CISO Survey 2014 Questionnaire

= CISO Survey 2014 - final version =

Here to the live Survey: https://www.surveymonkey.com/s/CISOSurvey2014

Page 1. Introduction
Thank you for taking the time to participate in the OWASP CISO Survey 2014, created by the Open Web Application Security Project (OWASP). There is no doubt that application security has become a serious concern in almost every industry. We created this survey to provide you with an opportunity to compare your organization with others on important application security issues and gain insights for making key decisions. The survey questionnaire consists of 36 questions. They relate to four areas of threats & risks, investments & challenges, tools & technology and governance & control within your organization. Your participation in responding to this questionnaire should require less than 20 minutes of your time. At the conclusion of the survey, the combined results will be publicly available on the owasp.org website. This survey can be conducted by keeping your profile completely anonymous. In case you are willing to provide your contact information, we will make sure that personal identifiable individual information and individual company information will not be disclosed in the survey report and be treated as confidential. Instructions All responses in this survey are optional, but for the completeness of the report, please try to respond to all questions in the questionnaire. Please feel free to add additional information and views from colleagues in your organization. Deadline for submission of the completed survey is 30 September 2014. Thank you for your participation!

Page 2. Threats and Risks
1. Given the current threat landscape and economic environment, do you perceive a change in the threats facing your organization? (Increase, Same, Decrease, Don't know)
 * External attacks or fraud (e.g. phishing, website attacks)
 * Internal attacks or fraud (e.g. abuse of privileges, theft of information)

2. Targeting (Infrastructure vs. Applications): In your current landscape, what are the main areas of risk for your organization in % out of 100% total?: (0%	10%	20%	30%	40%	50%	60%	70%	80%	90%	100%) Other (please specify)
 * Infrastructure %
 * Application %
 * Other %

3. Compared to 12 months ago, do you see a change of threats in these areas: (1-3, increase, same, decrease, don't know) Other (please specify)
 * Infrastructure
 * Application
 * Other

4. From the following list, which are the top five sources of application security risk within your organization? (Please mark your top area of risk with a "1", your second with a "2", your third with a "3", your fourth with a "4", an your fifth with a "5") (1 (Top 1 risk), 2 (Second), 3, 4, 5)

Other (please specify)
 * Insecure source code development
 * Lack of awareness of application security issues within the organization
 * Poor/inadequate testing methodologies
 * Poor change control and version control procedures
 * Lack of budget to support application security initiatives
 * Lack of secure application development procedures or study materials
 * Poor deployment and configuration
 * Programs and projects (e.g. budget overruns, delays, poor quality)
 * Staffing (e.g. lack of security skills within team)
 * Third-party suppliers and outsourcing (e.g. lack of security, lack of assurance)
 * Other

5. Which kind of attackers do you think are the three most likely to target your company in the next 12 months? Other (please specify)
 * Activists / Anonymous
 * Criminals groups/professional fraudsters
 * Hobbyist hackers
 * Insiders/employees
 * Competitors
 * Suppliers/partners
 * Those involved in corporate/industrial espionage
 * State sponsored spies
 * Other

Page 3. Investments and Challenges
6. Security Budget: how much is your company's total cyber security budget per year (in USD)? (drop down menue)

7. What is your estimate about how much in % of the total annual IT budget your company spends on cyber security? (drop down menue)

8. When compared with last year, total cyber security spending over the next 12 months will (Increase more than 100%, Increase by 50-100%, Increase 10% to 50%, Increase up to 10%, Stay the same, Decrease less than 10%, Decrease 10% to 30%, Decrease 30% to 50%, Decrease by more than 50%, Do not know)

9. Which of the following statements best describes your organization's annual investment in security? (Choose one). (Decreasing, About the same, Increasing, Don't know.) Other (please specify)
 * Our overall information security investment is
 * Application Security investment is
 * Infrastructure Security investment is
 * Other security investment is

10. Do you see new threats to web applications negatively impacting your organization? (Yes, No) If Yes, how?

11. How many security breaches did your company experience in the last 12 months? (drop down)
 * None
 * 1
 * 2
 * 3
 * 4
 * 5
 * 6
 * 7
 * 8
 * 9
 * 10
 * 15
 * 20
 * 30
 * 40
 * 60
 * 80
 * 100
 * more than 100

