Carnegie Mellon CyLab has issued the third in a series of reports examining information security governance from the standpoint of corporate Boards of Directors.
The report, which utilized a data pool selected from the Forbes Global 2000 list, shows that little has changed in the way of a concerted focus on cyber security by those at the highest levels of leadership in some of the world's largest corporate entities.
"Today, cyber attacks have moved to a new level: corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks has alarmed both industry leaders and government officials around the world," the CyLab report states.
"[Yet] Boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets. Even though there are some improvements in key “regular” board governance practices, less than one-third of the respondents are undertaking basic responsibilities for cyber governance. The 2012 gains against the 2010 and 2008 findings are not significant and appear to be attributable to slight shifts," the report notes.
The findings indicate that around half of the respondents indicate that the Boards of Directors rarely or never engage in policy reviews for IT security, assessments of the roles and responsibilities for senior level security managers, or actively exercise oversight of annual security budgets.
In addition, only about a third of respondents regularly or occasionally receive and review reports regarding the state of enterprise information security risk management.
"These findings are consistent with complaints by CISO/CSOs that they cannot get the attention of their senior management and boards and their budgets are inadequate. These views are further supported by the survey’s findings about which issues are actively addressed and governed by boards: the three areas that ranked lowest held the same position in the 2010 results: vendor management (13%), computer and data security (35%), and IT operations (29%). Most other issue areas were in the ninety percent range, including risk management (92%). There is still an apparent disconnect between boards and senior executives understanding that privacy and security and IT risks are part of enterprise risk management," CyLab concludes.
The report also found that on average less than two-thirds of the corporations examined did not have senior level security and privacy personnel in place, such as a CSO or CISO, and only about thirteen percent had a Chief Privacy Officer in place.
The lack of a CPO at many of the enterprises means that the duties normally assigned to such a position were the responsibility of the those who should be concentrating strictly on security issues, complicating the personnel's measurable effectiveness.
"Thus, less than two-thirds of the Forbes Global 2000 companies surveyed have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards. Moreover, the common practice of assigning security personnel both privacy and security responsibilities creates segregation of duties issues," the report states.
Overall, the report did show slight improvements over the results from the 2008 and 2010 studies, but the long and short of it is that corporate Boards of Directors have still not embraced privacy and security matters adequately, even in the wake of well publicized and obviously damaging security events.
"Although organizationally, boards are forming Risk Committees and establishing cross-organizational teams within their organizations, they are not regularly engaging in key cyber governance activities... In addition, only about one-third of the boards that are engaged with privacy and security issues are focusing on activities that would help protect against reputational or financial losses flowing from data breaches and theft of confidential and proprietary information," CyLab concluded.
The lack of urgency in addressing enterprise security issues ultimately leaves companies and their stakeholders at risk of impact from a catastrophic data loss event.