Boards, C-level Execs Not Adequately Involved in Governance Over IT Risks
June 25, 2010
Corporate boards and senior executives are becoming increasingly disconnected from their organizations' security and privacy decisions, according to new research from Carnegie Mellon University's CyLab.
That's more than a little disheartening to hear, considering that cyber attacks are increasingly common and increasingly effective. In fact, Symantec now estimates that attacks like these cost businesses an average of $2 million per year. They cause loss to productivity, efficiency, revenue, and customer trust.
CyLab's new research, which follows up on a 2008 study, included a survey of 66 business execs at the board or senior executive level from Fortune 1000 companies. Based on the data collected, CyLab was able to uncover several disturbing trends. For example:
61 percent of those polled this year say they never review budgets, compared to 40 percent in the 2008 study.
33 percent say they never review or approve top-level policies, up 10 percent from the earlier survey.
43 percent say they never take part in reviewing or approving the roles and responsibilities of IT security personnel; only 28 percent said so two years ago.
5 percent say their boards are not reviewing cybersecurity insurance at all.
Fortunately, not all the data in the report was as grim, and I was able to find a small handful of positive trends. For instance, 75 percent of respondents indicated that IT experience was important or somewhat important when recruiting directors, and 86 percent said the same of risk/security expertise.
From the report:
"The Survey revealed that boards are taking risk management seriously, but there is still a gap in understanding the linkage between information technology ("IT") risks and enterprise risk management. Survey results confirmed for the second time the belief among IT security professionals that boards and senior executives are not adequately involved in key areas related to governance over IT risks. When asked to identify their boards' three top priorities, "improving computer and data security" was not selected by any respondent. 98% of the respondents indicated that their boards were not "actively addressing" IT operations and vendor management. Thus, privacy and security of data at outsource vendors are receiving little oversight."
The 28-page report, titled "Governance of Enterprise Security: CyLab 2010 Report," includes 10 recommendations for improving governance over information security at your organization and is available here. (Registration required.)