IT security risks dismissed by boards, survey finds

By Michael S. Mimoso, Editor, Information Security magazine
04 Dec 2008 | SearchSecurity.com


A report released this week by Carnegie Mellon University's CyLab illustrates the wide gap between boards of directors and those responsible for information security in the enterprise, in particular the fact that many board members still aren't clear on the link between IT risk and a company's overall risk posture.


CyLab's Governance of Enterprise Security report was based on data collected by the National Association of Corporate Directors for its 2008 Public Company Governance Survey. The survey was taken by 703 sitting directors of U.S. public companies, primarily audit, compensation and governance professionals.

The conclusions aren't encouraging for CISOs who are desperate to be heard by boards and senior management. Directors and officers still aren't devoting resources or attention to the business-critical implications of faulty information security processes. And with a recession in full swing, board members' attention is further diverted.


A little more than a third of the respondents believe overall enterprise risk is a critical governance issue, well behind other issues such as board leadership, CEO relations, evaluation and succession plans, and board culture. Thirty-six percent of those surveyed said boards have a direct involvement in the oversight of information security, and of the 47% of respondents that have formalized enterprise risk management plans, only two-thirds include IT risks in those plans.

"That disconnect of risk management plans not including IT risk is eye-opening. [Boards] don't understand that the majority of their operations rely on technology," said report co-author Jody Westby, CEO of Global Cyber Risk LLC and an Adjunct Distinguished Fellow at CyLab. "They don't understand that if the Internet or communications goes down, or if there's a sustained attack, they're out of business."

Boards still labor under the thinking that security is primarily a technology issue and leave security issues to IT, the report concludes. Noteworthy findings include:

  • 38% of the respondents said boards occasionally or rarely review privacy, security or risk management budgets (40% said they never do).
  • 55% said boards occasionally or rarely approve roles and responsibilities for privacy officers (28% never do).
  • 56% occasionally or rarely review top-level security and privacy policies (23% never do).
  • 62% occasionally or rarely receive reports from senior management on risk (15% never do).
  • And those board members who are engaged with information security apparently aren't focusing on important data protection initiatives, despite compliance mandates and the litany of state data breach notification laws. For example, respondents said boards are involved in oversight of annual privacy compliance reviews 19% of the time, security breach notification plans 21% of the time, and assessments of risks related to the handling/use of personally identifiable information or other protected data 31% of the time. More than half of the respondents said none of the above.

"Boards are still very reactive. The fact they don't review and understand roles and responsibilities is telling," Westby said. "They wouldn't dream of not having a CFO to protect financial assets; they don't understand the link between IT risk and overall enterprise risk."


Boards also fall short in separating risk from audit committees (only 8% of respondents said they did so), leading to segregation of duties conflicts. "When you've got a board overseeing risk and then the same board turning around and auditing it; isn't that what we had been telling the financial firms wasn't OK for years?" Westby said. "The same thing is going on here and it's a problem."

The report makes additional recommendations that include formally assigning privacy and security roles within an organization (59% of respondents said their companies did not have a CISO; 78% said they did not have a chief privacy officer). It also recommends the establishment of cross-organizational teams required to meet monthly on privacy and security issues; those teams should include senior management, human resources, legal and financial officers.

"We plan on making this an annual report and my hope is that the results get boards to listen more and hear more of what security is saying," Westby says.
