CISO Survey 2013: Introduction

Revision as of 18:40, 22 February 2014 by Tgondrom (talk | contribs) (added information about number of survey participants.)

Over the past few years, application security risks and threats have been on the rise. In response, OWASP started the CISO Survey project to gather intelligence for CISOs and senior managers so that they can improve their security strategies, assess their priorities and learn from their peers what works best for protecting web and application security in organizations across a range of industries. This first data set was collected from more than a hundred senior information security managers around the world, but it is still too small to be broken down into country- or industry-specific findings. That said, on an anecdotal level many of the findings appear to be consistent across a multitude of industries. In 2014, OWASP will significantly improve the breadth and depth of the CISO Survey and conduct it with a much wider audience around the globe. A number of findings support common assumptions, while others clearly show where assumed general expectations have been oversimplified. The report provides insight into which risks and threats are on the rise, which challenges are most pressing for CISOs and their organizations, and which techniques are particularly useful for countering application security risks.

Survey methodology and data collection

The survey questionnaire consists of 26 comprehensive questions, across four domain areas:

  • Investments and challenges,
  • Threats and risks,
  • Tools and technology,
  • Governance and control.

The surveyed population mostly consists of:

  • Chief Information Security Officers (CISOs)
  • Senior security management

The surveyed CISOs were invited through a number of CISO events, with a large portion of participants coming from outside the usual OWASP community. This was intended to minimize any OWASP-specific bias, although some small bias may remain, as it is an OWASP project after all. More than a hundred CISOs and senior security managers worldwide participated in this comprehensive survey.


This report helps CISOs manage application security risks by considering the exposure arising from emerging threats and compliance requirements. In particular, it aims to:

  • Make application security visible to CISOs and help them make informed decisions on priorities and application security programs
  • Provide strategic intelligence on which security risks have the highest priority across organizations
  • Provide tactical intelligence on best practices and free projects that CISOs can leverage to improve their security programs.

Register to receive future updates and invitations for OWASP CISO projects

If you would like to receive information about future releases of the OWASP CISO Survey and related CISO projects, you can register your email address here:

Your contact details will be kept strictly confidential and used only to send you updates about new releases of OWASP CISO projects and invitations to participate in the CISO Survey. You can, of course, unsubscribe from this service at any time.