Cylab News
CyLab Survey Reveals Gap in Board Governance of Cyber Security
posted by Richard Power
August 22, 2008
"To underscore the significance of governance in the effort to implement effective cyber security, Carnegie Mellon CyLab has a conducted a survey of corporate board directors. It reveals a gap in board and senior executive oversight over the managing of cyber risks."
To underscore the significance of governance in the effort to implement effective cyber security, Carnegie Mellon CyLab has a conducted a survey of corporate board directors. It reveals a gap in board and senior executive oversight over the managing of cyber risks.
The survey measures the degree of governance afforded by boards and
senior management to the security of their organizations’ information,
software systems, and networks. Based upon data from 703 individuals
(primarily independent directors) serving on U.S-listed
public company boards, only 36% of the respondents indicated that their board had any direct
involvement with oversight of information security.
The survey respondents indicated that the vast majority of boards were not focusing on important activities that could help protect the organization from high-risk areas, such as reputational or financial losses flowing from breaches of personally identifiable information. Indeed, the survey shows that boards were only occasionally or rarely involved in activities related to best practices for governing privacy and security. For example, the survey indicates that:
- Boards were only involved in: privacy compliance reviews 19% of the time, in assessments of risk related to IT or personal data only 31% of the time; and security breach notification plans 21% of the time.
- 56% or respondents said they only occasionally or rarely reviewed and approved top-level policies regarding privacy and security risks; an additional 23% said they never did.
- 62% of respondents said they only occasionally or rarely received reports from senior management regarding privacy and security risks; an additional 15% said they never got such reports.
Only 8% of respondents said their boards have a Risk Committee that is separate from the Audit Committee, and of this 8%, only half of them oversee privacy and security. “Audit Committees should not be responsible for establishing privacy and security programs and then also auditing them,” notes Jody Westby, Adjunct Distinguished Fellow at Carnegie Mellon CyLab and lead author of the survey report. “This is an obvious segregation of duties issue at the board level.”
Governance of cyber security and privacy is rapidly becoming one of the central issues in the field of risk management. Year after year, as cyber security breaches increase in frequency and seriousness, and financial cyber crimes, in particular, escalate in sophistication and brazenness, it has become glaringly apparent that hiring cyber security professionals and deploying cyber security technologies is simply not enough; a serious enterprise-wide commitment is required to cope with these evolving risks and threats, and such a sweeping mandate can only issue from the corporate board room.
The survey confirms the belief among IT security professionals and privacy advocates that boards and senior executives are not adequately involved in managing cyber risks. Managing cyber risk is not just a technical challenge; it is a managerial and strategic business challenge. Through our research into both the technical and management dimensions of cyber security, CyLab is committed to providing leadership on both fronts.
The CyLab report reveals that officers and senior management are not establishing key positions for privacy and security or appropriately assigning responsibilities. Without the right organizational structure and ‘tone at the top,’ enterprise security cannot be effective, no matter how much money you throw at it. It is not surprising that the number of security breaches has doubled in the past year, as documented by the Privacy Rights Clearinghouse: only 12% of the respondents have established functional separation of privacy, security, and information technology roles, and most companies don’t have C-level executives responsible for these areas.
The CyLab report includes ten recommendations on corporate governance of privacy and security that are consistent with Federal Trade Commission security requirements for financial and personal data as well as those required by law for financial and medical data. The top five:
- Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks.
- Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned.
- Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include the senior management from human resources, public relations, legal, the chief financial officer (“CFO”), the chief information officer (“CIO”), CISO/CSO (or CRO), CPO, and business line executives.
- Develop or review existing top-level policies to create a culture of security and respect for privacy.
- Review the organization’s security program and ensure that it comports with best practices and standards and address identified gaps or weaknesses.