Top execs show 'lack of attention' on privacy, security risks

SAN FRANCISCO--Board members and top executives have yet to associate privacy and IT risks with the overall enterprise risk management, which showed in their "serious lack of attention" to these issues, according to a new RSA study. There were signs of improvements in areas such as hiring directors with IT security expertise and setting up cross-organizational committees to manage privacy and security risks, though. 

The 2012 Carnegie Mellon CyLab Governance survey, released here on Tuesday, revealed that less than one-third of respondents had undertaken basic responsibilities for cyber governance. Only 23 percent indicated that they regularly review and approve top-level policies on privacy and IT security risks, while just 28 percent stated that they regularly review and approve annual budgets for privacy and IT security programs.

These findings are consistent with complaints by chief information security officers (CISOs) and chief security officers (CSOs), who said they cannot get the attention of their senior management and were given inadequate budgets, the report noted. Furthermore, in terms of issues actively addressed by the board, vendor management at 13 percent, IT operations at 29 percent, and computer data security at 35 percent, came in last, it noted.

"There is hence a gap because boards and senior executives still don't understand that privacy and IT risks are part of enterprise risk management," noted Jody Westby, CEO of global risk & adjunct distinguished fellow at Canegie Mellon CyLab. She was speaking at the press briefing held in conjunction with the release of the report on Tuesday.

This year's survey was the first time organizations outside of the United States were polled and, using the Forbes Global 2000 list, the first time it looked at cyber governance postures of major corporates around the world, added Westby, who conducted the research. The survey, which polled respondents ranging from CEOs or presidents and board chairmen to corporate secretaries, was sponsored by RSA, the security division of EMC.

With regard to having dedicated personnel for key privacy and security roles, nearly half of the respondents indicated that their companies do not have such people onboard to manage these risks, the report noted.

Westby pointed out that while the creation of job categories such as CISO, CSO, and chief risk officer (CRO), had showed slight improvements when compared to past years' findings, the numbers are still below the two-thirds mark. As for the role of chief privacy officer (CPO), this has not grown, which she said indicated a lack of importance placed on privacy of digital assets.

"Less than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards. Moreover, the common practice of assigning security personnel both privacy and security responsibilities creates segregation of duties issues at line responsibility levels, she stated separately in the report.

Signs of progress
That said, Westby maintained there were "signs of progress" and observed improvement by top management in being involved with enterprise security and privacy matters as compared to previous years.

For example, it was found that 46 percent of respondents said their organizations had a separate risk committee this year, segregated from the responsibilities of the audit committee. This was an improvement compared to 2008's findings of only 8 percent, and 2010's 14 percent, she noted.

Company boards also showed signs of understanding the value of directors with IT security expertise, with 27 percent of respondents stating that their board had an outside director with cybersecurity expertise, Westby added. This percentage is up from 18 percent in 2010.

More companies have also set up cross-organizational committees or teams to manage privacy and security issues and risks this year, with 70 percent of organizations indicating that their organizations have created such a team, compared with 65 percent in 2010 and 17 percent in 2008, she added.

Managing risks from top down
To better align with industry best practices, Westby called on companies to revise the roles and responsibilities for privacy and security officers to ensure those assigned are qualified and experienced. She added that risk and accountability should be share throughout the organization.

There should also be reviews of annual IT budgets for privacy and security and this must be separate from the CIO's budget, while companies are advised to take stock of their enterprise security programs and address existing gaps and deficiencies, she said.

Westby also urged top management in companies to be actively involved in securing their organizations' digital assets. "No security vendor is responsible for ensuring the safety of every business, because the responsibility belongs to the businesses themselves. It's just like how every country's law enforcement is not responsible for the security of people who do not lock their doors," she said.

Ellyne Phneah of ZDNet Asia reported from the RSA Conference 2012 in San Francisco, USA.