CISO Survey 2013: Executive Summary
People often ask us which results of the CISO survey report, we as a fellow CISO would find particularly interesting and useful. There are many good insights and learning points from this report. And the benefits of it will depend a lot on your own organization’s maturity and security status. For some the overall strategic picture of application security risks and threats is useful to set their security priorities and strategies for next year, for others the list of best practices and recommendations from other CISO peers is particularly useful and others find most valuable to understand which best practices and tools work best for their peers.
Some of the things we personally found interesting were:
- Application security risks are clearly on the rise, in absolute numbers and also relative to infrastructure security risks.
- Risks from external threats are clearly increasing for organizations.
- Security awareness and training is the biggest challenge and most important priority for CISOs going forward into 2014 (more critical than tools, testing or budget).
- As we hear from a number of CISOs about difficulties acquiring an adequate budget, it appears that having a 2-year security strategy improves your chances for getting or increasing your security budget/investments.
- Only about one fourth of organizations currently have some form of application security management system or maturity model - which is pretty low in my humble opinion. But now the good news: over 40% are looking at this for the coming 12 months. So there might be a lot of activity in this area in the near future, and I hope openSAMM (Open Software Assurance Maturity Model), one of our OWASP projects can help executives with that.
Beyond these points, you will find this report contains many more interesting facts and findings and I hope that you will find many of them interesting and helpful for your daily work as a CISO, giving you the right data for defining your security strategies and priorities for the future. We are confident that like 2013, the coming year 2014 will be an interesting year with many challenges in web and application security and hope that we as OWASP can provide you and your organizations with good intelligence and help you with many of our free documentation and tools to manage your security programs better and overall improve application security around the world.