12. How many of them were because of web application related security incidents? (drop down) If so, what was the most common root cause of the incident(s) (e.g. in terms of type of vulnerability or control gaps)

13. In your view, what were the three main damage types caused by cyber attacks? (please rank with "1" most damaging, "2" second, and "3" third) ( 1 - most damaging, 2 - second, 3 - third) Other (please specify)
 * Interruption of service
 * Direct financial loss, for example fraud
 * Theft of intellectual property
 * Loss of customer data
 * Reputation damage
 * Loss or compromise of personal data
 * Other

14. Is your organization spending more on application security in response to a breach or after a security incident related to a web application? ( Yes, No)

Page 4. Investments and Challenges (continued)
15. Please indicate your top five security priorities for the coming 12 months from the following list. (Mark your top priority with a "1", your second priority with a "2", etc.) ( 1 - top priority, 2 - 2nd priority, 3 - 3rd priority, 4 - 4th priority, 5 - 5th priority)


 * Application layer vulnerability management technologies and processes
 * Code review (static analysis of source code to find security defects)
 * Compliance with regulatory requirements (PCI-DSS, FISMA, etc.)
 * Cyber Risk Management / Information security risk management
 * Deployment of application security infrastructure (such as web application firewalls)
 * Data leakage/data loss prevention
 * Implementing security standards
 * Incident response capabilities
 * Infrastructure Security (e.g., antivirus, IDS, IPS, patching, encryption)
 * Mobile devices security
 * Penetration testing
 * Privacy
 * Recruiting and retaining qualified application security resources
 * Security awareness and training for developers
 * SDLC - Secure development lifecycle processes (e.g., secure coding, QA process)
 * Security assurance for Cloud-based (SaaS, IaaS, PaaS, …) software purchased by your organization
 * Security assurance for COTS (commercial off-the-shelf) purchases by your organization
 * Security assurance for software developed by 3rd parties (outsourcing)
 * Security metrics and reporting
 * Security testing of applications (dynamic analysis, runtime observation)
 * Threat and vulnerability management (e.g., security analytics, threat intelligence)
 * Others (please specify)

Page 5. Relevance of OWASP
16. What is the level of significance of OWASP guidance, books and white papers within your organization? ( Extremely significant, Very significant, Significant, Somewhat significant, Not significant)
 * Awareness materials (e.g. Top-10)
 * Application development policy
 * Code development guidelines
 * Reference to leading practice
 * Testing methodologies
 * Staff attending local OWASP chapter meetings for information
 * Staff attending OWASP AppSec conference

17. Which of the following OWASP projects has your organization found useful? (Choose all that apply). ( Very useful, Somewhat useful, Not useful for us, Don't know it)
 * AntiSamy
 * Application Security FAQ
 * Application Security Verification Standard (ASVS)
 * AppSensor
 * Broken Web Applications Project
 * Cheatsheets
 * CISO Guide
 * CISO Survey Report 2013
 * Code Review Guide
 * Cornucopia (Threat Management game)
 * Development Guide
 * ESAPI (Enterprise Security API)
 * Http Post Tool
 * JBroFuzz
 * Legal Project
 * LiveCD/WTE
 * Mod_Security Core Ruleset
 * OpenSAMM
 * O2
 * OWASP Top-10
 * RFP Criteria
 * Ruby on Rails Security Guide
 * Secure Coding Practices - Quick Reference Guide
 * Testing Guide
 * Webgoat
 * WebScarab
 * Zed Attack Proxy (ZAP)
 * None. I am not familiar with any OWASP projects.
 * Other (please specify)

Page 6. Challenges for Application Security
18. When delivering your organization's application security initiatives, how challenging are the following aspects? ( Not a challenge, Slightly challenging, Challenging, Very challenging, Extremely challenging, N/A) Other (please specify)
 * Adequate budget
 * Availability of skilled resources
 * Business uncertainty
 * Justifying business case
 * Conflicting business requirements
 * Emerging technologies
 * Level of security awareness by the developers
 * Management awareness and sponsorship
 * Organizational change
 * Regulatory change or uncertainty
 * Other

