BSIMM11 and Industry Verticals: Regulated Industries (Financial services, healthcare, insurance)

By: Krishna Anindyo | Monday, September 21 2020 - 16:30 IWST

Figure: Spider charts built by noting the highest-level activity observed for each practice per BSIMM participant.

Synopsys created spider charts by noting the highest-level activity observed for each practice per BSIMM participant (a "high-water mark") and then averaging these values over the group of 130 firms to produce 12 numbers (one for each practice).

The resulting spider chart plots these values on 12 spokes corresponding to the 12 practices. Note that performing level 3 (the outside edge) activities is often a sign of Software Security Initiative (SSI) maturity, but only because organisations tend to start with common activities (level 1) and build from there toward uncommon activities.
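The high-water-mark averaging just described can be reproduced in a few lines. The following is an added example, not Synopsys code or BSIMM data: the firms, verticals and activity levels are constructed, and only the seven practices the article names are used rather than the full 12 spokes. It also goes one step beyond the text by computing the per-vertical charts and the spoke-by-spoke delta that the article's vertical comparisons rely on.

```python
from statistics import mean

# Practices named in the article. The real chart has 12 spokes; this
# constructed sample keeps to the seven the text mentions.
PRACTICES = [
    "Strategy & Metrics", "Compliance & Policy", "Attack Models",
    "Architecture Analysis", "Code Review", "Security Testing",
    "Penetration Testing",
]

# Constructed observations (hypothetical firms and values). For each firm,
# the activity levels (1-3) observed per practice. A practice missing from a
# firm's record means no activity was observed there, which scores 0 on that
# spoke. Values are chosen to mirror the article's narrative: insurance lags
# in Strategy & Metrics, Compliance & Policy and Attack Models but is ahead
# in Security Testing.
FIRMS = {
    "fin-1": {"vertical": "financial", "observed": {
        "Strategy & Metrics": [1, 2, 3], "Compliance & Policy": [1, 2],
        "Attack Models": [1, 2], "Architecture Analysis": [1, 2, 3],
        "Code Review": [1, 2], "Security Testing": [1, 2],
        "Penetration Testing": [1, 2, 3]}},
    "fin-2": {"vertical": "financial", "observed": {
        "Strategy & Metrics": [1, 2], "Compliance & Policy": [1, 2, 3],
        "Attack Models": [1], "Architecture Analysis": [1, 2],
        "Code Review": [1, 2, 3], "Security Testing": [1, 1],
        "Penetration Testing": [1, 2]}},
    "ins-1": {"vertical": "insurance", "observed": {
        "Strategy & Metrics": [1], "Architecture Analysis": [1, 2],
        "Code Review": [1, 2], "Security Testing": [1, 2, 3],
        "Penetration Testing": [1, 2]}},
    "hc-1": {"vertical": "healthcare", "observed": {
        "Strategy & Metrics": [1], "Compliance & Policy": [1, 2, 3],
        "Attack Models": [1], "Architecture Analysis": [1, 2, 3],
        "Code Review": [1, 2, 3], "Security Testing": [1],
        "Penetration Testing": [1, 2, 3]}},
}


def high_water_mark(observed, practice):
    """Highest activity level observed for one practice (0 if none observed)."""
    return max(observed.get(practice, []), default=0)


def firm_profile(firm):
    """One firm's high-water mark on every spoke."""
    return {p: high_water_mark(firm["observed"], p) for p in PRACTICES}


def spider_values(firms, vertical=None):
    """Average high-water mark per practice over all firms, or one vertical."""
    group = [f for f in firms.values()
             if vertical is None or f["vertical"] == vertical]
    if not group:
        raise ValueError(f"no firms in vertical {vertical!r}")
    return {p: round(mean(firm_profile(f)[p] for f in group), 2)
            for p in PRACTICES}


def compare(firms, vertical_a, vertical_b):
    """Per-spoke delta between two verticals; positive means vertical_a leads."""
    va, vb = spider_values(firms, vertical_a), spider_values(firms, vertical_b)
    return {p: round(va[p] - vb[p], 2) for p in PRACTICES}


if __name__ == "__main__":
    for label, chart in (("all", spider_values(FIRMS)),
                         ("financial", spider_values(FIRMS, "financial")),
                         ("insurance", spider_values(FIRMS, "insurance"))):
        print(label)
        for practice, value in chart.items():
            print(f"  {practice:<22} {value}")
    print("financial minus insurance:", compare(FIRMS, "financial", "insurance"))
```

Each spoke value is a mean of maxima, so one firm with a single level 3 activity pulls the spoke up as much as a firm doing every level 1 and level 2 activity in that practice; that is the caveat behind the article's remark that level 3 signals maturity only because firms normally climb through the lower levels first.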

Three verticals in the BSIMM operate in highly regulated industries: financial services, healthcare, and insurance (see Figure 6). In our experience with the BSIMM, large financial services firms reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.

Even as the number of financial services firms has grown significantly over the past five years, with a large influx into the BSIMM data pool of newly started initiatives, the financial services SSG average age at last assessment time is 4.9 years versus 3.8 years for insurance and 3.7 years for healthcare.

Time spent by financial services firms maturing their collective SSIs shows up clearly in the side-by-side comparison.

Although organisations in the insurance vertical include some mature outliers, the data for these three regulated verticals show insurance lags behind in the Strategy & Metrics, Compliance & Policy, and Attack Models practices, while moving above average in the Security Testing practice.

Compared to financial services firms, we see a similar contrast in healthcare, which achieves par in Compliance & Policy, Architecture Analysis, Code Review, and Penetration Testing, but lags in other practices.

In the BSIMM population, we can find large gaps between the maturity of verticals, even when the technology stacks might be similar. Consider Figure 7, which directly compares the current technology and healthcare verticals.

In this case, there is an obvious delta between technology firms that build devices tied to back-end services and healthcare firms that are increasingly building the same kind of devices.

The disparity in maturity extends to most practices, although the healthcare vertical is predictably ahead in the Compliance & Policy practice.

Fortunately for organisations that find themselves behind the curve, the experiences of many BSIMM participants provide a good roadmap to faster maturity.
