CISO Survey 2014 Questionnaire

=CISO Survey 2014 - Draft (initial version based on 2013)=

Page 1. Introduction
Thank you for taking the time to participate in the OWASP CISO Survey 2014, created by the Open Web Application Security Project (OWASP). There is no question that application security has become a serious concern in almost every industry. We created this survey to provide you with an opportunity to compare your organization with others on important application security issues and gain insights for making key decisions. The survey questionnaire consists of 26 questions. They relate to four areas of threats & risks, investments & challenges, tools & technology and governance & control within your organization. Your participation in responding to this questionnaire should require less than 20 minutes of your time. At the conclusion of the survey, the combined results will be publicly available on the owasp.org website. This survey can be conducted by keeping your profile completely anonymous. In case you are willing to provide your contact information, we will make sure that personal identifiable individual information and individual company information will not be disclosed in the survey report and be treated as confidential.

Page 2. Instructions
All responses in this survey are optional, but for the completeness of the report, please try to respond to all questions in the questionnaire. Please feel free to add additional information and views from colleagues in your organization.

Deadline for submission of the completed survey is 30 September, 2014.

Thank you for your participation!

Page 3. Threats and Risks - Information Security
1. Given the current threat landscape and the economic environment, do you perceive a change in the threats facing your organization? (choose all that apply) [1-3, increase, same, decrease, don't know:


 * A. External attacks or fraud(e.g., phishing, website attacks)
 * B. Internal attacks or fraud (e.g., abuse of privileges, theft of information)
 * C. No changes noted

2. Targeting (Infrastructure vs. Applications): In the your current threat landscape, what are the main areas of risk for your organization in % out of 100% in total:


 * A.Infrastructure %
 * B.Application %
 * C.Other %

3. Compared to 12 months ago, do you see a change in these areas: [1-3, increase, same, decrease, don't know):


 * A.Infrastructure
 * B.Application
 * C.Other

Page 4. Threats and Risks (continued) - Application Security
4. From the following list, which are the top five sources of application security risk within your organization? (Please mark your top area of risk with a "1," your second with a "2," your third with a "3," your fourth with a "4," and your fifth with a "5"):


 * A.Insecure source code development
 * B.Lack of awareness of application security issues within the organization
 * C.Poor/inadequate testing methodologies
 * D.Poor change control and version control procedures
 * E.Lack of budget to support application security initiatives
 * Lack of secure application development procedures or study materials
 * F.Poor deployment and configuration
 * G.Programs and projects (e.g. budget overruns, delays, poor quality)
 * H.Staffing (e.g.lack of security skills within team)
 * I.Third-party suppliers and outsourcing (e.g., lack of security, lack of assurance)
 * L.Other (please specify)

5. Regarding your top five areas of application security risk (above), which of the following statements best describes your organization's planned investment in these areas in the coming 12 months? (choose one):


 * A.Increasing level of investment planned
 * B.Decreasing level of investment planned
 * C.Relatively constant level of investment planned

5b. Which kind of attackers do you think are the three most likely to target your company in the next 12 months? (please rank with 1, 2 and 3)
 * Activists / Anonymous
 * insiders/employees
 * Criminals groups/professional fraudsters
 * Hobbyist hackers
 * Competitors
 * Suppliers/partners
 * Those involved in the industrial espionage
 * State sponsored spies
 * Other

Page 5. Investments and Challenges
6. Which of the following statements best describes your organization's annual investment in security? (choose one) Three columns: Decreasing ... / Relatively constant ... / :


 * A.Increasing as a percentage of total expenditures
 * B.Application Security is
 * C.Infrastructure Security is
 * D.Others (Security) is

7. Do you see new threats to web applications negatively impacting your organisation?

(Text)
 * A.No
 * B.Yes (If yes, how?)

8. How many data breaches did your company experience because of web application security incidents in the last 12 months? (DISCUSS: should we ask for numbers or ranges?) (DISCUSS: should we ask for number of breaches or incidents?)
 * Hundreds per day
 * More than one per day
 * One per week
 * A few per month
 * A few per year

(old question: Did your company experience a data breach because of a web application security incident in the last 12 months? A.No / B.Yes (If yes, what was the root cause of the incident, e.g. in terms of type of vulnerability or control gaps) (text) - was not so useful as 0 or any number and number of breaches could not be used to correlate with company size)

8b. 20.7 What are the main damages caused from cyber crime attacks? (pick up to 3) (DISCUSS: rank 1,2,3?)
 * Interruption of service
 * Direct financial loss, for example fraud
 * Theft of intellectual property
 * Loss of customer data
 * Reputation damage
 * Loss or compromise of personal data
 * I don't answer because this information is too sensitive
 * Other

8c. What is your estimate of potential damages due to security breaches your org experienced last year.
 * ranges? (DISCUSS: or is this just to difficult to find out and therefore too inaccurate to ask?)

