
Governance of Enterprise Security: CyLab 2012 Report Advanced Key Findings

By Jody R. Westby
Carnegie Mellon CyLab has just concluded its third survey on how boards and senior executives are governing the privacy and security of their organizations' digital assets (networks, systems, and data). Sponsored by RSA, this survey reached beyond the U.S. survey populations used for the 2008 and 2010 CyLab Governance of Enterprise Security reports. Drawing on the Forbes Global 2000 list, the 2012 survey represents the first analysis of the cyber governance postures of major corporations around the world. Although the survey population was larger, the response rate was comparable to that achieved in 2010, with similar percentages of respondent types: CEOs/Presidents (52%), Corporate Secretaries (15%), and Board Chairs (24%).

Today, cyber attacks have moved to a new level: corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks has alarmed both industry leaders and government officials around the world. These are issues that now require active oversight by boards and senior executives.

Although it has long been recognized that directors and officers have a fiduciary duty to protect the assets of their organizations, this duty now extends to digital assets, and it has been expanded by laws and regulations that impose specific privacy and cyber security obligations on companies. For example, the Securities and Exchange Commission recently issued guidance calling on public companies to disclose the risk of cyber incidents if they materially affect a registrant's products, services, relationships with customers or suppliers, or competitive conditions, or if they make an investment in the company speculative or risky. Officers and directors will not be able to meet their fiduciary responsibilities and compliance obligations if they are not exercising adequate governance over the privacy and security of their systems and data.
2012 Survey Findings

One of the most important advance findings of the CyLab 2012 Governance survey is that boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets. Even though there are some improvements in key regular board governance practices, fewer than one-third of the respondents are undertaking basic responsibilities for cyber governance. The 2012 gains against the 2010 and 2008 findings are not significant and appear to be attributable to slight shifts between "occasionally", "rarely", and "never".
Best Management Practice                                                                                   Regularly   Occasionally   Rarely or Never
Board reviews & approves top-level policies on privacy & IT security risks                                   23%          28%             42%
Board reviews & approves roles & responsibilities of lead personnel responsible for privacy & IT security    19%          18%             66%
Board reviews & approves annual budgets for privacy & IT security programs                                   28%          10%             54%
Board regularly receives reports from senior mgmt regarding privacy & IT security risks                      38%          34%             25%

(Percentages are as reported in the survey; rows do not sum to 100%.)

These findings are consistent with complaints by CISOs/CSOs that they cannot get the attention of their senior management and boards and that their budgets are inadequate. These views are further supported by the survey's findings about which issues are actively addressed and governed by boards: the three areas that ranked lowest held the same positions as in the 2010 results, namely vendor management (13%), IT operations (29%), and computer and data security (35%). Most other issue areas were in the ninety-percent range, including risk management (92%). There is still an apparent disconnect in boards' and senior executives' understanding that privacy, security, and IT risks are part of enterprise risk management. This conclusion is bolstered by the lack of attention by boards to cyber insurance coverage: 58% of the respondents said their board did not review the organization's insurance coverage for cyber-related risks, compared with 65% in 2010. This slight improvement could be explained by the increase in respondents in 2012 who said they did not know or skipped the question.

Jody R. Westby. All rights reserved. Sponsored by RSA.

Organizations also continued to show that they do not have full-time, senior-level personnel in place to appropriately manage privacy and security risks. Although every job category showed an improvement, except the Chief Privacy Officer role, the numbers are all below the two-thirds mark. Thus, fewer than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner consistent with internationally accepted best practices and standards. Moreover, the common practice of assigning security personnel both privacy and security responsibilities creates segregation-of-duties issues at line-responsibility levels.
Role   Yes    Oversee Privacy   Oversee Security   Oversee Both   Neither/Skipped
CISO   62%    2%                44%                54%            59%
CSO    49%    0%                54%                43%            76%
CPO    13%    100%              0%                 0%             91%
CRO    54%    0%                23%                53%            93%

Signs of Progress

Board organizational structures are changing. Risk Committees are being formed to serve as the primary committee responsible for risk management, segregating these responsibilities from Audit Committees. In 2008, only 8% of respondents said their organization had a separate Risk Committee; in 2010, that percentage went up to 14%, and in 2012 it jumped to 46%. Audit Committee responsibility for oversight of risk dropped from 65% in 2008 to 35% in 2012. There are clear indications that boards are understanding the value of having directors with IT security expertise: 27% of respondents indicated that their board has an outside director with cyber security expertise, up from 18% in 2010. 94% of respondents indicated that their organization had a formal Enterprise Risk Management (ERM) program or structure for assessing, responding to, and reporting on risks that impact company operations, up from 85% in 2010 and 47% in 2008. 94% of respondents also indicated that their ERM programs included an assessment of information technology risks, up from 76% in 2010 and 67% in 2008. One of the most encouraging signs was the continued increase in organizations that have cross-organizational committees or teams that manage privacy and security issues and risks: 70% of the 2012 respondents, compared with 65% in 2010 and 17% in 2008.


Conclusions

The 2012 CyLab Governance survey results indicate a serious lack of attention at the top. Although boards are forming Risk Committees and establishing cross-organizational teams within their organizations, they are not regularly engaging in key cyber governance activities. Nearly half of the respondents indicated that their companies do not have personnel in key privacy and security roles, and 58% of the respondents said their boards are not reviewing their companies' insurance coverage for cyber-related risks. In addition, only about one-third of the boards that are engaged with privacy and security issues are focusing on activities that would help protect against reputational or financial losses flowing from data breaches and theft of confidential and proprietary information.

Recommendations

Privacy and security are competitiveness issues, and companies that set the tone of a trusted workplace with their employees also convey the message of a trusted business to the marketplace. Effective governance enhances profitability through the mitigation of liabilities and losses associated with compliance costs, operational downtime, cybercrime, and theft of intellectual property. The following recommendations address the Advanced Findings of the CyLab 2012 Governance survey:

- Establish the tone from the top for privacy and security through top-level policies.
- Review roles and responsibilities for privacy and security, and ensure they are assigned to qualified, full-time, senior-level professionals and that risk and accountability are shared throughout the organization.
- Ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches.
- Review annual IT budgets for privacy and security, separate from the CIO's budget.
- Conduct annual reviews of the enterprise security program and the effectiveness of controls, review the findings, and ensure gaps and deficiencies are addressed.
- Evaluate the adequacy of cyber insurance coverage against the organization's risk profile.
