In the beginning, security was made up of prescriptive frameworks; security experts told firms what they should do to build secure software. With time, software security experts realized that this “because I said so” approach really wasn’t a good security strategy. Instead of telling people what to do and what not to do, we needed some perspective. We needed to learn what others were doing to secure their software.
That’s when the idea for the Building Security In Maturity Model (BSIMM) was born. The BSIMM is a scientific study, measuring security activities that companies are actually doing. The measurements sought to answer how firms were spending their security budget and how effective these security initiatives were.
In the first iteration of the BSIMM, we studied nine firms. Several years later, in the sixth iteration of the study, we have 78 firms in the BSIMM community.
Security isn’t a ‘one and done’ fix. There is no right or wrong, yes or no answer to security. The measurements conducted throughout the assessment help a firm to understand where they stand today, allowing them to plan for tomorrow. In other words, these metrics allow firms to see how mature their existing security initiative is across their entire portfolio in order to establish a strategy for continuous process improvement.
It’s not about what you’re doing right or wrong. BSIMM is about observations—describing and measuring a variety of approaches.
Here, you’ll learn how the BSIMM works, what the measurements illustrate, and why these numbers are a valuable way to progress your firm’s security stance.
Download BSIMM6 to learn more.