
CISO Survey 2013: Threats and risks

Revision as of 21:21, 6 February 2014 by Tgondrom (talk | contribs)



1. Threats and risks

As with all good security strategies, we were first interested in the trends of potential sources of security threats to organizations and how CISOs are addressing them.

External threats are on the rise

More than 70% of CISOs noted that internal threats are staying at roughly the same level, while over 80% see external threats clearly on the rise. CISOs appear increasingly confident that their internal controls address internal security threats such as insiders stealing data or abusing systems. This may be due to a variety of reasons: better internal policies and controls, and tools that enforce these policies and protect against malicious agents within an organization. External threats, on the other hand, seem to be increasing dramatically. This might be due to a variety of reasons: an increase in awareness due to more disclosures about security breaches by external sources; the fact that the IT systems of organizations are more and more exposed to the Internet, and with that to external threat agents; an increased number of external malicious actors; and potentially an upgrade in the skills and weaponized attack tools of potential attackers.

[Image: CISO Survey 2013 1 external internal.png]

Application risks are advancing to center stage

When reviewing which areas pose the main risks for their organizations, CISOs were very clear that application security concerns are now taking center stage in their risk management. The CISOs see more than 50% of their security risks coming from application security. The remaining 13% of “Other” were attributed to a mix of factors, in many cases to people-centric risks and social engineering, but also to physical access controls and foreign states knocking on the door wanting critical data.

[Image: CISO Survey 2013 2 risk areas.png]

Furthermore, application security risks are increasing, while infrastructure issues are mostly stable.

[Image: CISO Survey 2013 3 risk trends.png]

New threats to web applications are negatively impacting organizations

Given the increase in application security risks, we also wondered about their effects and whether organizations are seeing negative impacts from new threats to web applications. The majority of CISOs clearly confirmed that these threats are having negative impacts on their companies. Deeper discussions found that there are new threats due to technologies ranging from social media and Web 2.0 to cloud technologies like Software-as-a-Service, and also that attacks have increased in volume and sophistication, forcing companies to upgrade their security posture to counter more sophisticated attacks like spear-phishing, APTs, exposure of customer data and fraud.

[Image: CISO Survey 2013 4 impacts.png]

Every fifth company experienced a security incident or data breach in the last 12 months

About one in five of the companies experienced one or more data breaches because of a web application security incident in the last 12 months. To some degree this can be seen as at odds with various other reports that have higher or lower percentages of security breaches. This may be due to different types of survey populations, e.g. more SMEs vs. large corporations, and may also be accounted for by varying interpretations of the definition of an application security incident. However, even the figure of one in five companies having an application security incident or breach represents a high risk, turning the focus of CISOs to application security risks.

[Image: CISO Survey 2013 5 breaches.png]

Further analyzing these trends, we also asked CISOs what they perceived as the top five sources of application security risks within their organizations. Interestingly, a lack of budget for security initiatives came in only in 4th place. The most pressing issue is the lack of awareness of application security issues within the organization, a notion we find across a variety of questions and also reflected in the priorities for CISOs going forward, as you will discover in the following sections.

Top 5 CISO Application Security Risks
  1. Lack of awareness of application security issues within the organization
  2. Insecure source code development
  3. Poor/inadequate testing methodologies
  4. Lack of budget to support application security initiatives
  5. Staffing (e.g., lack of security skills within team)