I still cringe at that scene in Marathon Man where Laurence Olivier puts Dustin Hoffman in the dentist chair and tortures him while asking “Is it safe??” In fact, now I cringe even more because it reminds me of so many conversations between CEOs/CIOs and CISOs: “OK, we gave you the budget increase. Is it safe now???”
Of course, safety is a relative thing. As the old saw goes, when two hunters ran into an angry bear in the woods, one said to the other: “I don’t have to outrun the bear, I only have to outrun you.” Animals use “herd behavior” as a basic safety mechanism – humans call it “due diligence.”
So, there is safety in being no slower than the rest of the herd, but in the IT security world it requires some kind of benchmarking against other companies. This has been a tough area in security – but there are a few sprouts out there.
A while back Gary McGraw and Sammy Migues of Cigital and Brian Chess of Fortify put together the Building Security In Maturity Model, looking at the maturity levels of practices in large software development organizations. Now they have made a web-based survey available to collect data on 40 of the 110 elements of the BSI-MM. Take a look – it is an easy way to participate and get a simplified benchmark of where your application development processes stand security-wise. Then, maybe you can give your CEO a dentist drill and have him ask the VP of Business Apps “Is it safe???”