The advanced findings from the latest 2012 Carnegie Mellon CyLab Governance survey of how corporate boards and executives are managing cyber risks reveals the issue is still not getting adequate attention at the top. The survey, sponsored by RSA, was the third one conducted by CyLab Adjunct Distinguished Fellow, Jody Westby, and comparisons with the 2008 and 2010 data clearly show ongoing gaps in governance.
Using the Forbes Global 2000 list, the 2012 survey represents the first analysis of cyber governance postures of major corporations around the world.
One of the most important advance findings is that boards and senior management still are not engaging in key oversight activities, such as setting top-level policies and reviews of privacy and security budgets to help protect against breaches and mitigate financial losses.
Even though there are some improvements in key “regular” board governance practices, less than one-third of the respondents indicate their boards and senior executives are undertaking basic responsibilities for cyber governance.
Although improvements are shown in the formation of board Risk Committees and cross-organizational teams within their organizations, nearly half of the respondents indicated that their companies do not have full-time personnel in key privacy and security roles, and 58% of the respondents said their boards are not reviewing their companies’ insurance coverage for cyber-related risks.
Recommendations for organizations to undertake key governance activities, such as:
- Establish the “tone from the top” for privacy and security through top-level policies.
- Review roles and responsibilities for privacy and security and ensure they are assigned to qualified full-time senior level professionals and that risk and accountability are shared throughout the organization.
- Ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches.
- Review annual IT budgets for privacy and security, separate from the CIO’s budget.
- Conduct annual reviews of the enterprise security program and effectiveness of controls, review the findings, and ensure gaps and deficiencies are addressed.
- Evaluate the adequacy of cyber insurance coverage against the organization’s risk profile.
The final survey report, which will also analyze differences in responses from Asia, Europe and North America and responses by industry sector, will be released in March 2012.