Page 7. Tools and Technology
19. Does your organization use any specific technology tools to support the application security management process? ( Yes, No)

20. Which of the following technology tools does your organization use or are planned to be implemented by your organization to provide application security capability? (Choose all that apply) ( Currently in use, Planned within 12-18 months, No plans to implement) Other (please specify)
 * Application Vulnerability Scanners
 * Desktop Web Application Vulnerability Scanners
 * Runtime analyzers
 * Source code analyzers or scanners
 * Web application firewalls
 * Other

21. As part of your information security management program, do you... ( Currently in use, Planned within 12-18 months, No plans to implement)
 * Use a SDLC (Secure development life cycle)
 * Conduct security training
 * Document and enforce security guidelines
 * Use risk management
 * Use threat modeling
 * Specify security requirements
 * Secure architecture
 * Use tested common security modules/frameworks
 * Do code reviews
 * Testing with test cases for security
 * Harden the deployment environment
 * Have a vulnerability management process

Page 8. Governance and Control
22. How confident are you that your organization is protected from cyber security risk? ( we are very secure, we are good, we are ok, we have problems, we are not secure, Don't know.)

23. Do you routinely assess your organisation's cyber security? (No. We do not asses., infrequently, or less than once per year, ca. once per year, between once per year to once per month, once per month or more, or continously, Don't know.)

24. Security reporting: Does your company board receive cyber security briefings? ( Yes, No, Other (please specify))

25. What metrics should the security manager focus on when reporting to the board? Can you provide suggestions or examples? (text)

26. Does your organization have a documented security strategy (incl. application security)? ( Yes, No)

27. For how long time does this security strategy plan ahead? ( 3 months, 6 months, 1 year, 2 years, 3 years, 5+ years, N/A or don't know)

28. Your application security strategy (choose all that apply)
 * ...has been reviewed and updated within the past 12 months
 * ...is aligned with, or integrated into, the organization's business strategy
 * ...is aligned with, or integrated into, the organization's IT strategy
 * ...outlines our key security activities for the next 12 months

29. Which of the following statements best describes your organization's security strategy with regards to the risks of new technologies, like the increased use of social networking, personal mobile devices, or cloud computing? (Choose one)
 * Our current application security strategy adequately addresses the risks
 * We need to modify our strategy to address the new risks
 * We need to investigate further to understand the risks
 * We do not see any new or increased risks associated with these technologies

Page 9. Governance and Control (continued)
30. Has your organization implemented an Application Security Management System (ASMS) or Maturity odel (e.g. OWASP SAMM) that covers overall management of application security? (Choose one)
 * Yes, implemented and formally certified/verified by a third party
 * Yes, without verification
 * Yes, currently in the process of implementing
 * No, but considering it
 * No, and not considering it

31. Which of the following list of application security standards or frameworks, are used by your organization? (Choose all that apply)
 * BSIMM
 * Capability Maturity Model Integration (CMMI)
 * CLASP
 * CobIT
 * COSO
 * Information Security Forum's (ISF) Standard of Good Practice
 * Information Technology Infrastructure Library (ITIL)
 * ISO/IEC 27001:2005 27002:2005
 * MS SDL
 * NIST Handbooks (e.g. the "800 Series")
 * Octave
 * Open SAMM
 * PCI DSS
 * Other (please specify)

32. How does your organization assess the quality and effectiveness of application security? (Choose all that apply)
 * Internal self assessments by IT or application security function
 * Assessments performed by other internal function
 * Assessment by external party/third party
 * Formal certification to external security standards
 * Formal certification to industry security standards (e.g. Payment Card Industry Data F, Security Standard)
 * Code review and metrics
 * No assessments performed

33. Suppliers & External Partners: How do you verify that your external partners, service providers or contractors are protecting your organization's information from an application security standpoint? (Choose all that apply)
 * We communicate our security requirements to our key suppliers and partners
 * Asessments performed by our organization's application security, procurement or internal audit function (e.g. site visits, security testing)
 * Independent external assessments of partners, vendors or contractors
 * Self assessments or other certifications performed by partners, vendors or contractors
 * No reviews or assessments performed

