Governance of Enterprise Security Still a Low Priority for the Board: Report

Boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets.

This stark conclusion comes from the Carnegie Mellon CyLab 2012 report. Professor Jody R. Westby released the advanced key findings of the report at the RSA Conference 2012 on Tuesday (27 February) in San Francisco.

“Even though there are some improvements in key “regular” board governance practices, less than one third of the respondents are undertaking basic responsibilities for cyber governance,” she said, citing the report.

Sponsored by RSA and using the Forbes Global 2000 list, the 2012 survey represents the first analysis of cyber governance postures of major corporations around the world. The survey participants were CEOs/presidents (52 percent), corporate secretaries (15 percent) and Board Chairs (24 percent).

The survey also found that there is still an apparent disconnect between boards and senior executives understanding that privacy and security and IT risks are part of enterprise risk management.

“This conclusion is bolstered by the lack of attention by boards to cyber insurance coverage,” the report said.

“IT risks are enterprise risks. Boards need to understand that,” Westby said.

Another discouraging sign is that out of those surveyed, only 13 percent companies had chief privacy officers. This is important because the common practice of assigning security personnel both privacy and security responsibilities creates segregation of duties at line responsibility levels.

But Westby noted that there were some encouraging signs too. For example, board organisational structures are changing. Risk committees are being formed to serve as the primary committee responsible for risk management, segregating these responsibilities fro Audit Committees. Also, there are clear indications that boards are understanding the value of having directors with IT security expertise.