9. Is your organization spending more on application security in response to a breach or security incident related to a web application? (choose one)


 * A.No
 * B.Yes

Page 6. Investments and Challenges (continued)
10. Please indicate your top five application security priorities for the coming 12 months from the following list. (Specify your top 5 priorities, marking your top priority with a "1," your second priority with a "2," etc.)


 * A.Application layer vulnerability management technologies and processes
 * B.Code review (static analysis of source code to find security defects)
 * C.Compliance with regulatory requirements (PCI-DSS, FISMA, etc.)
 * D.Deployment of application security infrastructure (such as web application firewalls)
 * E.Recruiting and retaining qualified application security resources
 * F.Secure development lifecycle processes (e.g., secure coding, QA process)
 * G.Security assurance for Cloud-based (SaaS, IaaS, PaaS, …) software purchased by your organization
 * H.Security assurance for COTS (commercial off-the-shelf) purchases by your organization
 * I.Security assurance for software developed by 3rd parties (outsourcing)
 * L.Security awareness and training for developers
 * M.Security metrics and reporting
 * N.Security testing of applications (penetration testing)
 * O.Security testing of applications (dynamic analysis, runtime observation)
 * P.Others (please specify)
 * Cyber Risk Management / Information security risk management
 * Data leakage/data loss prevention
 * Implementing security standards
 * Privacy
 * Securing mobile computing technologies
 * Infrastructure Security (e.g., antivirus, IDS, IPS, patching, encryption)
 * Threat and vulnerability management (e.g., security analytics, threat intelligence)
 * Incident response capabilities

Page 7. Relevance of OWASP
11. What is the level of significance of OWASP guidance, books and white papers within your organization? (Scale of 1-5, where 1 is the "least significant" and 5 is the "most significant")


 * A.Awareness material (e.g. Top-10)
 * B.Application development policy
 * C.Code development guidelines
 * D.Reference to leading practice
 * E.Testing methodologies
 * F.Staff attending local OWASP chapter meetings for information
 * G.Staff attending OWASP AppSec conferences

Page 8. Relevance of OWASP (continued)
12. Which of the following OWASP projects has your organization found useful? (choose all that apply) [1-3, very useful, somewhat useful, not useful for us, don't know it]

Other (please explain)
 * A.AntiSamy
 * B.Application Security FAQ
 * C.Application Security Verification Standard (ASVS)
 * D.AppSensor
 * E.Cheatsheets
 * F.CISO Guide
 * G.Code Review Guide
 * H.Development Guide
 * I.ESAPI (Enterprise Security API)
 * L.Http Post Tool
 * M.JBroFuzz
 * N.Legal Project
 * O.LiveCD/WTE
 * P.Mod_Security Core Ruleset
 * Q.OpenSAMM
 * R.O2
 * S.OWASP Top-10
 * T.RFP Criteria
 * U.Ruby on Rails Security Guide
 * V.Secure Coding Practices Quick Reference
 * Z.Software Assurance Maturity Methodology (openSAMM)
 * K.Testing Guide
 * X.Webgoat
 * W.WebScarab
 * Y.Zed Attack Proxy (ZAP)
 * J.None. I am not familiar with any OWASP Projects.

Page 9. Challenges for Application Security
13. What is the level of challenge related to effectively delivering your organization's application security initiatives for each of the following? (Scale of 1-5, where 1 is "not a challenge" and 5 is "significant challenge"), Not a Challenge,Significant Challenge


 * A.Adequate budget
 * B.Availability of skilled resources
 * C.Business uncertainty
 * D.Justifying business case
 * E.Conflicting business requirements
 * F.Emerging technologies (e.g., application vulnerability scanners, web application firewalls)
 * G.Level of security awareness by the developers
 * H.Management awareness and sponsorship
 * I.Organizational change
 * L.Regulatory change or uncertainty
 * M.Others (please specify)

Page 10. Tools and Technology
14. Does your organization use any specific technology tools to support the application security management process?


