• United States



Contributing writer

‘Clueless’ boards risk lawsuits, threaten national security

May 22, 20125 mins
CSO and CISOCybercrimeInternet Security

Energy/utilities sector ranks last on four of the best practices for cybersecurity, report exposes

For far too many boards of directors and senior management of critical infrastructure industry sectors, cybersecurity and privacy are less than afterthoughts. They are barely even thoughts.

That’s a key finding of “Governance of Enterprise Security: CyLab 2012 Report,” (View PDF) a global survey of industries by Carnegie Mellon CyLab and its sponsor, RSA, The Security Division of EMC.

Jody Westby, CEO of Global Cyber Risk and the author of the report, wrote in Forbes last week that boards of directors are essentially “clueless” about cybersecurity, saying 75% of the survey respondents were from critical infrastructure industry sectors — “primarily the financial, energy/utilities, IT/telcom and industrial.”

“When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two,” Westby wrote.

“According to the survey results, 71% of their boards rarely or never review privacy and security budgets; 79% rarely or never review roles and responsibilities; 64% rarely or never review top-level policies and; 57% rarely or never review security program assessments.”

Beyond this, Westby says 79% of boards in the energy/utilities sector were not conducting cyber insurance reviews. “What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity.”

“What are these people thinking?” she asked, adding that such inattention to security is the digital version of failing to lock the R&D lab door.

The consequences for loss of data, she says, can range from shareholder lawsuits for failure to protect the assets of the corporation to government sanctions for compliance failures.

And, when it comes to defense and critical infrastructure, national security could be at risk from hostile nation states that have concluded that attacking U.S. cyber vulnerabilities is cheaper and has a much greater chance of success than a military encounter.

Westby told CSO things are indeed as bad as the report results suggest, although she says the financial sector has made much more progress in security than others. Too many in those other sectors, she says, “aren’t even doing the basics.”

Whose fault is that? Some experts say it is the “Cool Hand Luke” problem — a failure to communicate by CISOs.

“We in the security community have done a poor job of communicating the issues to executive management,” says Mark Baldwin, CISSO and principal researcher at InfosecStuff. “CEOs and boards are business people. Too frequently, infosec professionals speak in terms of threats or vulnerabilities or technology. They need to learn to speak in terms that business leaders understand, and the one thing they understand is risk.”

The CISO of a major corporation on the West Coast, who declined to be identified, doesn’t blame the CEOs or boards. He says if a company has a CISO, “and [his or her] job is to own your information security, whose fault is it if the board is clueless?”

He agrees with Baldwin that some CISOs “don’t understand how to talk in risk language.”

But even though that criticism is coming from CISOs themselves, Westby doesn’t think it is entirely fair. Some CEOs and boards “don’t want to hear from them no matter how well they communicate,” she says. “And some CIOs and CISOs never see long-term strategic plans. How can they be expected to do anything if they don’t know the plan?”

She says too many CEOs fail to understand that “IT risks are enterprise risks,” and assume that if they have hired competent security people, there will not be a problem. “Their attitude is, ‘Take care of it — don’t bother me,'” she says.

That may be because corporate leaders and boards of directors are focused on what they view as much more important problems: such as how to survive and prosper in a hyper-competitive environment. Gary Long, CSO of ITWorks Operations at Cerner, says the corporate vision “often focuses on bookings, analyst opinions, and quarterly projections,” not security.

And Long thinks there may be a level of denial about the risk for some CEOs if there has not yet been a major data breach. “Their attitude is, ‘Why should I do anything if it’s never happened before?'”

[See also: Industry on Cybersecurity Act of 2012: Not so fast]

If there is a solution, it will come through better communication, not legislation, says Westby, who calls the various cybersecurity bills pending in Congress “stupid.” Members of Congress don’t understand cybersecurity, she says, and cannot be expected to improve it.

Long says real improvement is possible if corporations take security policy outside of IT, “which focuses on cost rather than risk. IT would still implement and run the necessary solutions, but the security organization would be responsible for presenting risks and strategy to the CEO/board.”

If that makes boards and executives start paying attention “it would be better,” Westby says. “That’s where you’re going to have the real action and traction. It should be a no-brainer. We’ve talked about it since 1999.”