CISO strategies are commonly built for two year plans.
Speaking at the AppSec conference in Cambridge, Tobias Gondrom, OWASP Global Board Member and project lead for OWASP, featured highlights from the 2013 OWASP CISO survey report which found that there was more investment in application security than infrastructure.
Gondrom said that 38 per cent of the 100 CISOs surveyed invested in infrastructure, compared to 47 per cent who invested in application security. He said it could be concluded that “investment is the answer to the threat”, in terms of where you put your money and what you talk about. “The top result was training, and this was a clear number one for spending, then it was software development and testing, then management.”
He said that, in his view, strategies are commonly planned two years into the future (according to 27.8 per cent) as “we have no idea where the world will be in five years in terms of technology”. He also claimed that even in cases where there has been a security breach there is no real change, and while it is believed that businesses usually invest more after an incident, there was no significant statistical evidence for that.
He said: “However, there is a small benefit if there is a two year strategy, as you can increase the security investment. My hypothesis is that a CISO cannot move much, and cannot put money in in the first year, but can in year two, so they are planning it for next year. If you go into the budget negotiation, you can come in with an advantageous position on the budget decision. We see a correlation.”
The survey also found that 75 per cent of respondents were not using a maturity model or benchmark themselves and were not looking in a structured way at where they are, but he said that there was a “glimmer of hope on the horizon”, with 40 per cent considering doing so in the next 12 months.
For the future, Gondrom said that the identified top four challenges were, in order: the availability of skilled resources; the level of security awareness among developers; management awareness and sponsorship; and adequate budget, of which he said: “We need to teach people more about.”