[Global_industry_committee] CISO survey 2013 questions - your feedback please

marco.m.morana at gmail.com marco.m.morana at gmail.com
Mon Oct 22 11:54:54 UTC 2012


I quickly read through the survey and it looks very comprehensive. In terms of alignment with the CISO guide, I think it is important to poll the CISOs along these three main questions:
1) Are new threats to web applications negatively impacting the organisation? If yes, how? Did their company experience a data breach because of a security incident involving one of the web applications that the company owns/manages? If yes, what was the root cause of the incident? Was there any exploit of web application vulnerabilities or gaps in security controls/countermeasures?
2) How do CISOs manage application security programs within their organisation? Which domains are managed, and how are they managed? Which metrics are being used? Examples of GRC programs for application security include vulnerability management, SSDLC 
3) Specific OWASP-related questions, such as projects that CISOs have used before or consider using? Also questions about attendance of the security team at local OWASP chapters 
4) General questions about knowing about the CISO guide: if they know it, ask if it is relevant and if there are topics that are missing that they would like the guide to cover. If they do not know it, ask if they would like to receive a copy by email as well as set up a meeting to discuss it.


Btw, the CISO guide has almost completed all sections; please feel free to provide me feedback as well so I can incorporate it.


Sent from my iPad

On 20 Oct 2012, at 18:13, Tobias <tobias.gondrom at owasp.org> wrote:

> Hello dear GIC fellows, 
> as discussed during our GIC call this week, I took the CISO Survey from last year and revised it a little bit. 
> https://www.owasp.org/index.php/Industry:GIC_CISO_Survey_2013
> Please take a good look and review and/or make modifications until Tuesday Oct-23. 
> It is in the Wiki, so you can edit easily. I will try to put whatever we have by then into a surveymonkey the following day, so we can use the AppSecUS to already hand-out a first set of links to the survey. 
> Maybe a couple of questions as food for thought: 
> - The survey feels relatively long. Are there questions we should remove? 
> - Are there questions we missed / should add? 
> - Regarding page-10 questions 13 and 14: Is it really important for us (and later the report readers) which tool categories are used or being planned to be used? I have the feeling that some may use none and some may use all, so I am not sure these two questions really add significant value. What do you think?
> Best regards and wish you a nice weekend, Tobias