A report released this week by Carnegie Mellon University's CyLab, illustrates the wide gap between boards of directors and those responsible for information security in the enterprise, in particular where board members who still aren't clear on the link between IT risk and a company's overall risk posture.
To get security news and tips delivered to your inbox,
CyLab's Governance of Enterprise Security report was based on data collected by the National Association of Corporate Directors for its 2008 Public Company Governance Survey. The survey was taken by 703 sitting directors of U.S. public companies, primarily audit, compensation and governance professionals.
The conclusions aren't encouraging for CISOs who are desperate to be heard by boards and senior management. Directors and officers still aren't devoting resources or attention to the business-critical implications of faulty information security processes. And with a recession in full swing, board members' attention is further diverted.
Panel: IT governance, risk and compliance program helps reduce expenses: Panelists at the Symantec Vision 2008 conference said a well implemented IT governance, risk and compliance (GRC) program boosts revenue and cuts costs.
Why you shouldn't wager the house on risk management models: Risk models can provide a way to communicate with management but don't fall into the trap of thinking that risk scores are a silver bullet for security.
A little more than a third of the respondents believe overall enterprise risk is a critical governance issue, well behind other issues such as board leadership, CEO relations, evaluation and succession plans, and board culture. Thirty-six percent of those surveyed said boards have a direct involvement in the oversight of information security, and of the 47% of respondents that have formalized enterprise risk management plans, only two-thirds include IT risks in those plans.
"That disconnect of risk management plans not including IT risk is eye-opening. [Boards] don't understand that the majority of their operations rely on technology," said report co-author Jody Westby, CEO of Global Cyber Risk LLC and an Adjunct Distinguished Fellow at CyLab. "They don't understand that if the Internet or communications goes down, or if there's a sustained attack, they're out of business."
Boards still labor under the thinking that security is primarily a technology issue and leave security issues to IT, the report concludes. Noteworthy findings include:
38% of the respondents said boards occasionally or rarely review privacy, security or risk management budgets (40% said they never do).
55% said boards occasionally or rarely approve roles and responsibilities for privacy officers (28% never do).
56% occasionally or rarely review top-level security and privacy policies (23% never do).
62% occasionally or rarely receive reports from senior management on risk (15% never do).
And those board members who are engaged with information security, apparently aren't focusing on important data protection initiatives, despite compliance mandates and the litany of state data breach notification laws. For example, respondents said boards are involved in oversight of annual privacy compliance reviews 19% of the time, security breach notification plans 21% of the time, and assessments of risks related to the handling/use of personally identifiable information or other protected data 31% of the time. More than half of the respondents said none of the above.
"Boards are still very reactive. The fact they don't review and understand roles and responsibilities is telling," Westby said. "They wouldn't dream of not having a CFO to protect financial assets; they don't understand the link between IT risk and overall enterprise risk."
Boards also fall short in separating risk from audit committees (only 8% of respondents said they did so), leading to segregation of duties conflicts. "When you've got a board overseeing risk and then the same board turning around and auditing it; isn't that what we had been telling the financial firms wasn't OK for years?" Westby said. "The same thing is going on here and it's a problem."
The report makes additional recommendations that include formally assigning privacy and security roles within an organization (59% of respondents said their companies did not have a CISO; 78% said they did not have a chief privacy officer). It also recommends the establishment of cross-organizational teams required to meet monthly on privacy and security issues; those teams should include senior management, human resources, legal and financial officers.
"We plan on making this an annual report and my hope is that the results get boards to listen more and hear more of what security is saying," Westby says.