As an industry, retail’s reputation for providing software security has taken some hits. The top 15 data breaches of the current century include Target in 2013, with account information on an estimated 110 million customers compromised; TJX in 2006, with 94 million credit cards exposed; and Home Depot in September 2014, with about 56 million customer credit/debit cards compromised.

SecurityScorecard’s 2018 Retail Cyber Security Report concluded that “although hackers have become increasingly clever with stealing credit card data, the retail industry is no better prepared to deal with the threat.”

Of 18 industries analyzed, retail was “the second lowest performer in terms of application security, indicating a decrease from 2017’s Retail Report where they were the fourth lowest performer,” the report said.

But looking at the industry through another lens, there’s hard evidence that at least a portion of it is taking security seriously. Measuring its collective proficiency across a long list of software security activities, it outpaces several other industries, including healthcare.

Retail is the newest vertical to be studied in an annual industry report called the Building Security In Maturity Model (BSIMM). Launched in 2008, the BSIMM is a self-described measuring stick for software security. It is not a “how to” guide. Rather, it’s a “what’s happening now” guide that allows businesses to review the software security initiatives (SSIs) of others in their industry, and to see what is working, or perhaps not working.

The latest report, BSIMM9, tracked the SSIs of 120 firms in eight industries, covering 116 activities they can implement to improve their software security. And it is not only participants who can compare their own SSIs with their peer companies. Anyone can. The data collected and organized are available for free to any business under the Creative Commons Attribution-Share Alike license.

What insights can retailers take from the report? For one, participating firms demonstrated significant progress in software security. A comparison of retail versus “Earth” (the average of all BSIMM9 participants) showed superior…