Comparative Security
Sustainable levels of performance can never be achieved without keeping security at the forefront of an organization's digitalization strategy. Too often, security is treated like an after-thought - an activity at the end of the product development cycle or something to “fix” once a vulnerability is identified.
Created by:
Comparative Agility
A data-driven strategy to security
Comparative Security provides forward-leaning organizations with the information and intelligence necessary to embed security thinking as a natural part of an organization's operational strategy.
By treating security as an integral part of product development, companies can limit their security exposure, make better tradeoffs and more effectively maneuver the constant security challenges inherent in today's fast-moving business landscape.
About Comparative Security
Understand how you stack up against other companies or peers in your industry so you can more effectively target your security investments where it makes the most sense. By deploying a data-driven strategy to security, you'll be able to:
Continuous Improvement
1. Gather Data
Take survey, conduct open space sessions, gather objective measures and perform 1:1 interviews.
2. Analyze Results
Baseline data against world, specific industry or other comparative data set. Identify unique strengths and improvement opportunities. Understand the narrative.
3. Implement Changes
Define inprovement strategy based on key findings from your analysis. Communicate what you intend to do, execute on improvement strategy and evaluate progress.
4. Learn Together
At regular intervals, validate the impact of the improvement efforts. Communicate progress and be open about challenges. Build a culture of continuous improvement and learning across the enterprise.
'/%3e%3cpath%20fill-rule='evenodd'%20clip-rule='evenodd'%20d='M39.1429%2026.5684C36.1447%2026.5684%2033.7143%2028.9562%2033.7143%2031.9017V34.6804C32.1534%2035.0751%2031%2036.4672%2031%2038.1239V47.0128C31%2048.9765%2032.6203%2050.5684%2034.619%2050.5684H46.381C48.3797%2050.5684%2050%2048.9765%2050%2047.0128V38.1239C50%2036.4672%2048.8466%2035.0751%2047.2857%2034.6804V31.9017C47.2857%2028.9562%2044.8553%2026.5684%2041.8571%2026.5684H39.1429ZM43.6667%2034.5684V31.9017C43.6667%2030.9199%2042.8565%2030.1239%2041.8571%2030.1239H39.1429C38.1435%2030.1239%2037.3333%2030.9199%2037.3333%2031.9017V34.5684H43.6667Z'%20fill='%23EF4035'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear'%20x1='40.4473'%20y1='14.3326'%20x2='40.4473'%20y2='65.6674'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20offset='0.149171'%20stop-color='%23525F7F'/%3e%3cstop%20offset='1'%20stop-color='%23525F7F'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Integrate a continuous improvement approach to your security strategy: leverage Comparative Security to inform a strategic security roadmap at all levels of the organization.
Get a perspective of your current security risk profile and understand strengths and weaknesses of your approach compared to peers.
'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear'%20x1='24.7097'%20y1='39.5684'%20x2='24.7097'%20y2='63.5684'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20offset='0.149171'%20stop-color='%23525F7F'/%3e%3cstop%20offset='1'%20stop-color='%23525F7F'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Quickly target areas of your security strategy where you need to act; recognize where you can build on existing strengths.
'/%3e%3cpath%20d='M33.6562%2018.9892C33.6562%2018.0074%2034.4677%2017.2114%2035.4688%2017.2114H43.625C44.626%2017.2114%2045.4375%2018.0074%2045.4375%2018.9892V25.2114C45.4375%2026.1933%2044.626%2026.9892%2043.625%2026.9892H35.4688C34.4677%2026.9892%2033.6562%2026.1933%2033.6562%2025.2114V18.9892Z'%20fill='%23EF4035'/%3e%3cpath%20d='M41.8125%2034.1003C41.8125%2033.1185%2042.624%2032.3225%2043.625%2032.3225H51.7812C52.7823%2032.3225%2053.5938%2033.1185%2053.5938%2034.1003V40.3225C53.5938%2041.3044%2052.7823%2042.1003%2051.7812%2042.1003H43.625C42.624%2042.1003%2041.8125%2041.3044%2041.8125%2040.3225V34.1003Z'%20fill='%23EF4035'/%3e%3cpath%20d='M28.2188%2047.4336C27.2177%2047.4336%2026.4062%2048.2296%2026.4062%2049.2114V55.4336C26.4062%2056.4155%2027.2177%2057.2114%2028.2188%2057.2114H36.375C37.376%2057.2114%2038.1875%2056.4155%2038.1875%2055.4336V49.2114C38.1875%2048.2296%2037.376%2047.4336%2036.375%2047.4336H28.2188Z'%20fill='%23EF4035'/%3e%3cpath%20d='M11%2049.2114C11%2048.2296%2011.8115%2047.4336%2012.8125%2047.4336H20.9688C21.9698%2047.4336%2022.7812%2048.2296%2022.7812%2049.2114V55.4336C22.7812%2056.4155%2021.9698%2057.2114%2020.9688%2057.2114H12.8125C11.8115%2057.2114%2011%2056.4155%2011%2055.4336V49.2114Z'%20fill='%23EF4035'/%3e%3cpath%20d='M59.0312%2047.4336C58.0302%2047.4336%2057.2188%2048.2296%2057.2188%2049.2114V55.4336C57.2188%2056.4155%2058.0302%2057.2114%2059.0312%2057.2114H67.1875C68.1885%2057.2114%2069%2056.4155%2069%2055.4336V49.2114C69%2048.2296%2068.1885%2047.4336%2067.1875%2047.4336H59.0312Z'%20fill='%23EF4035'/%3e%3cdefs%3e%3clinearGradient%20id='paint0_linear'%20x1='39.0645'%20y1='10.4087'%20x2='38.832'%20y2='54.8148'%20gradientUnits='userSpaceOnUse'%3e%3cstop%20offset='0.149171'%20stop-color='%23525F7F'/%3e%3cstop%20offset='1'%20stop-color='%23525F7F'/%3e%3c/linearGradient%3e%3c/defs%3e%3c/svg%3e)
Give team members a voice and involve people at all levels of the organization as part of your security strategy.
Sample Questions
Governance
Our organization has an evangelist - an active advocate - who keeps stakeholders aware of the issues around information security and their importance to the business.
Intelligence
We maintain a list of open source used in apps, and have a process to keep it current with security patches.
SSDL Touchpoints
Security requirements are used to review feature designs.
Deployment
We use external penetration testers to find problems.
Outcomes
The team is producing higher quality products than before.
Governance
We have gates in our SDLC that call for security-related artifacts.
Intelligence
We analyze and document application-specific threat models and/or top attack lists.
SSDL Touchpoints
We perform basic threat modelling (perhaps with a standard questionnaire) on each new application or feature.
Deployment
Findings from penetration testing are entered into the produce development process (e.g. backlog, defect tracking).
Top Features
Embed security as an integral part of your organization's product development approach.
Benchmark your company's security efforts against peers in your industry.
Understand where you need to invest additional time and resources; amplify existing strengths.
Assess efforts at the team, program and organizational levels.