Why Boards of Directors Don't Get ItNew Study Examines How Senior Leaders Manage Cyber Risks
Boards of directors continue to overlook IT risk management, security and privacy among top agenda items, says Jody Westby of Carnegie Melon CyLab. Where are the organizational gaps that need to be filled?
According to Westby, it's more often than not talk vs. walk among organizations around managing IT risks. "That's quite concerning," she says in an interview with Information Security Media Group's Tom Field [transcript below].
Westby is the author of the new report, How Boards & Senior Executives Are Managing Cyber Risks, sponsored by RSA and Forbes. This study of 100-plus global Forbes 2000 organizations marks the third time CyLab has researched the topic - the first two surveys were conducted in 2008 and 2010.
According to the new report, typical oversights for boards of directors when it comes to information security and privacy include:
- Cyber insurance: Boards often don't understand that cyber insurance is separate from traditional insurance policies. "Most corporations, especially large global corporations, should understand that cyber risks generally are not within property and general corporate liability policies," Westby says.
- Best practices: Senior leaders overlook best practices around governing cyber risks, Westby says, including reviewing security budgets, approving roles and responsibilities for key personnel, reviewing top-level policies and regularly reviewing security program assessments.
- Governance structure: Boards are starting to have more risk committees assigned with responsibility for security and privacy. "But they're still overly reliant on the audit committee," Westby says. "That's really an unfortunate occurrence." It's a segregation of duties issue, she says, where a risk committee separate from the audit committee should be implemented.
- Engaging outside experts: Risk and IT technology committees engage outside experts the least, compared with audit, compensation and governance committees. "With the evolving and sophisticated nature of our threats today, I think all companies need to have on hand someone that they can have as a point person," Westby says.
In an exclusive interview about this new study, Westby discusses:
- Why senior leaders still fail to see IT risks as corporate risks;
- Six best practices for governing IT risk management;
- The top industries and global regions for IT risk management.
Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business experience, Westby provides consulting and legal services to public and private sector clients around the world in the areas of privacy, security, cybercrime, breach management and IT governance. She also serves as Adjunct Distinguished Fellow for Carnegie Mellon CyLab and is a professional blogger for Forbes. Westby is a member of the bars of the District of Columbia, Pennsylvania, and Colorado and serves as chair of the American Bar Association's Privacy and Computer Crime Committee. She co-chairs the World Federation of Scientists' (WFS) Permanent Monitoring Panel on Information Security and served on the ITU Secretary-General's High Level Experts Group on Cybersecurity. Ms. Westby led the development of the International Toolkit on Cybercrime Legislation and is an editor and co-author of the 2010 WFS-ITU publication, The Quest for Cyber Peace. Ms. Westby is co-author and editor of four books on privacy, security, cybercrime, and enterprise security programs and author of two books on legal issues associated with cybersecurity research. She speaks globally on these issues.
Overlooking Importance of IT Risks
TOM FIELD: Now you've just conducted your third study on governance and cyber risk.
JODY WESTBY: Correct. They're biannual studies and we've done them in 2008, 2010 and now we just released 2012.
FIELD: You and I had the opportunity to speak in 2008, and at the time the big takeaway was that boards and senior executives absolutely failed to see IT risks as corporate risks. Has that perception changed in four years time?
WESTBY: Sadly no, not really. It's still a big problem. Although 91 percent of the respondents indicated that risk management was a high priority, it was clear that they do not understand that IT risks have to be considered within risk management.
FIELD: Now at the time that we spoke, you said something that has stuck with me. You described what you said was a "gaping hole" as wide as the Grand Canyon. Has the hole shrunk any?
WESTBY: Only slightly in that we're seeing some areas of improvement, but they're only organizational. They're more talk than walk, so I still believe that these results show that there's a huge void between the C-suite and board level and the operational level where CIOs and CISOs tend to operate.
Cyber Risks Study
FIELD: Let's talk about the 2012 study. This is a global survey. What are the key findings of this research?
WESTBY: Among the key findings that we had - in addition to what you already mentioned - is risk management doesn't really consider IT risks as part of an enterprise security issue. Another finding was that boards are clearly lacking in understanding that insurance for cyber risk is separate from traditional insurance policies. Fifty-seven percent of the respondents said their boards are not reviewing insurance coverage for cyber risks, and it was especially high in a couple of industry sectors. Energy/utilities was 79 percent not reviewing insurance for cyber risks and IT telecom, 77 percent not reviewing. I think that's pretty stunning because most corporations, especially large global corporations, should understand that cyber risks generally are not within property and general corporate liability policies, or, for example, even at the D&O level. So I think that was one of the major findings that we saw in the report.
