Boards Losing Focus on Security

New Study Says Senior Leaders are Increasingly Distant from Security, Privacy
Corporate boards and senior executives are too far removed from their organizations' security and privacy decisions - and the distance is growing.

This is the message from the 2010 Governance of Enterprise Security study by Carnegie Mellon University's CyLab. This follow-up to a 2008 study shows that little progress has been made in how boards and executives oversee security of their networks and data.

"Board participation on key IT security governance activities is worse compared to 2008's survey," says report author Jody Westby, a CyLab distinguished fellow and CEO of Global Cyber Risk, a security risk advisory company. "Reviewing budgets and policies, receiving and reviewing regular reports, roles and responsibilities of key personnel -- all of the numbers are worse than 2008's survey."

Show of Numbers

Westby says a comparison of the level of board participation in key areas of IT security governance shows the facts:

  • Review/Approve Annual Budgets - Sixty-one percent of 2010's respondents say they never review budgets, compared to only 40 percent in the previous survey.
  • Review/Approve Top-Level Policies - 2010's survey shows that 33 percent say they never do, compared with 23 percent previously.
  • Review/Approve Roles & Responsibilities - 43 percent of respondents say they never take part in reviewing or approving the roles and responsibilities of IT security personnel, compared with only 28 percent last time.

One of the most alarming findings: 65 percent of respondents say their boards are not reviewing cybersecurity insurance at all. Most cyber incidents are not covered by general liability policies, which means "65 percent are walking blind in terms of knowing what they're going to be liable for in the event of a breach or a security incident," Westby says.

One positive from the study: Seventy-five percent of respondents say their boards see IT security expertise as important for a security/risk position in the company. "This is more than in the past, but there is still a long road to go before security and risk experience has a solid footing on most boards," Westby says.

This year's survey polled companies with revenues ranging from $1 billion to more than $10 billion. Seventeen percent of the respondents came from financial services.

Key Takeaways

The disconnect between companies and strong IT security governance is common and troubling, Westby says. "Management doesn't understand that their companies won't run without computers, and they take for granted that some person on their staff will take care of everything."

Westby advises all companies to get some IT governance expertise on their board. "This is the only way boards will begin paying attention to this problem," she says. Companies don't need to hire an IT security geek, but rather "they need someone with IT security experience who will help them with the governance points they need to pay attention to better understand what is happening on their networks."

As for companies that hire security consultants to drive risk management and governance efforts, Westby says, "They can hire all the outside experts they want, but they still need that IT security experience on their board. Otherwise they won't know what they're looking at when they read the security and risk committee reports."

Other key points from the survey:

  • Risk Awareness - Although boards are focusing more on risk management, they need to better understand the risks associated with IT, especially privacy and security risks, and increase the attention paid to vendor management and cyber insurance coverage.
  • More Oversight - Few boards have Risk Committees and tend to be overly reliant upon Audit Committees for both overseeing and auditing privacy and security.
  • Security vs. Privacy - Many companies don't have executives in key roles for privacy and security, and few have functional separation of privacy and security responsibilities. Companies are beginning to understand that privacy and security are enterprise business issues and are establishing cross-organizational teams or groups to discuss and manage these issues.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.