In the survey of 66 board members and senior executives at Fortune 100 companies, released last week, none of the respondents said that improving computer and data security is a top board priority, even though 56 percent said improving risk management is, according to the report.
The finding suggests that there is a gap in understanding the relationship between IT risks and enterprise risk management, Jody Westby, a CyLab adjunct distinguished fellow and CEO of security risk advisory company Global Cyber Risk, told SCMagazineUS.com on Monday.
“Boards are paying attention to risk, but they don't understand information technology risk, and they need to learn how to exercise governance over the privacy and security of their digital assets,” Westby said.
The second annual "Governance of Enterprise Security" report also found that board participation on a number of IT security governance activities is worse than it has been in the past. For example, 61 percent of respondents said they have not reviewed or approved annual privacy and security risk management budgets – up from 40 percent who said the same in 2008, the last time the survey was conducted. Respondents also are reviewing fewer security and privacy reports.
Board involvement in IT security governance may have gone down because of the Great Recession, Westby said.
“Because of the economic downturn, the last thing boards want to focus on is information technology,” she said. “They don't understand the risks, and their focus has been on economic and financial bottom-line issues.”
Respondents also are receiving fewer security and privacy reports from senior management than the 2008 survey participants received.
Meanwhile, 98 percent of respondents said their boards are not “actively addressing” vendor management, indicating that data residing with outsourced vendors is receiving little supervision. In addition, 65 percent of those polled said that their boards are not reviewing their company's insurance for cybersecurity risks.
Westby said that stat is especially disturbing since most cyber-related incidents, such as data breaches or intellectual property theft, are not covered by general liability policies.
Additionally, many firms lack key positions for privacy and security, according to the report: 53 percent of respondents said their organization does not have a CISO, while 62 percent do not have a CISO, and 80 percent have no CPO.
And, a majority of boards have one committee tasked with both risk management and auditing, even though best practices and industry standards indicate that these functions should be separate, the report states. However, the percentage of respondents who said their board has separate audit and risk committees has risen from eight percent in 2008 to 14 percent in 2010.
Another silver lining of the report was that boards are placing a high amount of importance on IT security and risk expertise when recruiting new board members. Seventy-five percent of respondents said IT experience is important, and 86 percent said that risk and security expertise is, the survey found.
Organizations also are encouraging more cross-company communication about privacy and security risks, which is essential to addressing cybersecurity threats, closing governance gaps and reducing legal liability, the report states.
Despite the small wins, boards of directors and senior management must make strides in governing the security of their organizations' information, applications and networks, Westby said.
“Overall, the picture is still pretty grim, but I am encouraged,” she said. “Hopefully this report will continue to show them the importance and put value on this area.”