August 22, 2008
To underscore the significance of governance in the effort to implement effective cyber security, Carnegie Mellon CyLab has conducted a survey of corporate board directors. It reveals a gap in board and senior executive oversight of the management of cyber risks.
The survey measures the degree of governance afforded by boards and senior management to the security of their organizations' information, software systems, and networks. Based upon data from 703 individuals (primarily independent directors) serving on U.S.-listed public company boards, only 36% of the respondents indicated that their board had any direct involvement with oversight of information security.
The survey respondents indicated that the vast majority of boards were not focusing on important activities that could help protect the organization from high-risk areas, such as reputational or financial losses flowing from breaches of personally identifiable information. Indeed, the survey shows that boards were only occasionally or rarely involved in activities related to best practices for governing privacy and security. For example, the survey indicates that:
Only 8% of respondents said their boards have a Risk Committee that is separate from the Audit Committee, and of this 8%, only half of them oversee privacy and security. "Audit Committees should not be responsible for establishing privacy and security programs and then also auditing them," notes Jody Westby, Adjunct Distinguished Fellow at Carnegie Mellon CyLab and lead author of the survey report. "This is an obvious segregation of duties issue at the board level."
Governance of cyber security and privacy is rapidly becoming one of the central issues in the field of risk management. Year after year, as cyber security breaches increase in frequency and seriousness, and financial cyber crimes, in particular, escalate in sophistication and brazenness, it has become glaringly apparent that hiring cyber security professionals and deploying cyber security technologies is simply not enough; a serious enterprise-wide commitment is required to cope with these evolving risks and threats, and such a sweeping mandate can only issue from the corporate board room.
The survey confirms the belief among IT security professionals and privacy advocates that boards and senior executives are not adequately involved in managing cyber risks. Managing cyber risk is not just a technical challenge; it is a managerial and strategic business challenge. Through our research into both the technical and management dimensions of cyber security, CyLab is committed to providing leadership on both fronts.
The CyLab report reveals that officers and senior management are not establishing key positions for privacy and security or appropriately assigning responsibilities. Without the right organizational structure and "tone at the top," enterprise security cannot be effective, no matter how much money you throw at it. It is not surprising that the number of security breaches has doubled in the past year, as documented by the Privacy Rights Clearinghouse: only 12% of the respondents have established functional separation of privacy, security, and information technology roles, and most companies don't have C-level executives responsible for these areas.
The CyLab report includes ten recommendations on corporate governance of privacy and security that are consistent with Federal Trade Commission security requirements for financial and personal data as well as those required by law for financial and medical data. The top five: