By: Taylor Armerding, Security Expert at Synopsys Software Integrity Group
The cyber threat landscape is going to get worse before it gets better — if it ever gets better.
That’s the view of a majority of respondents to a recent survey on cyber risks conducted by security and threat intelligence firm FireEye, titled Cyber Trendscape 2020.
Yet a significant percentage of the respondents to that survey — in some cases a majority — weren’t planning to up their security game all that much to counter those ever-evolving, ever-increasing threats.
That is despite the “roadmaps” available to help them do it. Roadmaps like the BSIMM (Building Security In Maturity Model), which has been collecting data for more than a decade now on how organisations create and grow software security initiatives (SSIs).
Perception of cyber risks is ‘grim’
The survey polled more than 800 senior executives from North America (U.S. and Canada), Europe (France, Germany, and the U.K.) and Asia (China, Japan, and South Korea).
Globally, the perception of cyber risks was, as the report put it, “grim,” with “56% believing it would worsen over the next 12 months and 33% of the opinion it would stay the same. The most pessimistic views were from the U.S. (74%) and Japan (72%) where risks from cyber threats were expected to worsen over the next 12 months.”
A large majority of the respondents (70%) also said cyber threats were becoming more complex, as in “more difficult to understand and defend against.”
Cyber security budgets are under strain
In response to that growing threat, three-quarters of the organisations surveyed said they plan to increase their cyber security budget, but those increases are incremental — running 1% to 9% more than their current budgets, which average only 6% to 7% of overall IT budgets. Perhaps marginally encouraging is that 25% of U.S. respondents said their cyber security budgets were more than 10% of the IT budgets.
But a quarter of organisations in Japan and Korea said they planned to keep their cyber security budgets the same. And a small percentage — 3% or less — of those in France, Japan, Korea, and China said they planned to decrease it.
Lack of formal cyber security programs is worrying
It isn’t just a matter of money. Perhaps even more concerning is that organisations aren’t confronting the risk strategically.
A significant percentage of the senior executives surveyed said their cyber security programs were semiformal and focused mainly on compliance with mandatory regulations.
“Globally, 23% of organisations reported formal security programs with a broad, risk-based focus supporting continuous optimisation of processes and approaches, compared to the U.S. (41%) and China (38%),” the report said.
But even in the U.S. and China, that means nearly two-thirds of organisations don’t have a formal program.
And the report found that “only 19% of organisations identified their security program as strategic with intelligence data driving investment decisions, operational priorities and other critical cyber security factors.”
How to improve your cyber security program
All of which is both ironic and puzzling, since there are tools and organisations available to help those organisations improve their cyber security programs dramatically. A major way to do that is to improve the security of an organisation’s software, both proprietary and third party.
The BSIMM, now into its 11th year, produces an annual report that offers detailed descriptions of what organisations, mainly in eight verticals, are doing to grow and mature their SSIs.
From the beginning, the report has been a “measuring stick” for SSIs. It is neither a “how-to” on developing an SSI nor a “what-to-do” manual. But it is a “what’s happening now” guide, documenting what organisations are doing to improve the security of their software, and what practices make those initiatives more mature.
Get a roadmap
The 10th iteration of the report, released in October and available for free — licensed under the Creative Commons Attribution-ShareAlike — offers data gathered from 122 organisations in verticals including financial, independent software vendors (ISV), tech, healthcare, Internet of Things (IoT), insurance, cloud, and retail.
In other words, organisations can see what is already working, or perhaps not working, for others in their specific industry.
Those observations cover 119 activities grouped under 12 practices, which fall under four domains: Governance, Intelligence, SSDL (Secure Software Development Lifecycle), and Deployment.
But, of course, to benefit from the BSIMM, an organisation needs to have an SSI — a “formal” software security program — that it can compare to others in the same industry. It could also agree to have its SSI undergo a BSIMM evaluation, which would give it a much more precise sense of the program’s effectiveness and maturity.
Steven Cohen, product marketing manager, senior staff, at Synopsys, noted that the results of a BSIMM assessment help an organisation “create an improvement strategy and prioritise change. It is the only yardstick available today for measuring how your efforts stack up against others also trying to secure their software portfolios.”
It also has the potential to provide some leverage for increasing the security budget. As Cohen put it, a BSIMM assessment can provide “irrefutable evidence that your company is not keeping up with similar organisations or that your peers are better at protecting their and their customers’ sensitive data.”
Determine what works for your organisation
It is not just a matter of how much you spend, however. It’s more about how you spend it. Sammy Migues, senior member, technical staff, at Synopsys and a co-author of all the BSIMM reports since the beginning, said he doesn’t think it’s possible to calculate the “right” amount to spend on security “as a percentage of any other part of the budget.”
“And I think this will get even more difficult as cyber security evolves, cloud use evolves, digital transformation evolves, corporate security boundaries evolve, and so on.”
He said there are too many variables. “What would 10% or 20% mean anyway? One in 10 or 2 in 10 people in IT have to do security? Or 1 or 2 in 10 dollars spent on cloud have to be spent on cloud security? Would it be the same if I insource or outsource? The same if I use much more CapEx or much more OpEx? If I’m highly regulated or not?”
“The right amount is the right amount,” he said.
But as Cohen noted, the BSIMM can help you spend smarter. “A BSIMM assessment can open your eyes to new strategies used by companies you admire,” he said. “You can use the information to help you make investment decisions.”