Carnegie Mellon CyLab recently conducted a survey on how boards of directors and senior management govern the security of their organizations’ information, applications and digital assets. The survey was based on responses from 108 board members and senior executives at Forbes Global 200 companies. The Governance of Enterprise Security 2012 Report revealed that boards are not actively addressing cyber security risk management: although they say risk management is a high priority, they still fail to understand the connection between information technology risks and enterprise risk management.
The report also includes detailed comparisons between industry sectors and geographical regions in how security risks are managed. Here are some key findings that caught my attention:
- 48% of boards have Risk Committees responsible for privacy and security risks
- 72% of companies have established cross-organizational teams to manage privacy and security risks
- Fewer than two thirds of companies have full-time employees in key privacy and security roles, as internationally accepted best practices and standards call for
- 82% of companies don’t have a Chief Privacy Officer (CPO)
- 47% of Chief Security Officers (CSOs) are assigned responsibility for both privacy and security and tend to report to the Chief Information Officer (CIO), creating segregation of duties issues that run against best practices
- 89% of boards analyze and evaluate risk but less than 50% hire outside consultants to assist with information risk management
- Only 16% of board Risk Committees and 16% of IT Committees hire outside experts
- 91% of respondents claim that risk management is actively addressed by the board
- The issues that receive the least attention from the board are IT operations (29%), computer and information security (33%) and vendor management (13%)
- IT expertise was considered very important by 42% of board members
- 64% of respondents stated that risk and security expertise is very important, while 42% consider it important
The good news from this survey is that boards have started to place increasing importance on IT, security and risk expertise when recruiting board members. The bad news is that they are still not undertaking key oversight activities related to cyber risks, such as regularly reviewing breaches and IT risks. Involvement in these areas would help them manage their companies’ reputational and financial risks.