The other was that best practices still are not being followed at the governance level. Boards need to be more involved in key governance activities, and the best practices I'm referring to I picked out six that are really basic fundamental best practices. If boards were doing these six things, they would have their finger on the pulse of at least the privacy and security of their digital assets.
The six practices we looked at were reviewing and approving privacy and security budgets, reviewing and approving roles and responsibilities for key privacy and security personnel, reviewing and approving top-level policies on privacy and security, receiving reports on privacy and security risks, receiving reports on breaches or loss of data, and then regularly reviewing security program assessments. In those six areas we found still a large percentage of the respondents indicated that their boards were rarely or never engaging in these activities. That's quite concerning.
Also, we looked at the structure in how the board's organized and they're starting to have more risk committees and assigning those risk committees the responsibility for privacy and security, but still they're overly reliant on the audit committee. They're still at that point where the audit committee still has the most responsibility for risk. That's really an unfortunate occurrence because the audit committee will determine then what security or privacy needs the organization has and then next year they come back and audit their own work.
It's a segregation of duties issue at the board level. There should be a risk committee separate from the audit committee and they should both look at this and compare notes and hopefully they think and where they don't, those are deficiencies identified that would need to be addressed.
Also in the area of looking at using outside expertise, they really aren't relying on risk and IT security experts for assistance with this risk management. They're primarily looking to professional services firms, but when they do hire outside experts it's usually the audit committee, the compensation committee, governance committee, the usual suspects that bring in experts, but the risk committee and the IT technology committee hire experts the least. And with this evolving nature and sophisticated nature of our threats today, I think all companies need to have at least on tap, on hand, someone ready that they can have as a point person to call as an expert to assist them when there are instances and problems.
They're still also assigning the CISOs to report to the CIOs. That's problematic because what happens is the CIO first of all manages the money and only gives the CISO beneath him or her what they think they should have. I've seen them interfere in security procurements where they want another vendor to be used, or I've also seen then interfere with security configuration settings because they want the architecture to work a certain way, and obviously those are segregation of duty issues at the operational level. CISOs and CIOs should have independent reporting lines, but we also found it shocking the number of companies that said they didn't even have people in these key positions. Thirty-five percent said they didn't have a CISO and 47 percent said they didn't have a chief security officer.
The other finding that I just find completely baffling is 82 percent said they didn't have a chief privacy officer and in 2010 it was 80 percent and so this is still a consistent finding. It's not an anomaly and one of the things that we see though is that they're overlapping privacy and security roles and 58 percent of the CISOs were also responsible for privacy. That's another segregation of duty issue, where you have one person responsible for both privacy and security. It's interesting that they commonly overlap privacy and security with security personnel but they never do with privacy personnel. Zero percent in 2010 and 2012 assigned security to privacy people, but they commonly assign privacy to security people.
The last thing that I will mention is the cross-organizational communication and we're seeing a nice improvement here, where 72 percent of the organizations now have cross-organizational teams or committees that talk about privacy and security and work across the organization on managing these risks, and this is a big improvement. In 2008 it was 17 percent. It jumped to 65 percent in 2010 but now [it's] up to 72 percent, so I'm very happy about that.
Governing IT Risk Management
FIELD: Looking at the best organizations you've surveyed, how are they governing IT risk management appropriately?
WESTBY: I talk to different board people and invariably I get answers like this, "Oh yeah, we have really good people and they tell us that our systems are bulletproof. We ask about this. We're very aware of this. We ask questions about this and we regularly bring this up." But then when we start probing and [ask], "Have you looked at the policies? Does the board review the policies that are set," [they say], "Well, no." "Have you looked at the roles and responsibilities assigned to the key personnel for these areas?" [And they say], "Well, no." "On every board meeting, do you have a place on the agenda where you look at what were the risks or what were the security incidents that occurred in between those two periods of the board meeting?" [And they say], "No." So I say, "What kind of cyber insurance coverage do you have?" [And they say], "Well we haven't looked at that."
When I really probe, they aren't doing those things. The companies that are doing it right are doing those things. They're looking at the issues and they're linking it to their strategy; they're sharing their long range and strategic plans with their CIOs and CISOs to make sure that their IT infrastructure and security program can support their operations in the direction that they're heading, and they're consulting them on IT risks associated with mergers and acquisitions. They're actually incorporating due diligence efforts and MNA efforts in looking at the acquisition we're looking at - has their intellectual property already been stolen? Do they have huge security problems with their system? Maybe they have liabilities pending from breaches. There are a lot of areas in looking at MNA where you spill into the transaction space for boards that also take an active role. The companies that are doing it right have turned the light bulb on at the board level and they've gotten engaged and they regularly get information. They interact with the CISO and CIO just like they would interact with a business unit leader, and they understand that those business units are not going to be successful if the IT system fails.
