CISO Survey 2013: Conclusions

= Conclusions= Due to the evolving threat landscape and increased pressure from audit, legal and compliance, in the last decade, investments in application security have been a growing proportion of overall information security and information technology budgets. In our 2013 OWASP CISO Survey, nearly 90% of respondents indicated that application security investment would either increase or remain constant. Nevertheless, making the business case for increasing the budget for application security remains today one of many challenges of a CISO and security manager, because of competing objectives like the prioritization of spending for development of new application features and platforms (e.g. mobile devices), initiatives to expand service uptake or profitability, and marketing to attract new customers and retain existing customers.

In today’s economic climate and ever changing threat landscape, it is increasingly important for CISOs to formulate the right security strategies for their organizations and articulate the "business case" for investment in application security and focus on the programs that have the most impact on the overall security of the organization and reducing risks.

That means, that today’s CISOs need to navigate and master many challenges, the most pressing among them are: developing the right security skills within their organizations, achieving awareness for security risks among their developers and management teams, managing with limited budgets and adjusting to constant organizational changes. And in turn these challenges shape the key priorities for CISOs for the near and medium future: to improve awareness and training, transfer security awareness into program execution and budgeting, introduce or improve their secure development lifecycle and overall strengthen application security across the system landscape to counter the dramatically increasing external threats to application security.

When comparing the new data with spending reports, there also appears to still be a disconnect between organization's perceived threats of rising application security threats on the one hand and a yet still large spending on network and infrastructure security in absolute and relative numbers. Typically, additional budget allocation for application security includes the development of changes in the application to fix the causes of the incident (e.g. fixing vulnerabilities) as well as rolling out additional security measures such as preventive and detective controls for mitigating risks of hacking and malware and limiting the likelihood and impact of future data breach incidents. Still, even with limited budgets, CISOs can improve their security posture by focusing on the most critical risks of an organization and leveraging commonly available best practices and free tools to strengthen their organization and systems.

From a fear perspective – leveraging security incidents - it is true that CISOs can also exploit the momentum, being this either a negative or positive event. But this is part of a reactive risk management approach looking backward at past events and low maturity in dealing with future risks. Often application security spending can be triggered by a negative event such as a security incident, since this shifts senior management's perception of risk. However, CISOs should find that using a two year roadmap to drive security investment would be more effective in setting the appropriate security budgets.

In the case of experienced security breaches or incidents, the money is probably being spent to limit the damage, such as to remediate the incident and implement additional countermeasures. The main question then is what further investment in application security will reduce the likelihood and impact of another similar incident happening in the future. One approach is to focus on applications that might become a target for future attacks.

To help developing a more forward looking security strategy, many organizations will be looking at introducing application security management systems and/or maturity models over the coming 12 months. A trend that will allow organizations to further grow in maturity and improve their understanding of the security risks they are facing and how to best allocate their limited resources.

Concluding, we hope the sister project, the OWASP CISO Guide, can help the CISO with practical guidance on how to deal with many of these key findings and to decide the right security investments and strategies for their organizations going forward.

Register to receive updates: OWASP is planning a new CISO survey and report in 2014
If you like to receive future releases of the OWASP CISO Survey and related CISO projects, you can register your email address here: https://docs.google.com/forms/d/1DBYIpWcx6IAZNHOXufdkLZKLIQXetwgbxxd7h_mqWN0/viewform

Your contact details will be kept strictly confidential and only used to send you updates about new releases of OWASP CISO projects and invitations to participate in the CISO Survey. And you can of course unsubscribe from this service at any time.