BSIMM11 and Industry Verticals: Regulated Industries (Financial services, healthcare, insurance)
By : Krishna Anindyo | Monday, September 21 2020 - 16:30 IWST
Spider Charts by Noting The Highest-Level Activity Observed for Each Practice BSIMM Participant
INDUSTRY.co.id - Synopsys created spider charts by noting the highest-level activity observed for each practice per BSIMM participant (a “high-water mark”) and then averaging these values over the group of 130 firms to produce 12 numbers (one for each practice).
The resulting spider chart plots these values on 12 spokes corresponding to the 12 practices. Note that performing level 3 (the outside edge) activities is often a sign of Software Security Initiative (SSI) maturity, but only because organisations tend to start with common activities (level 1) and build from there toward uncommon activities.
Three verticals in the BSIMM operate in highly regulated industries: financial services, healthcare, and insurance (see Figure 6). In our experience with the BSIMM, large financial services firms reacted to regulatory changes and started their SSIs much earlier than insurance and healthcare firms.
Even as the number of financial services firms has grown significantly over the past five years, with a large influx of newly started initiatives into the BSIMM data pool, the financial services SSG average age at last assessment time is 4.9 years, versus 3.8 years for insurance and 3.7 years for healthcare.
Time spent by financial services firms maturing their collective SSIs shows up clearly in the side-by-side comparison.
Although organisations in the insurance vertical include some mature outliers, the data for these three regulated verticals show that insurance lags behind in the Strategy & Metrics, Compliance & Policy, and Attack Models practices, while moving above average in the Security Testing practice.
Compared to financial services firms, we see a similar contrast in healthcare, which is at par in Compliance & Policy, Architecture Analysis, Code Review, and Penetration Testing, but lags in other practices.
In the BSIMM population, we can find large gaps between the maturity of verticals, even when the technology stacks might be similar. Consider Figure 7, which directly compares the current technology and healthcare verticals.
In this case, there is an obvious delta between technology firms that build devices tied to back-end services and healthcare firms that are increasingly building the same kind of devices.
The disparity in maturity extends to most practices, although the healthcare vertical is predictably ahead in the Compliance & Policy practice.
Fortunately for organisations that find themselves behind the curve, the experiences of many BSIMM participants provide a good roadmap to faster maturity.