Protecting a company’s digital assets continues to be a challenging component of a director’s and/or board member’s total fiduciary duties — and— with the growing number of regulations now imposing more specific privacy and cyber security related obligations on companies — answering the question of whether or not those directors are managing cyber risks responsibly begs the need to find out how well those directors are really doing…..
To that point, Carnegie Mellon University’s “CyLab” group recently released the results of a survey it conducted which examined data across geographical regions and by various industry sectors to find out how well directors and officers were doing in managing cyber threats and risks and governing the security of their organizations’ information, applications and networks —i.e. their digital assets.
The title of that survey is “The Carnegie Mellon Governance of Enterprise Security: CyLab 2012 Report” and was sponsored by RSA, The Security Division of EMC.
The results of this survey reveals that corporate boards and executives are taking risk management seriously, but there is still a gap in understanding the link between information technology (IT) risks and enterprise risk management, and, it appears that this gap also indicates that boards have a lack of understanding of how all business operations are supported by computer systems and digital data and how risks in these areas can undermine operations.
Additionally, the survey results indicate that North American boards lag behind European and Asian boards in undertaking key activities associated with privacy and security governance such as regular reviews involving annual budgets, roles and responsibilities, and top-level policies.
Some of the recommendations made in this report to significantly improve any organizations’ security posture and to mitigate or reduce cyber related risk(s) included:
- Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks.
- Recruit directors with security and IT governance and cyber risk expertise.
- Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned.
- Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues.
- Require regular reports from senior management on privacy and security risks.
Click here to read the entire report, and, if applicable, please pass this information along to those risk management team members who may want to add this information to their resource library for further reference.