34. Incident Response: How confident do you feel about the effectiveness of processes and resources to recover from a significant cyber security incident? rate (5: very high - 1: very low) ( Very confident, confident, Somewhat confident, some doubts, Not confident, N/A - Don't know)

35. In the last 12 months, have you experienced, exercised or prepared how you will recover from a cyber security incident? ( Yes, No, N/A - Don't know)

36. Incident Response and Sharing of Information: When an incident or breach occurs, would you usually as part of your normal incident response procedures... (choose all that apply)
 * conduct an informal root cause analysis
 * run a formal internal investigation
 * contact an external CERT or independent non-profit from a country/region or industry
 * contact law enforcement
 * share information with other companies (like peers in your industry)
 * be required by law to report security incidents to a regulator or government.

Page 10. CISO role and information security function
37. Job Title: How do you describe your job role/function? (new column) (new column)
 * CISO (Chief Information Security Officer)
 * Chief Security Officer
 * Chief Risk Officer
 * Chief Privacy Officer
 * Chief Compliance Officer
 * CTO (Chief Technology Officer)
 * COO (Chief Operating Officer)
 * CIO (Chief Information Officer)
 * CFO (Chief Financial Officer)
 * Business Unit Executive/Vice President
 * Head of Information Security & Risk
 * Head of IT Security
 * Head of Audit
 * Security Architect
 * Security Officer
 * Application Security Executive
 * Head of IT
 * Head of Development
 * Internal Audit Director/Manager
 * Developer
 * Information Technology Executive
 * Network/System Administrator
 * Other (please specify)

38. Who are you reporting to? (new column) (new column)
 * CEO (Chief Executive Officer)
 * CIO (Chief Information Officer)
 * COO (Chief Operating Officer)
 * CMO (Chief Marketing Officer)
 * CTO (Chief Technology Officer)
 * CFO (Chief Financial Officer)
 * Chief Risk Officer
 * CISO (Chief Information Security Officer)
 * Chief Security Officer
 * Chief Privacy Officer
 * Chief Compliance Officer
 * GC (General Counsel)
 * Board of Directors
 * Country Company CEO / Regional Company CEO
 * Business Unit Executive/Vice President
 * Head of Information Security & Risk
 * Head of IT Security
 * Head of Audit
 * Head of IT
 * Head of Development
 * Head of Architecture
 * Internal Audit Director/Manager
 * Other (please specify)

39. Size of Security Team: How many FTEs (full-time employees, incl. contractors) does your organization employ within the information security function? (number)

40. CISO Functions & Responsibilities: Which of these functions are within your area of responsibility? (Select all that apply to you)
 * Develop, articulate and implement risk management strategy for applications
 * Develop and implement policies, standards and guidelines for application security
 * Develop, implement, manage and report on application security governance processes
 * Develop and implement software security activities (e.g. S-SDLC) and security testing processes
 * Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
 * Measure and monitor security and risks of web application assets within the organization
 * Application Vulnerability Management
 * Network Security and perimeter defense
 * Define, identify and assess the inherent security of critical web application assets, assess threats, vulnerabilities, business impacts and recommend countermeasures / corrective actions
 * Procure new web application processes, services, technologies and testing tools for the organization
 * Application security training and awareness for information security and software development teams
 * Develop, articulate and implement continuity planning/disaster recovery for web applications
 * Investigate and analyze suspected security incidents and data breaches and recommend corrective actions
 * Report on company security to the board
 * Other (please specify)

41. CISO Salary benchmarking: So we can build and provide the CISO community with a salary benchmark: What is your current total yearly salary (total package, incl. base and bonus) in USD? (your data will of course be anonymized and treated as strictly confidential, like all other data in this survey) (new column) (new column)
 * $0-$24,999
 * $25,000-$49,999
 * $50,000-$74,999
 * $75,000-$99,999
 * $100,000-$124,999
 * $125,000-$149,999
 * $150,000-$174,999
 * $175,000-$199,999
 * $200,000-$249,999
 * $250,000-$299,999
 * $300,000-$349,999
 * $350,000-$399,999
 * $400,000 and up
 * Don't want to say.
 * Other (please specify)

Page 11. Wishes and Suggestions
42. And last, but not least, all your feedback is very important to us and the community is continuously striving to improve. If you could wish freely, what kind of OWASP project, guidance or tool would you like to see in the future that could really improve your daily life and operation around web and application security? (text) This completes the main part of the survey.

