Survey Shows IT Security Disconnect with Top Leaders

June 28, 2010

The boards and senior executives at many organizations are not adequately involved in enterprise privacy and security decisions, according to a report by Carnegie Mellon University's CyLab.

In the survey of 66 board members and senior executives at Fortune 100 companies, none of the respondents said that improving computer and data security is a top board priority, even though 56 percent said improving risk management is, according to the report. The finding suggests that there is a gap in understanding the relationship between IT risks and enterprise risk management.

The second annual "Governance of Enterprise Security" report also found that board participation on a number of IT security governance activities is worse than it has been in the past. For example, 61 percent of respondents said they have not reviewed or approved annual privacy and security risk management budgets – up from 40 percent who said the same in 2008, the last time the survey was conducted.

Respondents also are reviewing fewer security and privacy reports. Respondents also are receiving fewer security and privacy reports from senior management than the 2008 survey participants received. Meanwhile, 98 percent of respondents said their boards are not “actively addressing” vendor management, indicating that data residing with outsourced vendors is receiving little supervision. In addition, 65 percent of those polled said that their boards are not reviewing their company's insurance for cybersecurity risks.

Additionally, many firms lack key positions for privacy and security, according to the report: 53 percent of respondents said their organization does not have a CISO, while 62 percent do not have a CISO, and 80 percent have no CPO. And, a majority of boards have one committee tasked with both risk management and auditing, even though best practices and industry standards indicate that these functions should be separate, the report states. However, the percentage of respondents who said their board has separate audit and risk committees has risen from eight percent in 2008 to 14 percent in 2010.

Pandemics, Recessions and Disasters: Insider Threats During Troubling Times

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Industrial Cybersecurity: What Every Food & Bev Executive Needs to Know

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

Poll

Who has ownership or primary responsibility of video surveillance at your enterprise?

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Survey Shows IT Security Disconnect with Top Leaders

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

Survey Shows IT Security Disconnect with Top Leaders

Related Articles

The latest news and information

Content written for business-minded executives who manage enterprise risk and security