Many boards still don’t address security risks – survey

29 Feb 2012

Cyber risk still isn’t getting sufficient attention from top executives and company boards, according to new preliminary research from RSA.

The findings show that 42pc of boards rarely or never reviewed and approved top-level policies on privacy and IT security risks, while just 23pc did so regularly. Exactly two-thirds of organisations rarely or never approved the roles and responsibilities of the lead people tasked with looking after privacy and security; this only happens in 19pc of cases.

Budgetary approval for security and privacy programmes is decided below board level in 54pc of organisations, the survey found, while only one in four boards gets regular reports from senior management about risks to IT security and privacy.

The report noted some improvements in moves like the formation of board risk committees and cross-organisational teams. Nearly half of the respondents indicated that their companies do not have full-time personnel in key privacy and security roles. Almost three out of five respondents (58pc) said their boards are not reviewing their companies’ insurance coverage for cyber risks.

Rather than just show up security shortcomings, the research also included recommendations for organisations to undertake key governance activities, including:

  • Establish the ‘tone from the top’ for privacy and security through top-level policies
  • Review roles and responsibilities for privacy and security and ensure they are assigned to qualified full-time senior level professionals and that risk and accountability are shared throughout the organisation
  • Ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches
  • Review annual IT budgets for privacy and security, separate from the CIO’s budget
  • Conduct annual reviews of the enterprise security programme and effectiveness of controls, review the findings, and ensure gaps and deficiencies are addressed
  • Evaluate the adequacy of cyber insurance coverage against the organisation’s risk profile.

RSA, the security arm of storage giant EMC, conducted the research with Carnegie Mellon CyLab, surveying CEOs, CFOs, CROs and board members drawn from the Forbes Global 2000 list about their governance practices. The full research is due to be released next month.