Execs Unaware of Security Risks

Thursday, March 1, 2012 @ 01:03 PM gHale

Stuxnet, Duqu, Night Dragon. Those are just a few of the attacks hitting the industry over the past few years, yet despite these and other high-profile security breaches, corporate boards and senior-level executives have yet to fully grasp the security and privacy risks within the enterprise, a new study said.

While there have been some improvements, there are severe gaps in the way corporate chief executives and other senior executives take responsibility for the organization’s security and privacy practices, according to the 2012 Carnegie Mellon CyLab Governance survey, the third in a series CyLab has conducted in 2008, 2010 and 2012.

The study, sponsored by RSA, the Security Division of EMC, surveyed the firms in the Forbes Global 2000 list. RSA released the results Monday at the RSA Conference 2012.

Fewer than one-third of the respondents are undertaking basic responsibilities for cybergovernance, according to the report. The study found 70% of executives and their corporate boards of directors rarely or never review security policies. About 74% of those surveyed indicated they fail to regularly review the roles and responsibilities of the lead personnel responsible for privacy and IT security.

“Boards and senior executives are not exercising good cybergovernance,” said Jody R. Westby, chief executive of Global Cyber Risk and adjunct distinguished fellow at Carnegie Mellon University. “They’re not watching what’s going on with privacy and security in their organization.”

Budgets for IT security and privacy initiatives do not undergo a proper review and approval, according to the study, with 64% of those surveyed indicating they occasionally, rarely or never oversee such a review. Nearly 60% of those surveyed said they fail to get regular reports about privacy and IT security risks.

Westby said the findings are consistent with complaints by CISOs/CSOs that they cannot get the attention of their senior management and boards, and that their budgets are inadequate. Computer and data security and IT operations ranked at the bottom of the issues being actively addressed and governed by corporate boards. The three areas that ranked lowest held the same positions in the 2010 results: vendor management (13%), IT operations (29%) and computer and data security (35%).

Nearly half of those surveyed indicated their companies do not have personnel in key privacy and security roles. In addition, 58% said their boards of directors are not regularly reviewing the company’s insurance coverage for cyber-related risks.

Westby said there were signs of progress since the study began in 2008. In 2008, only 8% of respondents said their organization had a separate risk committee; in 2010, the percentage rose to 14%, and in 2012, it jumped to 46%. Risk management was also a top concern among boards of directors and senior leadership.

More enterprises are setting up teams of business leaders and IT professionals to talk about security and privacy issues. The share of respondents reporting such a committee has risen from a low of 17% in 2008 to about 70% in 2012. Westby said the sharp increase is a positive sign that enterprises are starting to think more seriously about their risk tolerance.

“Risk should not all be addressed by the CISO; it should be the business unit’s line management responsibility,” she said. “We find that if it falls directly on the CISO or privacy officer, the business just doesn’t care.”

Westby said senior leadership and the corporate board of directors are in a position to set the tone for the entire organization. Signs that senior leaders do not see security and privacy as a priority trickle down to the business units and weaken the IT security team’s ability to properly ensure data security and maintain the integrity of the network.

Senior leadership must regularly review roles and responsibilities to ensure qualified, full-time senior-level professionals are in place to help guide security and privacy initiatives. In addition, IT budgets for privacy and security should undergo review separate from the CIO’s budget. A regular external assessment of the company’s security controls should take place so the company can address weaknesses, Westby said.

“Organizations with senior leadership that take security and privacy matters seriously have the opportunity to develop a culture among employees that security is essential,” she said. “That needs to be backed with strong leadership.”