Corporate Boards Still Not Paying Attention to Cyber Risk

March 5, 2012
News last week that a NASA computer stolen in March 2011 contained unencrypted codes used to command and control the International Space Station has put the spotlight, once again, on the issue of cyber security. Are C-suite execs paying attention? Unfortunately, new research suggests they're not.

The advance findings from the latest 2012 Carnegie Mellon CyLab Governance survey of how corporate boards and executives are managing cyber risks reveal that the issue is still not getting adequate attention at the top. Sponsored by RSA, The Security Division of EMC, the survey results show that even though there are some improvements in key "regular" board governance practices (formation of board Risk Committees and cross-organizational teams within certain organizations), significant areas of concern remain. For instance:

- Oversight is lacking. Boards and senior management are not engaging in key oversight activities, such as setting top-level policies and reviewing privacy and security budgets, to help protect against breaches and mitigate financial losses.
- Most boards aren't taking responsibility. Less than one-third of the respondents indicate their boards and senior executives are undertaking basic responsibilities for cyber governance.
- Lack of personnel is a concern. Nearly half of the respondents indicated that their companies do not have full-time personnel in key privacy and security roles.
- Insurance coverage needs updating. More than half (58 percent) of the respondents said their boards are not reviewing their companies' insurance coverage for cyber-related risks.

What can you do to help remedy the situation at your company? RSA suggests you:

- Get buy-in from the C-suite. Set the "tone from the top" for privacy and security through top-level policies.
- Establish policy, procedures and personnel. Review roles and responsibilities for privacy and security and ensure they are assigned to qualified full-time senior-level professionals, and that risk and accountability are shared throughout the organization.
- Secure paths for information flow. Ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches.
- Audit. Review annual IT budgets for privacy and security, separate from the CIO's budget.
- Assess. Conduct annual reviews of the enterprise security program and the effectiveness of controls, review the findings and ensure gaps and deficiencies are addressed.
- Check insurance coverage. Evaluate the adequacy of cyber insurance coverage against the organization's risk profile.

Of course, establishing new governance policies won't necessarily be easy, especially considering the proliferation of cloud computing, the consumerization of technology and emerging concerns with shadow IT.

"The models for creating, delivering and managing IT services are in a state of transformation driven by virtualization, cloud computing, the hyper-connectivity of people and organizations, and the emergence of a new class of 'big data' applications," explained Brian Fitzgerald, Vice President, Marketing, RSA. "With the convergence of these trends amid an increasingly complex compliance and threat landscape, executives and boards must be actively engaged in ensuring their organizations are addressing these risks while reaping the benefits of next generation IT."

The final survey report, which will also analyze differences in responses from Asia, Europe and North America and responses by industry sector, is due for release this month.
