A worrying number of companies said they don’t plan to improve their cyber security programs, despite the threats. But all it takes to start is a roadmap.
The cyber threat landscape is going to get worse before it gets better—if it ever gets better.
That’s the view of a majority of respondents to a recent survey on cyber risks conducted by security and threat intelligence firm FireEye, titled Cyber Trendscape 2020.
Yet a significant percentage of the respondents to that survey—in some cases a majority—weren’t planning to up their security game all that much to counter those ever-evolving, ever-increasing threats.
That is despite the “roadmaps” available to help them do it, such as the BSIMM (Building Security In Maturity Model), which has been collecting data for more than a decade now on how organizations create and grow software security initiatives (SSIs).
The survey polled more than 800 senior executives from North America (U.S. and Canada), Europe (France, Germany, and the U.K.) and Asia (China, Japan, and South Korea).
Globally, the perception of cyber risks was, as the report put it, “grim,” with “56% believing it would worsen over the next 12 months and 33% of the opinion it would stay the same. The most pessimistic views were from the U.S. (74%) and Japan (72%) where risks from cyber threats were expected to worsen over the next 12 months.”
A large majority of the respondents (70%) also said cyber threats were becoming more complex, as in “more difficult to understand and defend against.”
In response to that growing threat, three-quarters of the organizations surveyed said they plan to increase their cyber security budget, but those increases are incremental—running 1% to 9% more than their current budgets, which average only 6% to 7% of overall IT budgets. Perhaps marginally encouraging is that 25% of U.S. respondents said their cyber security budgets were more than 10% of the IT budgets.
But a quarter of organizations in Japan and Korea said they planned to keep their cyber security budgets the same. And a small percentage—3% or less—of those in France, Japan, Korea, and China said they planned to decrease it.
It isn’t just a matter of money. Perhaps even more concerning is that organizations aren’t confronting the risk strategically.
A significant percentage of the senior executives surveyed said their cyber security programs were semiformal and focused mainly on compliance with mandatory regulations.
“Globally, 23% of organizations reported formal security programs with a broad, risk-based focus supporting continuous optimization of processes and approaches, compared to the U.S. (41%) and China (38%),” the report said.
But even in the U.S. and China, that means nearly two-thirds of organizations don’t have a formal program.
And the report found that “only 19% of organizations identified their security program as strategic with intelligence data driving investment decisions, operational priorities and other critical cyber security factors.”
All of which is both ironic and puzzling, since there are tools and organizations available to help those organizations improve their cyber security programs dramatically. A major way to do that is to improve the security of an organization’s software, both proprietary and third party.
The BSIMM, now into its 11th year, produces an annual report that offers detailed descriptions of what organizations, mainly in eight verticals, are doing to grow and mature their SSIs.
From the beginning, the report has been a “measuring stick” for SSIs. It is neither a “how-to” on developing an SSI nor a “what-to-do” manual. But it is a “what’s happening now” guide, documenting what organizations are doing to improve the security of their software, and what practices make those initiatives more mature.
The 10th iteration of the report, released in October and available for free—licensed under the Creative Commons Attribution-ShareAlike—offers data gathered from 122 organizations in verticals including financial, independent software vendors (ISV), tech, healthcare, Internet of Things (IoT), insurance, cloud, and retail.
In other words, organizations can see what is already working, or perhaps not working, for others in their specific industry.
Those observations cover 119 activities grouped under 12 practices, which fall under four domains: Governance, Intelligence, SSDL (Secure Software Development Lifecycle), and Deployment.
But, of course, to benefit from the BSIMM, an organization needs to have an SSI—a “formal” software security program—that it can compare to others in the same industry. It could also agree to have its SSI undergo a BSIMM evaluation, which would give it a much more precise sense of the program’s effectiveness and maturity.
Steven Cohen, product marketing manager, senior staff, at Synopsys, noted that the results of a BSIMM assessment help an organization “create an improvement strategy and prioritize change. It is the only yardstick available today for measuring how your efforts stack up against others also trying to secure their software portfolios.”
It also has the potential to provide some leverage for increasing the security budget. As Cohen put it, a BSIMM assessment can provide “irrefutable evidence that your company is not keeping up with similar organizations or that your peers are better at protecting their and their customers’ sensitive data.”
It is not just a matter of how much you spend, however. It’s more about how you spend. Sammy Migues, senior member, technical staff, at Synopsys and a co-author of all the BSIMM reports since the beginning, said he doesn’t think it’s possible to calculate the “right” amount to spend on security “as a percentage of any other part of the budget.”
“And I think this will get even more difficult as cyber security evolves, cloud use evolves, digital transformation evolves, corporate security boundaries evolve, and so on.”
He said there are too many variables. “What would 10% or 20% mean anyway? One in 10 or 2 in 10 people in IT have to do security? Or 1 or 2 in 10 dollars spent on cloud have to be spent on cloud security? Would it be the same if I insource or outsource? The same if I use much more CapEx or much more OpEx? If I’m highly regulated or not?”
“The right amount is the right amount,” he said.
But as Cohen noted, the BSIMM can help you spend smarter. “A BSIMM assessment can open your eyes to new strategies used by companies you admire,” he said. “You can use the information to help you make investment decisions.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.