 * A.Yes
 * B.No

15. Which of the following technology tools does your organization use or are planned to be implemented by your organization to provide application security capability? (choose all that apply) Currently in use, Planned within 12-18 months,No plans to implement

(please specify other below):
 * A.Web application firewalls
 * B.Source code analyzers
 * C.Runtime analyzers
 * D.Application Vulnerability Scanners
 * E.Desktop Web Application Vulnerability Scanners
 * F.Manual Code Review (e.g., 3rd party experts)
 * G.Other

Page 11. Tools and Technology (continued)
16. As part of your information security management program, do you... Currently in use,Planned within 12-18 months,No plans to implement


 * A.use a SDLC (Secure development lifecycle)
 * B.conduct security training
 * C.document and enforce security guidelines
 * D.specify security requirements
 * E.use risk management
 * F.use threat modelling
 * G.specify security requirements
 * H.secure architecture
 * I.use tested common security modules/frameworks
 * L.do code reviews
 * M.testing with test cases for security
 * N.harden the deployment environment
 * O.have a vulnerability management process

Page 12. Governance and Control
17. Does your organization have a documented application security strategy?


 * A.Yes
 * B.No

18. For how long does this application security strategy plan ahead?
 * A 3 months
 * B 6 months
 * C 1 year,
 * D 2 years,
 * E 3 years,
 * F 5 years+ (circle one)

19. Your application security strategy: (choose all that apply)


 * A....has been reviewed and updated within the past 12 months
 * B...is aligned with, or integrated into, the organization's business strategy
 * C...is aligned with, or integrated into, the organization's IT strategy
 * D...outlines our key security activities for the next 12 months

20a. Please rate how confident you are about the effectiveness of your current cyber security in the following areas
 * backend servers and databases
 * middleware servers
 * desktop
 * in web scenarios on the PC of users outside your organisation

(rate: 1-5 very confident - not confident)

Page 13. Governance and Control (continued)
20. Which of the following statements best describes your organization's application security strategy in regards to the risks associated with the increased use of social networking, personal devices, or cloud computing? (choose one)


 * A.Our current application security strategy adequately addresses the risks
 * B.We need to modify our strategy to address the new risks
 * C.We need to investigate further to understand the risks
 * D.We do not see any new or increased risks associated with these technologies

21. Has your organization implemented an Application Security Management System (ASMS) or Maturity Model (e.g., OWASP SAMM) that covers overall management of application security? (choose one)


 * A.Yes, implemented and formally certified/verified by a third party
 * B.Yes, without verification
 * C.Yes, currently in the process of implementing
 * D.No, but considering it
 * E.No, and not considering it

Page 14. Governance and Control (continued)
22. From the following list of application security standards or frameworks, which are used by your organization? (choose all that apply)


 * A.BSIMM
 * B.Capability Maturity Model Integration (CMMI)
 * C.CLASP
 * D.CobIT
 * E.COSO
 * F.Information Security Forum's (ISF) Standard of Good Practice
 * G.Information Technology Infrastructure Library (ITIL)
 * H.ISO/IEC 27001:2005 27002:2005
 * I.MS SDL
 * L.NIST Handbooks (e.g., the "800 Series")
 * M.Octave
 * N.Open SAMM
 * O.PCI DSS
 * P.Other (please specify)

Page 15. Governance and Control (continued)
23. How does your organization assess the quality and effectiveness of application security? (choose all that apply)


 * A.Internal self assessments by IT or application security function
 * B.Assessments performed by other internal function
 * C.Assessment by external party/third party
 * D.Formal certification to external security standards
 * E.Formal certification to industry security standards (e.g., Payment Card Industry Data F.Security Standard)
 * G.Code review and metrics
 * H.No assessments performed

24. How do you verify that your external partners, service providers or contractors are protecting your organization's information from an application security standpoint? (choose all that apply):


 * A.Assessments performed by your organization's application security, procurement or internal audit function (e.g., site visits, security testing)
 * B.Independent external assessments of partners, vendors or contractors
 * C.Self assessments or other certifications performed by partners, vendors, or contractors
 * D.No reviews or assessments performed

24b. Incident Response Best practices (DISCUSS: should we add a question about incident response. E.g. priorities between "stop the bleeding" and "capture evidence for prosecution") Other ideas?

24c. How confident do you feel in the effectiveness of processes and resources to recover from a significant cyber security incident? rate 1-5 (very low - very high)

24d. Process of Incident Response:
 * Contact law enforcement
 * Contact CERT
 * Run an internal investigation
 * share information with other companies

25. How you describe your job role/function?


 * A.Chief Operating Officer
 * B.Chief Information Officer
 * C.Chief Application Security Officer
 * D.Chief Security Officer
 * E.Chief Privacy Officer
 * F.Chief Compliance Officer
 * G.Chief Technology Officer
 * H.Chief Risk Officer
 * I.Business Unit Executive/Vice President
 * L.Information Technology Executive
 * M.Application Security Executive
 * N.Network/System Administrator
 * O.Internal Audit Director/Manager
 * P.Other: (please specify)

