[Global_industry_committee] CISO survey 2013 questions - your feedback please

Marco Morana marco.m.morana at gmail.com
Thu Nov 8 09:05:02 UTC 2012


Can we add the following question (so we make it 20 :)? This is
important to tailor the guide content to the areas where CISOs are
mostly focused:

CISO Functions & Responsibilities: Which of these functions are within
your area of responsibility?
1. Develop, articulate and implement risk management strategy for applications
2. Develop and implement policies, standards and guidelines for application security
3. Develop, implement, manage and report on application security governance processes
4. Develop and implement software security activities (e.g. S-SDLC) and security testing processes
5. Work with executive management, business managers and internal audit and legal counsel to define application security requirements that can be verified and audited
6. Measure and monitor security and risks of web application assets within the organization
7. Application Vulnerability Management
8. Network Security and perimeter defense
9. Define, identify and assess the inherent security of critical web application assets, assess threats, vulnerabilities, business impacts and recommend countermeasures/corrective actions
10. Procure new web application processes, services, technologies and testing tools for the organization
11. Application security training and awareness for information security and software development teams
12. Develop, articulate and implement continuity planning/disaster recovery for web applications
13. Investigate and analyze suspected security incidents and data breaches and recommend corrective actions



On Sat, Oct 20, 2012 at 4:55 PM, Tobias <tobias.gondrom at owasp.org> wrote:
> Hello dear GIC fellows,
> as discussed during our GIC call this week, I took the CISO Survey from last
> year and revised it a little bit.
> https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013
> Please take a good look and review and/or make modifications until Tuesday
> Oct-23.
> It is in the Wiki, so you can edit easily. I will try to put whatever we
> have by then into a surveymonkey the following day, so we can use the
> AppSecUS to already hand out a first set of links to the survey.
> Maybe a couple of questions as food for thought:
> - the survey feels relatively long? Are there questions we should remove?
> - Are there questions we missed / should add?
> - regarding page-10 questions 13 and 14: Is it really important for us (and
> later the report readers) which tool categories are used or being planned to
> be used? I have the feeling that some may use none and some may use all, so
> I am not sure these two questions really add significant value. What do you
> think?
> Best regards and wish you a nice weekend, Tobias
