In its third survey on how boards and senior executives approach privacy and security in their organizations’ digital assets, which include networks, systems and data, Carnegie Mellon CyLab completed the first ever global analysis of cyber governance of major corporations around the world. This year’s survey included international respondents, broadened the scope of inquiry and was sponsored by RSA, the Security Division of EMC and a provider of security and risk management solutions. Querying companies on the Forbes Global 2000 list, the survey collected responses primarily from company CEOs and presidents, representing 52 percent of respondents, as well as board chairs, comprising 24 percent, and corporate secretaries, contributing 15 percent of the replies.
The principal finding was that boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets, though there has been some improvement since last year. The major areas of concern involved how responsibility for information security is delegated. Among those surveyed, 42 percent of company boards are rarely or never required to approve top-level policies on privacy and IT security risks; 66 percent of boards rarely or never review or approve the roles and responsibilities of the lead personnel responsible for IT and security; and 54 percent rarely or never review annual budgets for privacy and security programs. “There is still an apparent disconnect between boards and senior executives understanding that privacy, security and IT risks are part of enterprise risk management,” writes Jody R. Westby, who prepared the study conclusions.
The study also uncovered a lack of attention to cyber insurance coverage. Nearly 60 percent of respondents reported not reviewing the organization’s coverage for digital assets and the associated risks, such as data breaches and identity theft. Though the percentage is still high, it is an improvement on last year’s report, in which 65 percent neglected insurance.
Aside from these areas of concern, several encouraging signs of progress were found. The number of corporations with separate committees dedicated to risk management has nearly quadrupled since 2010, meaning that more businesses are choosing to assign the handling of risks to one specific team. Companies are also expressing more interest in having directors with IT security expertise. Nearly all respondents indicated having an official Risk Management program to help troubleshoot or prevent issues with company networks and data.
Corporate privacy and security are sensitive issues that set the tone of a work environment. As with all other areas of business policy making, effective information management must come from the top tier of the business and branch out from there. Through regularly reviewing procedures, companies can ensure that private information remains private and security risks are minimal.