FIELD: You mentioned earlier that this is the first time you had done this survey globally. What differences did you see by global region as well as by industry sector?
WESTBY: Globally, what I found most interesting was Americans tend to think that we know the most about security. We've given privacy to the Europeans. Okay, well you lead globally on privacy, but we understand security. And it's not true. When I looked at the findings, I really was amazed to find that when we looked at the best practices, the boards needing to be involved in those six key areas, the North American boards were last place. Asian boards faired best and European boards were next.
Then when we looked at the board committee structure with some of the biggest improvements at being organizational, again North America was last place. Twenty-eight percent had risk security committees vs. Asia with 95 percent. So it was again - Asia, Europe and North America. When we looked at board responsibility for risk, it was North America that was most reliant on the audit committee and Asians the least reliant. Now, I was very surprised about Europe where here they lead the stage globally with privacy, but only 3 percent of the European respondents indicated they have a chief privacy officer.
The other thing was that the Europeans gave least attention to linking enterprise risk with IT risk, which was interesting because North Americans had a better percentage in that area, giving more attention to linking IT risk with enterprise risk, except that doesn't sync when you look at the activity. That's talk vs. walk. North Americans say, "Oh yes, we link this stuff," but when we say, "What are you doing [with] the best practices," then no, we were in third place where the Asians were in first and Europeans second. Regionally, I think one of the key findings was just where North America ranked in comparison with its European and Asian counterparts.
On the industrial side, the key finding was that this report for the first time confirmed the belief by many of us in the security field who have always felt that the financial sector had the best governance and security programs, and across the board the financial sector did. It's not to say they're doing everything perfect. There are plenty of areas for them to have improvement. The four [industry sectors] that were compared were energy/utilities, industrial, IT telecom and financial. Seventy-five percent of the respondents were those four critical infrastructure sectors.
But what we found was that the energy/utilities and industrial sectors frequently came in last place. When we looked at the board committee structure with how many boards had risk security committees or IT technology committees, energy/utilities came in the lowest. When we looked at the value of IT and risk expertise on boards, when they're recruiting directors, the energy/utilities valued IT expertise the least with only 7 percent. When we looked at reporting lines of CISOs reporting to CIOs, the energy/utilities and financial had the most reporting to CIOs. So there's an area where you can pick out financial and here is an area where you do need to improve. You need to get independent reporting lines for your CISOs.
Also, when we looked at the cross-organizational teams, the energy/utilities and industrial sectors were last place. I found that extremely interesting because those two sectors are highly independent upon control systems, SCADA systems that operate their processes in addition to all of the commercial applications that every company has. IT really underpins those corporations' ability to even operate.
Recommendations for Organizations
FIELD: What are your top two or three recommendations for organizations and what's it going to take for these organizations to finally heed these recommendations so we see an appreciable difference by 2014?
WESTBY: I gave 12 recommendations in my report and I think if they do those 12 things they will be in good shape. I think it's most important that they do have a board risk committee separate from the audit committee that they assign the key privacy and security roles, and then they engage in those six best practices, because if they do those things they will be getting the critical information flows they need. They will be getting the oversight at the key points, where if something terrible is happening they would know. It would also help mitigate risk from compliance issues if they had a major event.
The other thing - some people say it's going to take a huge catastrophe for boards to wake up, and I don't agree with that. We're seeing that they're paying attention and I'm certainly seeing that they're interested in this. They just are clueless about how to approach this. I think they need to understand too that they really need to have independent advice because when an organization has been infiltrated with malware and we find that it's exfiltrating data, that's serious enough that it's going directly to the fiduciary duties those board directors and officers owe to their corporation to protect their assets. They need to have independent advice of what's really going on, because they sometimes don't get it. We sometimes see situations where the CISO's not really revealing how bad the situation is because, probably, they're afraid in a bad economy they might lose their job because the poor person has had all the risk put on their back, but I think boards are just starting to wake up that there's this incredibly sophisticated malware that's sneaking into their systems, hiding and stealing its confidential and proprietary data. When you start talking about theft of intellectual property that took tens or hundreds of millions of dollars to develop, you start talking about theft of confidential customer and pricing lists. You're looking at loss of market share; you're looking at loss of competitive edge and those are the kinds of things that boards really don't want to have happen.
I think that there's going to be an increased movement. I'm hoping this report will also push the effort along, but I believe that just the circumstances, the nature of the threat by itself, is going to raise awareness to cause boards to do more. I'm hopeful.