Gartner Blog Network

Benchmarking Security – Are We Safe Yet?

by John Pescatore  |  September 25, 2009  |  6 Comments

I still cringe at that scene in Marathon Man where Laurence Olivier puts Dustin Hoffman in the dentist chair and tortures him while asking “Is it safe??” In fact, now I cringe even more because it reminds me of so many conversations between CEOs/CIOs and CISOs: “OK, we gave you the budget increase. Is it safe now???”

Of course, safety is a relative thing. As the old saw goes, when two hunters ran into an angry bear in the woods, one said to the other: “I don’t have to outrun the bear, I only have to outrun you.” Animals use “herd behavior” as a basic safety mechanism; humans call it “due diligence.”

So, there is safety in being no slower than the rest of the herd, but in the IT security world that requires some kind of benchmarking against other companies. This has been a tough area in security – but there are a few sprouts out there.

A while back Gary McGraw and Sammy Miguez of Cigital and Brian Chess of Fortify put together the Building Security In Maturity Model, looking at the maturity levels of practices in large software development organizations. Now they have made a web-based survey available to collect data on 40 of the 110 elements of the BSI-MM.  Take a look – an easy way to participate and get a simplified benchmark of where your application development processes are security-wise. Then, maybe you can give your CEO a dentist drill and have him ask the VP of Business Apps “Is it safe???”


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems… Read Full Bio

Thoughts on Benchmarking Security – Are We Safe Yet?

  1. Joe Weiss says:

    Your focus is on IT. However, there is just as much concern on the industrial control systems side. We really have no appropriate benchmarks for how secure the industrial control systems are because the normal benchmarks are not directly applicable. I testified to this in Senate and House hearings on this subject. I would be happy to discuss this subject if you would like to contact me directly.

  2. […] This post was mentioned on Twitter by Vikram Phatak. Vikram Phatak said: RT @Gartnergreg: Benchmarking Security – Are We Safe Yet? […]

  3. Yes, agree there are specific issues in the industrial controls side. NIST has the 800-82 draft as a step in that direction.

  4. […] Cigital released an update to their Building Security in Maturity Model, which I posted about here.  Good to see Adobe, EMC, Intel, Microsoft and Nokia on the BSIMM advisory […]

  5. Great points, Hank. To me it feels like mass marketing. Segment the customer into different groups and it’s easy for the salespeople and marketing, but it misses out on the unique situation of the customer you’re trying to help. I guess we’re trying to balance best practices with the customer’s unique situation. I get the balance wrong sometimes too, which is why I enjoyed your article. I’ve been taking improv lessons, and I find it has helped to improve my situational awareness.

  6. Leandro says:

    Some genuinely wondrous work on behalf of the owner of this
    site, perfectly great written content.


Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.