CISO Survey 2013: Governance and control
4. Governance and control
It is noteworthy that although two thirds of organizations use technical tools to support their programs, only about 57% have a documented application security strategy to guide their program decisions. The median security strategy timespan is 1 year, with about half of the organizations using timespans of 1 year or less and the other half 2 years or more. As noted in the section on investments, there appears to be a correlation "sweet spot" for increasing your security budget if you use a planning horizon of two years (but note that we did not see additional budget advantages when going beyond the 2-year horizon).
Alignment and review of the security strategy
A further interesting observation: although the large majority have reviewed and updated their strategy within the past 12 months, only half of the security strategies are aligned with or integrated into the organization's business strategy, and only half outline the key security activities for the next 12 months. Considering that CISOs name an awareness gap among senior management for security topics as one of their challenges, it might be a good idea to build that bridge from both ends: sharpen awareness of security issues and, at the same time, align the security strategy with the business strategy, thus making it more relevant for day-to-day business decisions.
| And of those with an application security strategy, this strategy | Share |
|---|---|
| … has been reviewed and updated within the past 12 months | 76% |
| … is aligned with, or integrated into, the organization's IT strategy | 65% |
| … is aligned with, or integrated into, the organization's business strategy | 53% |
| … outlines our key security activities for the next 12 months | 51% |
The question is not only whether your strategy is up to date and aligned with your business strategy; new risks are constantly arising, so we asked CISOs how confident they are that their current strategy addresses the new risks associated with the increased use of social networking, personal devices, or cloud. Only one third found their strategy sufficient, while two thirds either need to investigate or modify how these new technology risks affect their security and security strategy.
Use of Application Security Management Systems (ASMS) and Maturity Models
We also noted that only a small portion of CISOs are currently using an ASMS or maturity models to assess their security status and to develop their security roadmap or strategy based on that assessment. In fact, only one in four is using or is currently in the process of implementing an ASMS.
This is interesting, as some may argue that it is vital to understand your current position in order to formulate an adequate security strategy going forward. However, ASMS and maturity models come in many different shapes and sizes, and some of them can require great effort just to obtain this first assessment.
(On a personal note: I found the OWASP openSAMM a very fast and lightweight maturity model to get that first assessment with just a few hours on an afternoon with some of my CISO clients. And building on that you can develop your security roadmap very quickly. And you may notice that openSAMM is still used in only very few organizations, as you can see from the following graph.)
Frameworks and Security Management Systems used by organizations
Going beyond the maturity models, we also wanted to see which systems organizations use at the moment. Clearly the ISO 2700x standards are the most common, used by nearly half of the organizations. Using a maturity model, however, still seems to be an exotic approach today, practiced by only a minority.
Assessing the quality and effectiveness of application security
Although the use of external frameworks is relatively low, the vast majority (85%) of organizations perform assessments of their application security in one way or another, most of them through internal self-assessments by IT or application security functions.
Assessment of external partners, service providers and contractors
The CISO role: scope and areas of responsibility
Last but not least, we also took a closer look at the role and responsibilities of the CISO. They still seem to vary a great deal between organizations and across industries. So we were curious about the current extent of the surveyed CISOs' areas of responsibility, and especially about how far their domain stretches when it comes to application security related questions.
Interestingly, while CISOs find policies and metrics close to their desk, nearly one third of the CISOs find secure development processes (SDLC) outside their area of responsibility, and nearly one fourth of the CISOs do not have security training and awareness in their area of responsibility. This might be due to delegation to other application stakeholders and/or lower levels of functional management. It could also indicate a gap in aligning CISO responsibilities for application security within risk management, governance and compliance. It will be interesting to see whether the CISO role evolves further when we revisit the CISO role and responsibilities in the next iteration of the CISO survey in 2014.
| CISO Functions & Responsibilities: areas of responsibility | Share |
|---|---|
| Investigate and analyze suspected security incidents and data breaches and recommend corrective actions | 89% |
| Develop and implement policies, standards and guidelines for application security | 86% |
| Measure and monitor security and risks of web application assets within the organization | 86% |
| Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited | 83% |
| Network security and perimeter defense | 83% |
| Define, identify and assess the inherent security of critical web application assets, assess threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions | 80% |
| Application security training and awareness for information security and software development teams | 77% |
| Develop, articulate and implement risk management strategy for applications | 77% |
| Application vulnerability management | 71% |
| Develop and implement software security activities (e.g. S-SDLC) and security testing processes | 63% |
| Develop, implement, manage and report on application security governance processes | 60% |
| Procure new web application processes, services, technologies and testing tools for the organization | 57% |
| Develop, articulate and implement continuity planning/disaster recovery for web applications | 54% |