Boards Losing Focus on Security
New Study Says Senior Leaders are Increasingly Distant from Security, Privacy
This is the message from the 2010 Governance of Enterprise Security study by Carnegie Mellon University's CyLab. This follow-up to a 2008 study shows that little progress has been made in how boards and executives oversee security of their networks and data.
"Board participation on key IT security governance activities is worse compared to 2008's survey," says report author Jody Westby, a CyLab distinguished fellow and CEO of Global Cyber Risk, a security risk advisory company. "Reviewing budgets and policies, receiving and reviewing regular reports, roles and responsibilities of key personnel -- all of the numbers are worse than 2008's survey."
Show of Numbers
Westby says a comparison of the level of board participation in key areas of IT security governance shows the following:
- Review/Approve Annual Budgets - Sixty-one percent of 2010's respondents say they never review budgets, compared to only 40 percent in the previous survey.
- Review/Approve Top-Level Policies - 2010's survey shows that 33 percent say they never do, compared with 23 percent previously.
- Review/Approve Roles & Responsibilities - 43 percent of respondents say they never take part in reviewing or approving the roles and responsibilities of IT security personnel, compared with only 28 percent last time.
One of the most alarming findings: 65 percent of respondents say their boards are not reviewing cybersecurity insurance at all. Most cyber incidents are not covered by general liability policies, which means "65 percent are walking blind in terms of knowing what they're going to be liable for in the event of a breach or a security incident," Westby says.
One positive from the study: Seventy-five percent of respondents say their boards see IT security expertise as important for a security/risk position in the company. "This is more than in the past, but there is still a long road to go before security and risk experience has a solid footing on most boards," Westby says.
This year's survey polled companies with revenues ranging from $1 billion to more than $10 billion. Seventeen percent of the respondents came from financial services.
Key Takeaways
The disconnect between companies and strong IT security governance is common and troubling, Westby says. "Management doesn't understand that their companies won't run without computers, and they take for granted that some person on their staff will take care of everything." Westby advises all companies to get some IT governance expertise on their board. "This is the only way boards will begin paying attention to this problem," she says. Companies don't need to hire an IT security geek, but rather, "they need someone with IT security experience who will help them with the governance points they need to pay attention to, to better understand what is happening on their networks."
As for companies that hire security consultants to drive risk management and governance efforts, Westby says, "They can hire all the outside experts they want, but they still need that IT security experience on their board. Otherwise they won't know what they're looking at when they read the security and risk committee reports."
Other key points from the survey:
- Risk Awareness - Although boards are focusing more on risk management, they need to better understand the risks associated with IT, especially privacy and security risks, and increase the attention paid to vendor management and cyber insurance coverage.
- More Oversight - Few boards have Risk Committees, and they tend to be overly reliant upon Audit Committees for both overseeing and auditing privacy and security.
- Security vs. Privacy - Many companies don't have executives in key roles for privacy and security, and few have functional separation of privacy and security responsibilities. Companies are beginning to understand that privacy and security are enterprise business issues and are establishing cross-organizational teams or groups to discuss and manage these issues.