One way to answer that would be to compare your program with the industry best practice and identify relative position of your organization. For example, if the industry benchmark is 2 (out of 3) and you are at 0.05, then there are many things that need your immediate attention.
So how do I measure vis-à-vis industry?
The answer to that would be finding the relevant maturity model. Although there are many models , I personally find BSIMM (Building Security In Maturity Model) very useful. It can be used as a measuring stick for software security. The model has 4 security domains broken into 12 security practice areas which are further subdivided into additional 3 levels emerging over 100 activities that can be leveraged to compare as well as improve the program. The most interesting part of this model is that there are over 120 participating firms across various industries sharing their approach of application security.
Start off by doing the gap assessment against BSIMM. Then pick the relevant industry benchmark and plot your practice against it through the spider chart (or anything similar) as below. This will help in visualization of your program's maturity.
Obviously, it is not feasible to take all the initiatives so depending on your business requirements, you can choose which initiative to take as not every organization can afford to invest in all of them. Below are the most common ones that all the participating companies are using:
Comments