This completes the survey. We would appreciate if could also provide a few personal and professional details. This will provide us valuable information about your industry and position helping us to analyze the survey data by industry and type of organization. It will also provide you an opportunity to leave your contact information if you would like us to follow up with you regarding the survey results. Once again, all responses are optional and especially your contact data will be treated as confidential and used only for the evaluation of this survey.

Page 12. OPTIONAL: Participant Information (treated as strictly confidential)
43. Participate in lucky draws: To thank you for your time answering this survey, there will be lucky draws among all people who answered. You can win valuable conference tickets, CISO training tickets and other prizes. Do you wish to participate in these lucky draws? (in which case we would need you to enter your email address below, so we can notify you if you win) (Yes, No)

44. CISO updates: We can send you a copy (of course for free) when this survey report will be released. Do you wish to receive CISO updates from OWASP via email? ( Yes, No)

45. Participant Information (optional; email address is needed if you like to participate in the lucky draws to win one of the prizes):
 * Name:
 * Company:
 * City/Town:
 * Country:
 * Email Address:
 * Phone Number:

46. What specific additional areas would you like us to cover in future versions of the OWASP CISO Survey and OWASP CISO Guide? (text)

47. To further refine our survey data by a qualitative component, we would also like to ask whether you would potentially be open for a 30-minute confidential phone interiew with one of our researchers to further refine certain areas and learn more about your views for future surveys and application security projects that matter to you. All data will be treated as confidential and only be used in anonymous and aggregated forms.

If you are okay with us contacting you for a 30-minute phone interview, please provide your email address or phone number to reach you (again): (text)

Page 13. Organization Information
48. In which country is your organization's headquarter? (text)

49. Ownership:
 * Public - traded on stock exchange
 * Private - not traded on stock exchange
 * Government
 * Non-profit

50. Industry: (new column) (new column)
 * Aerospace and Defense
 * Airlines
 * Asset Management
 * Automotive
 * Banking & Capital Markets
 * Chemicals
 * Consumer Products
 * Government & Public Sector Insurance
 * Media & Entertainment
 * Mining & Metals
 * Oil & Gas Power & Utilities
 * Professional Firms & Services
 * Real Estate
 * Retail & Wholesale Technology
 * Technology
 * Telecommunications
 * Transportation
 * Other (please specify)

51. Number of employees in your company: (new column) (new column)
 * <100
 * 100 - 500
 * 500 - 1,000
 * 1,000 - 2,000
 * 2,000 - 5,000
 * 5,000 - 10,000
 * 10,000 - 20,000
 * 20,000 - 30,000
 * 30,000 - 40,000
 * 40,000 - 50,000
 * 50,000 - 60,000
 * 60,000 - 80,000
 * 80,000 - 100,000
 * 100,000 - 150,000
 * 150,000 - 200,000
 * more than 200,000

52. Annual Revenue (in USD): (new column) (new column)
 * < $10 million USD
 * $10 million - $50 million USD
 * $50 million - $100 million USD
 * $100 million - $200 million USD
 * $200 million - $500 million USD
 * $500 million - $1 billion USD
 * $1 billion - $5 billion USD
 * $5 billion - $10 billion USD
 * $10 billion - $20 billion USD
 * $20 billion - $50 billion USD
 * $50 billion - $100 billion USD
 * more than $100 billion USD

53. At what level is your organisation operating (predominantly)?
 * National level
 * Regional level
 * Globally

Page 14. Thank You
Thank you very much for your time and consideration in completing this survey. Your insights are highly appreciated and will help to further develop knowledge and best practices across the global CISO community.

For any questions or comments regarding the contents of this survey, or if you like to support or sponsor this OWASP project, please contact the project lead Tobias Gondrom at tobias.gondrom@owasp.org.

For information about release dates, roadmap and how you could contribute and join the team if you wish so, here also the link to the OWASP CISO Survey Project page: https://www.owasp.org/index.php/OWASP_CISO_Survey_Project