Managing Cyber Risks
Are corporate boards and executives managing cyber risks responsibly? Carnegie Mellon University is the first to examine data across geographical regions and by various industry sectors to find out how well they're doing.
Jody Westby, Adjunct Distinguished Fellow at CMU's CyLab, conducted a survey to discover which industry sectors have more secure practices in place.
The survey results can be found in The Carnegie Mellon Governance of Enterprise Security: CyLab 2012 Report (PDF). Sponsored by RSA, The Security Division of EMC, this is the third such report conducted by Westby.
The report examines responses to a survey of senior executives and corporate board members from the Forbes Global 2000 list. It reveals that corporate boards and executives are taking risk management seriously, but there is still a gap in understanding the link between information technology (IT) risks and enterprise risk management.
This gap indicates that boards have a lack of understanding of how all business operations are supported by computer systems and digital data and how risks in these areas can undermine operations.
Fewer than two-thirds of the respondents' organizations have full-time personnel in key privacy and security roles in a manner consistent with internationally accepted best practices and standards.
Survey results confirm the belief among security experts that, overall, the financial sector has better security and governance practices than other industry sectors.
The financial sector shows the greatest degree of board attention to critical issues related to cyber risk management, while the energy/utilities and industrials sectors reveal a lack of board attention to critical issues such as vendor management, computer and information security, and IT operations.
The energy/utilities respondents also rank next to last in establishing necessary segregation of duties between board Risk Committees and Audit Committees.
More than half of respondents (57 percent) are not analyzing the adequacy of cyber insurance coverage or undertaking key cyber risk management activities that would help them manage the reputational and financial risks associated with security breaches and the theft of confidential and proprietary data.
Boards across all geographical regions are consistent in not reviewing cyber insurance coverage, but the gap is widest in critical infrastructure sectors: among respondents from the energy/utilities and IT/telecom sectors, close to 80 percent report that their boards of directors do not review insurance for cyber-related risks.
Although Europe leads globally in privacy regulations and enforcement, only three percent of the respondents indicate that their organizations have Chief Privacy Officers.
The survey results indicate that North American boards lag behind European and Asian boards in undertaking key privacy and security governance activities, such as regular reviews of annual budgets, roles and responsibilities, and top-level policies.
Security vulnerabilities in computer systems have the potential to harm everyone — from the home computer user, to businesses small and large, to government, to the military, and to anyone dependent on the nation's telecommunications, health care, energy, and financial systems.
This report is another example of CMU CyLab's mission to make computer systems more reliable and more secure for today's world.