But in an interview, McGraw said the shortcomings in healthcare should not be painted too broadly. “As a sector, they are behind,” he said. “But within that data, there are some seriously good leaders in software security, doing amazingly great things.”
He said one reason for the lag is the well-intentioned Health Insurance Portability and Accountability Act (HIPAA) law of 1996. “It told them (healthcare organizations) that they had to take care of patient privacy,” he said, “and they did, but then they said, ‘OK, we’re done.’”
But he said the industry is improving, now that more healthcare organizations have recruited leaders from the financial industry, which scores well above average in the BSIMM6 data for security practices.
The timing of the latest BSIMM launch is also interesting in light of its major focus – sharing of security information among diverse companies, some of which are fierce competitors but have common interests when it comes to security from cyber attacks.
That sounds, in some ways, like the goal of the Cyber Information Sharing Act (CISA) now pending in Congress and expected to come to a vote perhaps before the end of the month.
That bill is aimed at getting both private and public organizations to share cyber threat information, but has vocal and growing opposition from advocates who say it fails to protect privacy.
McGraw wouldn’t go so far as to say that wide adoption of BSIMM practices throughout the business world would make CISA unnecessary. But he did say that, “if everybody used BSIMM to do better software engineering, there definitely wouldn’t be as big a need to share information about attacks and breaches.”
Ultimately, it is not entirely about software security, however. The report emphasizes that it has to start with network security, with the following image: “Doing software security before network security is like putting on your pants before putting on your underwear.”
Sign up for CIO Asia eNewsletters.