CISO Survey 2013: Governance and control

From OWASP


4. Governance and control

Security Strategy

It is noteworthy that, although two thirds of organizations use technical tools to support their programs, only about 57% have a documented application security strategy to guide their program decisions. The median security strategy timespan is 1 year: about half of the organizations plan for 1 year or less and the other half for 2 years or more. As noted in the section on investments, there appears to be a correlation "sweet spot" for increasing your security budget when you use a planning horizon of two years (note, however, that we did not see additional budget advantages beyond the 2-year horizon).

[Figure: CISO Survey 2013 14 strategy.png]

[Figure: CISO Survey 2013 15a table strategy horizon.png]

[Figure: CISO Survey 2013 15 strategy horizon.png]

Alignment and review of the security strategy

A further interesting observation: although the large majority have reviewed and updated their strategy within the past 12 months, only half of the security strategies are aligned with or integrated into the organization's business strategy, and only half outline the key security activities for the next 12 months. Considering that CISOs name the limited security awareness of senior management as one of their challenges, it might be a good idea to build that bridge from both ends: sharpen awareness of security issues and, at the same time, align the security strategy with the business strategy, thus making it more relevant for day-to-day business decisions.

Of those with an application security strategy, this strategy:
… has been reviewed and updated within the past 12 months 76%
… is aligned with, or integrated into, the organization's IT strategy 65%
… is aligned with, or integrated into, the organization's business strategy 53%
… outlines our key security activities for the next 12 months 51%

Do strategies address new technology risks, related to social networking, personal devices, or cloud?

The question is not only whether your strategy is up to date and aligned with your business strategy; new risks are constantly arising as well. We asked CISOs how confident they are that their current strategy addresses the new risks associated with the increased use of social networking, personal devices, or cloud. Only one third found their strategy sufficient, while two thirds either need to investigate how these new technology risks affect their security and their security strategy or need to modify the strategy accordingly.

[Figure: CISO Survey 2013 16 strat new risks.png]


Use of Application Security Management Systems (ASMS) and Maturity Models

We also noted that only a small portion of CISOs currently use an ASMS or a maturity model to assess their security status and to develop their security roadmap or strategy based on that assessment. In fact, only one in four is using or currently in the process of implementing an ASMS.

[Figure: CISO Survey 2013 16b ASMS or MM.png]

This is interesting, as some may argue that it is vital to understand your current position in order to formulate an adequate security strategy going forward. However, ASMS and maturity models come in many different shapes and sizes, and some of them require considerable effort just to complete this first assessment.

(On a personal note: I found the OWASP openSAMM a very fast and lightweight maturity model to get that first assessment with just a few hours on an afternoon with some of my CISO clients. And building on that you can develop your security roadmap very quickly. And you may notice that openSAMM is still used in only very few organizations, as you can see from the following graph.)

Frameworks and Security Management Systems used by organizations

Going beyond the maturity models, we also wanted to see which systems organizations use at the moment. The ISO 2700x standards are clearly the most common, used by nearly half of the organizations. Using a maturity model, however, still seems to be an exotic approach today, practiced by only a minority.

[Figure: CISO Survey 2013 17 frameworks.png]

Assessing the quality and effectiveness of application security

Although the use of external frameworks is relatively low, the vast majority (85%) of organizations perform assessments of their application security in one way or another, most of them through internal self-assessments by IT or application security functions.

[Figure: CISO Survey 2013 18 assessment.png]

Assessment of external partners, service providers and contractors

[Figure: CISO Survey 2013 19 external.png]

The CISO role: scope and areas of responsibility

Last but not least, we also took a closer look at the role and responsibilities of the CISO, which still seem to vary a great deal between organizations and across industries. We were therefore curious about the current extent of the surveyed CISOs' areas of responsibility, and especially about how far their domain stretches when it comes to application security related questions.

Interestingly, while CISOs find policies and metrics close to their desk, nearly one third of the CISOs consider secure development processes (SDLC) outside their area of responsibility, and nearly one fourth do not have security training and awareness in their area of responsibility. This might be due to delegation to other application stakeholders and/or to lower levels of functional management. It could also indicate a gap in aligning CISO responsibilities for application security with risk management, governance and compliance. It will be interesting to see whether the CISO role evolves further when the next iteration of the CISO survey revisits the CISO role and responsibilities in 2014.


CISO Functions & Responsibilities: areas of responsibility
Investigate and analyze suspected security incidents and data breaches and recommend corrective actions 89%
Develop and implement policies, standards and guidelines for application security 86%
Measure and monitor security and risks of web application assets within the organization 86%
Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited 83%
Network Security and perimeter defense 83%
Define, identify and assess the inherent security of critical web application assets, assess threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions 80%
Application security training and awareness for information security and software development teams 77%
Develop, articulate and implement risk management strategy for applications 77%
Application Vulnerability Management 71%
Develop and implement software security activities (e.g. S-SDLC) and security testing processes 63%
Develop, implement, manage and report on application security governance processes 60%
Procure new web application processes, services, technologies and testing tools for the organization 57%
Develop, articulate and implement continuity planning/disaster recovery for web applications 54%