Top Executives in Critical Infrastructure Cite Need for Improvement in Managing Cyber Risks
May 16, 2012
Contact: Chriss Swaney
Carnegie Mellon University
- RSA, The Security Division of EMC alongside Carnegie Mellon CyLab highlight Carnegie Mellon CyLab's new 2012 Governance Report, the first global analysis of how boards and senior executives are managing cyber risks by geographical region and industry sector.
- The report reveals the complexities associated with governing privacy and security risks, with survey data revealing a gap in board-level understanding of the linkage between IT risks and enterprise risk management.
- The report offers 12 recommendations to help improve the governance of enterprise security.
- The findings confirm the belief among security experts that,
overall, the financial sector is better following security best practices
versus the energy/utilities, IT/telecom, and industrials sectors. All sectors, however, are not undertaking
critical governance activities such as reviewing cyber insurance coverage,
assigning key privacy and security responsibilities and receiving regular
reports on cyber risks and incidents.
- Results indicate that North American boards are lagging behind Asian and European boards in undertaking key activities associated with best practices for privacy and security governance.
The Carnegie Mellon Governance of Enterprise Security: CyLab 2012 Report is the first survey to examine how corporate boards and executives are managing cyber risks across geographical regions and by various industry sectors. Sponsored by RSA, The Security Division of EMC, this is the third report conducted by CyLab Adjunct Distinguished Fellow, Jody Westby. The report examines responses to a survey of senior executives and corporate board members from the Forbes Global 2000 list. The report reveals that corporate boards and executives are taking risk management seriously but there is still a gap in understanding the link between information technology (IT) risks and enterprise risk management. This gap indicates that boards have a lack of understanding of how all business operations are supported by computer systems and digital data and how risks in these areas can undermine operations. Less than two-thirds of the respondents' organizations have full-time personnel in key roles for privacy and security (CISO/CSO, CPO, CRO) in a manner that is consistent with internationally accepted best practices and standards. The degree to which these roles are filled varies by industry and region.
Survey results in the report confirms the belief among security experts that, overall, the financial sector has better security and governance practices than other industry sectors. The financial sector shows the greatest degree of board attention to critical issues related to cyber risk management, while the energy/utilities and industrials sectors reveal a lack of board attention to critical issues such as vendor management, computer and information security and IT operations. The energy/utilities respondents also rank next to last in establishing necessary segregation of duties between board Risk Committees and Audit Committees.
More than half, 57 percent, of respondents are not analyzing the adequacy of cyber insurance coverage or undertaking key activities related to cyber-risk management to help them manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches. Although boards across geographical regions are consistent in not reviewing cyber-insurance coverage, a very high percentage of respondents from critical-infrastructure sectors, such as the energy/utilities and IT/telecom sectors, indicate that close to 80 percent of their boards of directors do not review insurance for cyber-related risks.
Although Europe leads globally in privacy regulations and enforcement, only 3 percent of the respondents indicate that their organizations have CPOs. The U.S. generally believes it is the global leader in security, but the survey results indicate that North American boards lag behind European and Asian boards in undertaking key activities associated with privacy and security governance such as regular reviews involving annual budgets, roles and responsibilities, and top-level policies.
- Respondents across all industry sectors are not assigning key privacy and security responsibilities to defined executive roles, such as CISO/CSO, CPO, or CSO, with reporting lines that avoid segregation of duties issues.
- A much higher percentage of energy/utilities (79%) and IT/telecom (77%) boards are not reviewing cyber-insurance coverage than financial-sector boards (52%) and industrials sector (44%) boards
- Asian boards (76%) are much more likely to have a board Risk Committee responsible for privacy and security than North American (40%) and European (38%) boards
- Although Europe leads globally in privacy regulation and enforcement, the respondents indicate that only 3 percent of European organizations have a CPO. Asia closely follows with only 5 percent having CPOs while 23 percent of North American organizations have a CPO.
Signs of Improvement
A positive sign from the survey is the importance that boards are placing on IT and security/risk expertise in board recruitment as respondents ranked it very important or more important. Risk and security expertise was even more encouraging with 64 percent of the respondents indicating that it was very important or important. Improvements are also occurring at the organizational level in the increased number of organizations with Board Risk Committees and cross-organizational teams that manage privacy and security risks within the organization.
With the results indicating that governance and enterprise security is still lacking in most organizations, the report outlines 12 recommendations for boards of directors and senior management to help improve their organizations' security posture and reduce risk.
RSA Executive Quote
Tom Heiser, President, RSA
"The increasing criticality of digital resources and the more complex threat landscapes mean senior executives and boards must get better at marrying security functions with corporate operations. Boards are asking questions about risk and IT security, now there needs to be a closed loop system with management for risk policies to assure a trusted IT environment throughout their enterprise. Senior executives and boards can't get better at this without boosting their essential oversight and involvement in cyber risk management."
Carnegie Mellon Executive Quote
Jody Westby, CEO of Global Risk & Adjunct Distinguished Fellow, Carnegie Mellon CyLab
"Cyber criminals today are sophisticated; they are getting inside corporate systems and stealing confidential and proprietary data. It is imperative that boards and executives take appropriate governance steps to protect their organizations' computer systems and information. This involves undertaking key-oversight activities, obtaining independent cyber-risk expertise, recruiting board members with cyber risk and governance expertise, and reviewing cyber-insurance coverage. These are the basics; critical infrastructures have a higher duty of care. Boards that fail to step up their cyber risk management are placing their organizations at risk and could be breaching their fiduciary duty to protect the assets of the corporation, which includes digital assets."