[Global_industry_committee] CISO survey 2013 questions - your feedback please
tobias.gondrom at owasp.org
Thu Nov 8 03:23:13 UTC 2012
Thank you so much for your feedback.
Made changes accordingly and comments inline.
Best regards, Tobias
On 22/10/12 07:54, marco.m.morana at gmail.com wrote:
> I quickly read through the survey and it looks very comprehensive. In
> terms of alignment with the CISO guide, I think it is important to poll
> the CISOs along these three main questions:
> 1) Are new threats to web applications negatively impacting the
> organisation? If yes, how? Did their company experience a data breach
> because of a security incident involving one of the web applications
> that the company owns/manages? If yes, what was the root cause of the
> incident? Was there any exploit of web application vulnerabilities or
> gaps in security controls/countermeasures?
Added to page 5.
> 2) How do CISOs manage application security programs within their
> organisation? Which domains are managed and how are they managed? Which
> metrics are being used? Examples of GRC programs for application
> security include vulnerability management and SSDLC.
Added, combined with Colin's feedback, to page 11 / replaced page 11 with that.
> 3) Specific OWASP-related questions, such as projects that CISOs have
> used before or consider using? Also questions about attendance of the
> security team at local OWASP chapters.
Added something to page 9.
> 4) General questions about knowing about the CISO guide: if they know
> it, ask if it is relevant and if there are topics that are missing that
> they would like the guide to cover. If they do not know it, ask if they
> would like to receive a copy by email as well as set up a meeting to
> discuss it.
Added to page 19.
(did not add the send copy as not needed because we will refer to the
CISO guide in the report of the survey.)
> Btw, the CISO guide has almost all sections completed; please feel free
> to provide me feedback as well so I can incorporate it.
> Sent from my iPad
> On 20 Oct 2012, at 18:13, Tobias <tobias.gondrom at owasp.org> wrote:
>> Hello dear GIC fellows,
>> as discussed during our GIC call this week, I took the CISO Survey
>> from last year and revised it a little bit.
>> Please take a good look and review and/or make modifications until
>> Tuesday Oct-23.
>> It is in the Wiki, so you can edit it easily. I will try to put whatever
>> we have by then into a SurveyMonkey the following day, so we can use
>> AppSecUS to already hand out a first set of links to the survey.
>> Maybe a couple of questions as food for thought:
>> - the survey feels relatively long? Are there questions we should
>> - Are there questions we missed / should add?
>> - Regarding page 10, questions 13 and 14: Is it really important for us
>> (and later the report readers) which tool categories are used or are
>> planned to be used? I have the feeling that some may use none
>> and some may use all, so I am not sure these two questions really add
>> significant value. What do you think?
>> Best regards and wish you a nice weekend, Tobias