SAN FRANCISCO -- A litany of high-profile data security breaches has done little to get corporate boards and senior-level executives to understand the security and privacy risks within the enterprise, according to the results of a new study.
The 2012 Carnegie Mellon CyLab Governance survey, which was conducted in 2008, 2010 and 2012, found some improvements, but noted severe gaps in the way corporate CEOs and other senior executives take responsibility for the organization’s security and privacy practices. The corporate security governance study, sponsored by RSA, the Security Division of EMC, surveyed the firms in the Forbes Global 2000 list. The results were released Monday night at RSA Conference 2012.
Less than one-third of the respondents are undertaking basic responsibilities for cybergovernance, according to the report. The study found that 70% of executives and their corporate board of directors rarely or never review security policies. About 74% of those surveyed indicated they fail to regularly review the roles and responsibilities of the lead personnel responsible for privacy and IT security.
“Boards and senior executives are not exercising good cybergovernance,” said Jody R. Westby, CEO of Global Cyber Risk and adjunct distinguished fellow at Carnegie Mellon University. “They’re not watching what’s going on with privacy and security in their organization.”
Budgets for IT security and privacy initiatives are also failing to be properly reviewed and approved, according to the study, with 64% of those surveyed indicating they occasionally, rarely or never oversee such a review. Nearly 60% of those surveyed indicated they fail to get regular reports about privacy and IT security risks.
Westby said the findings are consistent with complaints by CISOs/CSOs that they cannot get the attention of their senior management and boards and their budgets are inadequate. Computer and data security and IT operations ranked at the bottom of the issues being actively addressed and governed by corporate boards. The three areas that ranked lowest held the same position in the 2010 results: vendor management (13%), computer and data security (35%) and IT operations (29%).
Nearly half of those surveyed indicated their companies do not have personnel in key privacy and security roles. In addition, 58% said their boards of directors are not regularly reviewing the company’s insurance coverage for cyber-related risks.
Risk management activities increasing
Westby said there were signs of progress since the study began in 2008. In 2008, only 8% of respondents said their organization had a separate risk committee; in 2010, the percentage rose to 14%, and in 2012, it jumped to 46%. Risk management was also a top concern among boards of directors and senior leadership.
More enterprises are setting up teams of business leaders and IT professionals to talk about security and privacy issues. The number of committees has increased from a low of 17% in 2008 to about 70% in 2012. Westby said the sharp increase is a positive sign that enterprises are starting to think more seriously about their risk tolerance activities.
“Risk should not all be addressed by the CISO; it should be the business unit’s line management responsibility,” she said. “We find that if it falls directly on the CISO or privacy officer, the business just doesn’t care.”
Westby said senior leadership and the corporate board of directors are in a position to set the tone for the entire organization. Signs that senior leadership doesn’t see security and privacy as a priority trickle down to the business units and weaken IT security teams’ ability to properly ensure data security and maintain the integrity of the network.
Senior leadership must regularly review roles and responsibilities to ensure qualified, full-time senior-level professionals are in place to help guide security and privacy initiatives. In addition, IT budgets for privacy and security should be reviewed separately from the CIO’s budget. A regular external assessment of the company’s security controls should be conducted so weaknesses can be addressed, Westby said.
“Organizations with senior leadership that take security and privacy matters seriously have the opportunity to develop a culture among employees that security is essential,” she said. “That needs to be backed with strong leadership.”