[Global_industry_committee] CISO survey 2013 questions - your feedback please

Tobias tobias.gondrom at owasp.org
Thu Nov 8 03:23:13 UTC 2012

Thank you so much for your feedback.
Made changes accordingly and comments inline.

Best regards, Tobias

On 22/10/12 07:54, marco.m.morana at gmail.com wrote:
> Tobias,
> I quickly read through the survey and it looks very comprehensive. In 
> terms of alignment with the CISO guide, I think it is important to poll 
> the CISOs along these three main questions:
> 1) Are new threats to web applications negatively impacting the 
> organisation? If yes, how? Did their company experience a data breach 
> because of a security incident involving one of the web applications 
> that the company owns/manages? If yes, what was the root cause of the 
> incident? Was there any exploit of web application vulnerabilities or 
> gaps in security controls/countermeasures?
Added to page 5.
> 2) How do CISOs manage application security programs within their 
> organisation? Which domains are managed and how are they managed? Which 
> metrics are being used? Examples of GRC programs for application 
> security include vulnerability management and SSDLC.
Added, combined with Colin's feedback, to page 11 / replaced page 11 with that.

> 3) Specific OWASP-related questions such as projects that CISOs have 
> used before or consider using? Also questions about attendance of the 
> security team at local OWASP chapters.
Added something to page 9.

> 4) General questions about knowing about the CISO guide: if they know 
> it, ask if it is relevant and if there are topics that are missing that 
> they would like the guide to cover. If they do not know it, ask if they 
> would like to receive a copy by email as well as set up a meeting to 
> discuss it.

Added to page 19.
(Did not add the "send a copy" item, as it is not needed: we will refer to the 
CISO guide in the report of the survey.)

> All
> Btw, the CISO guide has almost all sections completed; please feel free 
> to provide me feedback as well so I can incorporate it.
> Thanks
> Marco
> Sent from my iPad
> On 20 Oct 2012, at 18:13, Tobias <tobias.gondrom at owasp.org> wrote:
>> Hello dear GIC fellows,
>> as discussed during our GIC call this week, I took the CISO Survey 
>> from last year and revised it a little bit.
>> https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013
>> Please take a good look and review and/or make modifications until 
>> Tuesday Oct-23.
>> It is in the Wiki, so you can edit easily. I will try to put whatever 
>> we have by then into a surveymonkey the following day, so we can use 
>> the AppSecUS to already hand-out a first set of links to the survey.
>> Maybe a couple of questions as food for thought:
>> - The survey feels relatively long. Are there questions we should 
>> remove?
>> - Are there questions we missed / should add?
>> - Regarding page-10 questions 13 and 14: is it really important for us 
>> (and later the report readers) which tool categories are used or 
>> being planned to be used? I have the feeling that some may use none 
>> and some may use all, so I am not sure these two questions really add 
>> significant value. What do you think?
>> Best regards and wish you a nice weekend, Tobias