Page 16. Governance and Control (Scope of the CISO role)
26. CISO Functions & Responsibilities: Which of these functions are within you area of responsibility? (select all the ones that apply to you)


 * A.Develop, articulate and implement risk management strategy for applications
 * B.Develop and implement policies, standards and guidelines for application security
 * C.Develop implement, manage and report on application security governance processes
 * D.Develop and implement software security activities (e.g. S-SDLC) and security testing processes
 * E.Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 * F.Measure and monitor security and risks of web application assets within the organization
 * G.Application Vulnerability Management
 * H.Network Security and perimeter defense
 * I.Define, identify and assess the inherent security of critical web application assets, assess threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions
 * L.Procure new web application processes, services, technologies and testing tools for the organization
 * M.Application security training and awareness for information security and software development teams
 * N.Develop, articulate and implement continuity planning/disaster recovery for web applications
 * O.Investigate and analyze suspected security incidents and data breaches and recommend corrective actions

Page 17: Wishes and suggestions
And last but not least, all your feedback is very important to us and the community is continuously striving to improve. If you could wish freely, what kind of OWASP project, guidance or tool would you like to see in the future that could really improve your daily life and operation around web and application security?

Page 18. This Completes the Survey
This completes the survey. We would appreciate if could also provide a few personal and professional details. This will provide us valuable information about your industry and position helping us to analyze the survey data by industry and type of organization. It will also provide you an opportunity to leave your contact information if you would like us to follow up with you regarding the survey results. Once again, all responses are optional and especially your contact data will be treated as confidential and used only for the evaluation of this survey

A.Yes, I am willing to take a couple more minutes to assist with survey benchmarking. B.No, I prefer to exit the survey at this point.

Page 19. Optional: Participant Information
(*)We reccomend do not type your first name, last name and email in the survey herein but send it over to the survey's point of contact by email since this information is considered personal identifiable information and we would like to be treated as strictly confidential.


 * (*)Name of person completing survey: (optional, will be treated strictly confidential)
 * (*)Email address: (optional, will be treated strictly confidential and only be used to send you a link to the final survey report after it's completion)
 * Title of delegate completing survey:
 * Chief Operating Officer
 * Chief Information Officer
 * Chief Application Security Officer
 * Chief Security Officer
 * Chief Privacy Officer
 * Chief Compliance Officer
 * Chief Technology Officer
 * Chief Risk Officer
 * Business Unit Executive/Vice President
 * Information Technology Executive
 * Application Security Executive
 * Network/System Administrator
 * Internal Audit Director/Manager
 * Other: (please specify)

To further refine our survey data by a qualitative component, we would also like to ask whether you would potentially be open for a 30 minute confidential phone interview to further refine certain areas and learn more about your views for future surveys and application security projects that matter to you. All data will be treated as confidential and only be used in anonymous and aggregated form.
 * If you are ok with us contacting you for a 30-minute phone interview, please provide your email address (*) (again):

Are you aware of the OWASP CISO guide (link to CISO guide, https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs) ?
 * A No
 * B Yes

Are there specific additional areas you would like us to cover in future versions of the CISO guide? (text)
 * A No
 * B Yes

Page 20. Organization Information

 * Organization name: (optional)
 * Country:
 * Ownership: (choose one)
 * Public - traded on stock exchange
 * Private - not traded on stock exchange
 * Government or non-profit


 * Total number of employees: (choose one)
 * Less than 100
 * 100 to 999
 * 1,000 to 9,999
 * 10,000 to 49,999
 * 50,000 to 100,000
 * More than 100,000


 * Annual revenue (in USD): (choose one)
 * Less than $100 million
 * $100 million to $249 million
 * $250 million to $499 million
 * $500 million to $999 million
 * $1 billion to $9 billion
 * $10 billion to $24 billion
 * More than $24 billion
 * Not applicable


 * Industry: (choose one)
 * Aerospace and Defense
 * Airlines
 * Asset Management
 * Automotive
 * Banking & Capital Markets
 * Chemicals
 * Consumer Products
 * Government & Public Sector
 * Insurance
 * Media & Entertainment
 * Mining & Metals
 * Oil & Gas
 * Power & Utilities
 * Professional Firms & Services
 * Real Estate
 * Retail & Wholesale
 * Technology
 * Telecommunications
 * Transportation
 * Other: (please specify)


 * Where is your organisation’s headquarters?
 * Region: US/Latam/Africa/EU/ME/Asia/Australasia
 * Country:


 * At what level is your organisation operating?
 * National Level
 * Regional Level
 * Global Level

Page 21. Thank You
Thank you again for your time and considering in completing this survey. Please contact Tobias Gondrom at tobias.gondrom@owasp.org with any questions or comments regarding the contents of this survey.