Carnegie Mellon University Survey Insights: Why Boards of Directors Don't Get it
This is the key takeaway from a new Carnegie Mellon University CyLab survey, which shows that there is a "gaping hole as wide as the Grand Canyon" in board and senior executive oversight of these critical business issues.
The report draws on data from 703 individuals (primarily independent directors) serving on U.S-listed public company boards. Only 36 percent of the respondents indicate that their board has any direct involvement with oversight of information security. Of those respondents, 22 percent of them are from the financial services industry, where federal regulations mandate board responsibilities.
"The board members and CEO of these companies don't understand that information security governance is really the Grand Canyon and not a crevice," says survey author Jody Westby, Adjunct Distinguished Fellow at CyLab and CEO at Global Cyber Risk. "They don't understand that IT risks are corporate risks."
The report is a confirmation of what many have been hearing from the IT side, Westby says -- that there isn't enough attention to real governance and oversight of IT information security. "IT people have been saying for a while now that they're not getting the funding, they're not getting the attention, and the people on the boards don't understand that risk includes technology."
Results confirm the belief among IT security professionals that boards and senior executives are not adequately involved in key areas related to the governance of enterprise security. Only 36 percent respond that their board has direct involvement with oversight of information security.
One of the first points made in the report is that 70 percent of critical infrastructure industry board members don't understand how critical IT governance is to risk management. "I think this is a significant point to make. It is a glaring hole, especially since we've been talking about the need for IT governance and risk management for critical infrastructure industries since 1996," Westby says.
When looking at the percentage of time spent by board members, Westby observes, "When they do talk about it, 'rarely or never' do they get information on budgets or roles and responsibilities. When they're not reviewing those things, it shows that whatever they are doing is just not at the areas that will reduce risk. These executives aren't paying attention to this, and if they are, they are paying minimal attention or in ways that are meaningless. I don't think they understand."
While the report does break down the percentage of respondents by industry, there isn't a comparison between industries, says Westby. "I would have said before this survey that the financial services industry is a leader, but now I'm not so sure."
The financial services sector is clearly one of the front runners in terms of managing critical infrastructure, "However that doesn't mean that I think the boards and CEOs of those financial institutions are paying attention to information security. They have been smart to hire some talented information security professionals to run their information security programs."
Financial institutions are one of the leaders when it comes to realizing the importance of information security and critical infrastructure, "But they are not leaders when it comes to corporate governance," Westby says. "They hold that leadership position because of the quality of people they've put in information security positions, of CIOs and CISOs, and CPOs."
She warns institutions, "It doesn't mean because they have good people in place that they have good governance. Three people in their own job capacities can't create the whole kingdom. There still needs to be oversight from the top, and there still needs to be good governance."
The report also reveals that boards are "overly reliant" on Audit Committees to manage IT risk areas. It found that most boards do not separate risk management from audit responsibilities, and only 8.5 percent say their board have a Risk Committee and, of those, only 54% of them have oversight of privacy and security.
Among the report's recommendations: