(Posted on Behalf of Pushkal Mishra AVP IT & CISO, HDFC ERGO Health Insurance Ltd)
Business applications are vital for the successful functioning of any organization. Therefore, managing their information security risks are just as important as the business itself. If I ask about different measures you take to ensure security of your applications, you might reply with few initiatives such as periodic secure code reviews, external scans, vulnerability assessments & penetration testings and perhaps audits etc. But what If I asked how mature is your program?

One way to answer that would be to compare your program with the industry best practice and identify relative position of your organization. For example, if the industry benchmark is 2 (out of 3) and you are at 0.05, then there are many things that need your immediate attention.

So how do I measure vis-à-vis industry?

No alt text provided for this image

The answer to that would be finding the relevant maturity model. Although there are many models , I personally find BSIMM (Building Security IMaturity Model) very useful. It can be used as a measuring stick for software security. The model has 4 security domains broken into 12 security practice areas which are further subdivided into additional 3 levels emerging over 100 activities that can be leveraged to compare as well as improve the program. The most interesting part of this model is that there are over 120 participating firms across various industries sharing their approach of application security.

Start off by doing the gap assessment against BSIMM. Then pick the relevant industry benchmark and plot your practice against it through the spider chart (or anything similar) as below. This will help in visualization of your program's maturity.

No alt text provided for this image

Obviously, it is not feasible to take all the initiatives so depending on your business requirements, you can choose which initiative to take as not every organization can afford to invest in all of them. Below are the most common ones that all the participating companies are using:

No alt text provided for this image
E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform