Carnegie Mellon CyLab today revealed the advance findings of its third study on how boards and senior executives govern the privacy and security of their organisations’ digital networks, systems and data, and the results were not favourable to them.
The ‘Governance of Enterprise Security: CyLab 2012 Report’ was sponsored by RSA and partly revealed on the first day of the RSA Conference 2012 in San Francisco. Drawing its respondents from the Forbes Global 2000 list, the survey is the first analysis of the cyber governance postures of major corporations around the world.
The results show that cyber attacks have moved to a new level, that corporate data is at higher risk of theft or misuse than ever before, and that the systemic nature of recent attacks has alarmed both industry leaders and government officials globally.
More issues now require active oversight by boards and senior executives, because laws and regulations that impose specific privacy and cyber security obligations on companies have widened the range of digital assets that must be governed. For example, the Securities & Exchange Commission recently issued guidance requiring public companies to disclose the risk of cyber incidents where those incidents would materially affect a registrant’s products, services, or relationships with customers or suppliers, or would make an investment in the company speculative or risky.
The most notable advance finding of the survey is that boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets. Fewer than one-third of respondents said their boards undertake the basic responsibilities of cyber governance.
The survey discovered that over two-thirds of organisations are not doing enough for IT security. 70% of respondents said the board of their organisations reviews and approves top-level policies on privacy and IT security risks only occasionally, rarely or never. 74% said the same on reviewing and approving roles and responsibilities of lead personnel responsible for privacy and IT security, and 64% on annual budgets for privacy and IT security programs. 59% said they either only occasionally, rarely or never receive reports from senior management regarding privacy and IT security risks.
The survey also found vendor management (13%), computer and data security (35%) and IT operations (29%) to be among the issues least often actively addressed and governed by boards. Furthermore, 59% of respondents said their board did not review the organisation’s insurance coverage for cyber-related risks.
Sub editor Ben Rossi is reporting live from the RSA Conference 2012 in San Francisco. For live tweets from the event, follow @ComputerNewsME and #RSAC.