Boards Weak On Security, But Improving

Thursday, July 8, 2010 @ 04:07 PM gHale


A majority of Fortune 1000 companies are failing to adequately assess and manage the risks information security and privacy issues pose to their business, with more than half of them lacking a full-time chief information security officer, while 38% have a chief security officer, and 20% have a chief privacy officer.
Those findings come from “Governance of Enterprise Security,” a study by Carnegie Mellon University’s CyLab. The report is the result of a survey of 66 board directors or senior executives who work at Fortune 1000 companies. Nearly half of respondents work at critical infrastructure companies. CyLab conducted a similar survey in 2008.


“The survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data,” said Jody Westby, chief executive of Global Cyber Risk and a distinguished fellow at CyLab and author of the report.
For starters, no respondent identified one of their board’s top-three priorities as involving computer or data security, and only 2% said their board actively addressed IT operations and vendor management. Furthermore, 65% of boards failed to review their business’s insurance coverage for any cyber-related risks.
The report is not all gloom and doom as it did find some improvements.
The number of organizations with a risk committee that’s separate from an audit committee rose from 8% in 2008 to 14% in 2010. Even so, only about two-thirds of those risk committees oversee their company’s privacy and security practices.
Failing to have a proper risk management program, and instead simply using audit committees to manage IT risks and security programs, can create a number of “segregation of duties issues,” Westby said.
Organizations, however, are getting better at recruiting board-level members who bring security smarts to the table.
“Another positive sign from the survey was the importance that boards are placing upon IT security and risk expertise in board recruitment,” according to the report. Three-quarters of respondents rated IT experience as at least “somewhat important” when recruiting new directors, while 86% said the same for risk management or security expertise.
The report also found 65% of organizations now have a cross-functional team for managing security and privacy, compared with only 17% of organizations in 2008.



Leave a Reply

You must be logged in to post a comment.