spider charts by noting the highest-level activity observed for each practice per BSIMM participant (a "high-water mark") and then averaging these values over the group of 130 firms to produce 12 numbers (one for each practice).

The resulting spider chart plots these values on 12 spokes corresponding to the 12 practices. Note that performing level 3 (the outside edge) activities is often a sign of Software Security Initiative (SSI) maturity but only because organisations tend to start with common activities (level 1) and build from there toward uncommon activities.
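As an added illustration of the high-water-mark method described above (example code written for this page, not code from the BSIMM report or from Synopsys), the following Python computes the 12 spider-chart values from per-firm lists of observed activity IDs. The activity IDs follow the BSIMM naming of practice abbreviation, level and activity number (e.g. SM2.1); the three firms and their activity lists are constructed sample data, not real BSIMM participants.

```python
"""BSIMM-style 'high-water mark' spider chart values.

For each firm, the highest activity level observed in each practice is
recorded; those per-firm marks are then averaged across firms, giving
one number per practice (12 numbers for the 12 practices).
"""
import re

# The 12 BSIMM practices keyed by the abbreviation used in activity IDs.
PRACTICES = {
    "SM": "Strategy & Metrics",
    "CP": "Compliance & Policy",
    "T": "Training",
    "AM": "Attack Models",
    "SFD": "Security Features & Design",
    "SR": "Standards & Requirements",
    "AA": "Architecture Analysis",
    "CR": "Code Review",
    "ST": "Security Testing",
    "PT": "Penetration Testing",
    "SE": "Software Environment",
    "CMVM": "Configuration Management & Vulnerability Management",
}

# Activity ID shape: practice abbreviation, level digit, ".", activity number.
ACTIVITY_RE = re.compile(r"^([A-Z]+)([123])\.(\d+)$")


def parse_activity(activity):
    """Return (practice, level) for an ID such as 'SM2.1'; reject anything else."""
    m = ACTIVITY_RE.match(activity)
    if not m or m.group(1) not in PRACTICES:
        raise ValueError(f"not a BSIMM activity ID: {activity!r}")
    return m.group(1), int(m.group(2))


def high_water_marks(observed):
    """One firm: highest level observed per practice (0 when nothing observed)."""
    marks = {p: 0 for p in PRACTICES}
    for activity in observed:
        practice, level = parse_activity(activity)
        marks[practice] = max(marks[practice], level)
    return marks


def spider_values(firms):
    """A group of firms: average each practice's high-water mark -> 12 numbers.

    `firms` maps a firm name to its list of observed activity IDs. Passing
    only the firms of one vertical gives that vertical's spider chart.
    """
    if not firms:
        raise ValueError("need at least one firm")
    totals = {p: 0 for p in PRACTICES}
    for observed in firms.values():
        for practice, level in high_water_marks(observed).items():
            totals[practice] += level
    return {p: round(totals[p] / len(firms), 2) for p in PRACTICES}


# Constructed sample: three hypothetical firms, not real BSIMM data.
SAMPLE_FIRMS = {
    "firm_a": ["SM1.1", "SM2.1", "CP1.1", "CP2.2", "T1.1", "AM1.2",
               "ST1.1", "ST2.1", "PT1.1"],
    "firm_b": ["SM1.1", "CP1.1", "CP1.2", "AM1.1", "SFD1.1", "AA1.1",
               "CR1.4", "ST1.3", "ST3.2", "PT1.1", "PT2.2"],
    "firm_c": ["SM1.4", "SM3.1", "CP3.1", "T2.5", "AM2.1", "SR1.1",
               "SE1.2", "CMVM1.1", "CMVM2.1", "PT1.2"],
}

if __name__ == "__main__":
    for practice, value in spider_values(SAMPLE_FIRMS).items():
        print(f"{PRACTICES[practice]:<55} {value:.2f}")
```

Two things the numbers do not say: an average of 1.67 in Security Testing means the sample firms' highest observed level in that practice is 1.67 on average, not that any firm performs "all level 1 and some level 2" activities, and a firm with a single level 3 activity scores the same mark as one doing every activity in the practice. That is why the text reads level 3 activities as a sign of maturity only because firms tend to build up from level 1.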

Three verticals in the BSIMM operate in highly regulated industries: financial services, healthcare, and insurance (see Figure 6). In our experience with the BSIMM, large financial services firms reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.

Even as the number of financial services firms has grown significantly over the past five years, with a large influx into the BSIMM data pool of newly started initiatives, the financial services SSG average age at last assessment time is 4.9 years versus 3.8 years for insurance and 3.7 years for healthcare.

Time spent by financial services firms maturing their collective SSIs shows up clearly in the side-by-side comparison.

Although organisations in the insurance vertical include some mature outliers, the data for these three regulated verticals show insurance lags behind in the Strategy & Metrics, Compliance & Policy, and Attack Models practices, while moving above average in the Security Testing practice.

Compared to financial services firms, we see a similar contrast in healthcare, which achieves par in Compliance & Policy, Architecture Analysis, Code Review, and Penetration Testing, but lags in other practices.

In the BSIMM population, we can find large gaps between the maturity of verticals, even when the technology stacks might be similar. Consider Figure 7, which directly compares the current technology and healthcare verticals.

In this case, there is an obvious delta between technology firms, which have long built devices tied to back-end services, and healthcare firms, which increasingly build the same kind of devices tied to back-end services.

The disparity in maturity extends to most practices, although the healthcare vertical is predictably ahead in the Compliance & Policy practice.

Fortunately for organisations that find themselves behind the curve, the experiences of many BSIMM participants provide a good roadmap to faster maturity.
