CSO - This is the fourth in my series of interviews with C-level executives who also happen to be thought leaders in cyber security and privacy. Remember? I enjoy pointing out that "C-level executive" and "thought leader" are not synonyms. Previously, I interviewed:
Jeremiah Grossman, founder and Chief Technology Officer (CTO) of WhiteHat Security (What's real and what's not in web security),
Michelle Dennedy, Chief Privacy Officer (CPO) for McAfee (The perilous path to a new privacy),
and Christopher Burgess, Chief Security Officer for Atigeo (How to meet the challenges of 21st century security and privacy).
In this installment, I engage Gary McGraw, CTO for Cigital, and the principal creator and driver of the Building Security In Maturity Model (BSIMM). McGraw is one of those I respect most in this field, and we had a delightful and wide-ranging discussion, stretching from the insecurity of electronic voting machines to the dangers of weak or conflicted governance, from the release of BSIMM4 to the follies of cyber war mongering. But in this piece, I am just going to focus on BSIMM4 and cyber war, because the two themes actually dovetail (no pun intended) in a meaningful and timely way.
Richard Power: Let's start with your perspective on how BSIMM has evolved, what is particularly striking in this year's iteration, what had surprised you so far, and what hasn't surprised you so far?
Gary McGraw: In the last four years, BSIMM has wildly exceeded my expectations. The thought, in the beginning, was to build a data-driven model. Go out and gather data, and build the model to describe the data ... BSIMM4 has ten times more data than the first BSIMM iteration we released. We have done ninety-nine measurements. Some firms have been measured multiple times, over different numbers of years, and some firms have had sub-organizations underneath the mother firm measured separately and rolled up into one measurement ... If you add up the number of all the firms there are fifty-one.
"The second [common technique] is something that will be near and dear to the heart of operational computer security people, and that is, running a software security disaster simulation drill. "
Gary McGraw on findings in BSIMM4
In BSIMM4, we finally have enough data to publish results for verticals without outing anyone accidentally; so we published the numbers for the financial services vertical, of which we have nineteen firms participating, and for the independent software vendor vertical, as well (e.g., Microsoft, VMware, etc.).
It's really cool to be able to compare those populations. We could always do it, but now we have released it so everyone can look at the data ... And for the first time in the BSIMM project, we identified two new activities that we had not seen before in previous measurements.
Let me explain. When we go to do these interviews, sometimes we'll find some crazy activity that is a one-off, and you will only see it in one place. We would never add an activity that is only done by one firm into the model. What are required instead are multiple observations across multiple firms.