Study looks at way US boards and CEOs manage risk

Dec 02, 2008

A recent Carnegie Mellon University CyLab survey of corporate board directors reveals a gap in board and senior executive oversight in managing cyber risks.

Based on data from 703 individuals (primarily independent directors) serving on U.S.-listed public company boards, only 36 percent of the respondents indicated that their board had any direct involvement in oversight of information security.

The survey also said that cybersecurity issues need to be seen as an enterprise risk management problem rather than an IT issue.

"Managing cyber risk is not just a technical challenge, but it is a managerial and strategic business challenge," said Pradeep K. Khosla, dean of Carnegie Mellon's College of Engineering and CyLab founder.

"There are real fiduciary duty and oversight issues involved here," said Jody Westby, adjunct distinguished fellow at Carnegie Mellon CyLab and the survey's lead author. "There is a clear duty to protect the assets of a company, and today, most corporate assets are digital."

"We also found that boards were only involved about 31 percent of the time in assessment of risk related to IT or personal data — the data that triggers security breach notification laws," said Westby, who is also chair of the American Bar Association's Privacy and Computer Crime Committee.

Only 8 percent of survey respondents said their boards had a risk committee that is separate from the audit committee, according to Westby.

"Without the right organizational structure and interest from top officials, enterprise security can't be effective no matter how much money an organization throws at it," said Richard Power, co-author of the report and a distinguished fellow at Carnegie Mellon CyLab.

Power said the survey also shows that senior management has not budgeted for key positions requiring expertise in cybersecurity or privacy areas. "No wonder the number of security breaches has doubled in the past year — only 12 percent of the respondents have established functional separation of privacy and security, and most companies don't have C-level executives responsible for these areas," Power added, comparing the survey results to the breach chronology maintained by the Privacy Rights Clearinghouse (www.privacyrights.org/ar/ChronDataBreaches.htm).

To help company boards improve corporate governance of privacy and security, the survey recommends broad operational changes, from establishing a board risk committee separate from the audit committee, to reviewing existing top-level policies, to creating a culture of security and respect for privacy.

Source: Carnegie Mellon University
