Study looks at way US boards and CEOs manage risk

Dec 02, 2008

A recent Carnegie Mellon University CyLab survey of corporate board directors reveals a gap in board and senior executive oversight in managing cyber risks.

The survey, based on data from 703 individuals (primarily independent directors) serving on U.S.-listed public company boards, found that only 36 percent of the respondents indicated that their board had any direct involvement in oversight of information security.

The survey also concludes that cybersecurity issues need to be treated as an enterprise risk management problem rather than as an IT issue.

"Managing cyber risk is not just a technical challenge, but it is a managerial and strategic business challenge," said Pradeep K. Khosla, dean of Carnegie Mellon's College of Engineering and CyLab founder.

"There are real fiduciary duty and oversight issues involved here," said Jody Westby, adjunct distinguished fellow at Carnegie Mellon CyLab and the survey's lead author. "There is a clear duty to protect the assets of a company, and today, most corporate assets are digital."

"We also found that boards were only involved about 31 percent of the time in assessment of risk related to IT or personal data — the data that triggers security breach notification laws," said Westby, who is also chair of the American Bar Association's Privacy and Computer Crime Committee.

Only 8 percent of survey respondents said their boards had a risk committee that is separate from the audit committee, according to Westby.

"Without the right organizational structure and interest from top officials, enterprise security can't be effective no matter how much money an organization throws at it," said Richard Power, co-author of the report and a distinguished fellow at Carnegie Mellon CyLab.

Power said the survey also shows that senior management has not budgeted for key positions requiring expertise in cybersecurity or privacy areas. "No wonder the number of security breaches has doubled in the past year — only 12 percent of the respondents have established functional separation of privacy and security, and most companies don't have C-level executives responsible for these areas," Power added, comparing the survey results to the breach chronology maintained by the Privacy Rights Clearinghouse (www.privacyrights.org/ar/ChronDataBreaches.htm).

To help company boards improve corporate governance of privacy and security, the survey recommends broad operational changes, ranging from establishing a board risk committee separate from the audit committee, to reviewing existing top-level policies, to creating a culture of security and respect for privacy.

Source: Carnegie Mellon University
