Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

How Boards & Senior Executives 

Are Managing Cyber Risks 

Research Sponsors: 

! 

! 

Governance of Enterprise Security: 

CyLab 2012 Report 

Author: Jody R. Westby 

Adjunct Distinguished Fellow, CyLab 

CEO, Global Cyber Risk LLC 

May 16, 2012 

!

Carnegie Mellon CyLab 

! 

! 

© 2012 by Carnegie Mellon University & Jody R. Westby 

All rights reserved. No © 2012 part of by the Carnegie contents Mellon hereof University may be reproduced & Jody R. Westby in any form without the prior 

All rights reserved. No part of written the contents consent hereof of the may copyright be reproduced owners. in any form without the prior 

written consent of the copyright owners. 


Carnegie Mellon University CyLab 

Carnegie 5000 Forbes Mellon Avenue University 

Pittsburgh, 5000 Forbes PA Avenue 15213 

(412) 268-5090 Pittsburgh, • (412) PA 268-7675 15213 (Fax) 

Dean, College of (412) Engineering 268-5090 & Founder, • (412) CyLab: 268-7675 Pradeep (Fax) K. Khosla, Ph.D. 

Dean, College of Engineering Director, & Founder, CyLab: Virgil CyLab: Gligor Pradeep K. Khosla, Ph.D. 

Table of Contents 



Adjunct Distinguished Director, CyLab: Fellow: Virgil Jody Gligor R. Westby 

Adjunct Distinguished Fellow: Jody R. Westby 

Jody R. Westby, Esq. 

Jody R. Westby, CEO Esq. 

Global Cyber CEO Risk LLC 

5125 Global MacArthur Cyber Risk Blvd., LLC NW 

5125 MacArthur Third Floor Blvd., NW 

Washington, Third Floor DC 20016 

(202) 537-5070 Washington, • (202) DC 537-5073 20016 (Fax) 

(202) 537-5070 • (202) 537-5073 (Fax) 

""! 

""!



#$%&'!()!*(+,'+,- .................................................................................................................................................... """! 

/%%0'1"$,"(+- ............................................................................................................................................................"1! 

#$%&'!()!*(+,'+,- .................................................................................................................................................... """! 

/%(2,!*$0+'3"'!4'&&(+!*56$% .............................................................................................................................7! 

/%%0'1"$,"(+- ............................................................................................................................................................"1! 

/%(2,!8(95!:.!;'-,%5..............................................................................................................................................

Abbreviations 

Abbreviations 

ABA American Bar Association 

ABA 

ASIS American 

American 

Society 

Bar Association 

for Industrial Security 

CEO 

ASIS 

Chief 

American 

Executive 

Society 

Officer 

for Industrial Security 

CERT 

CEO 

Computer 

Chief Executive 

Emergency 

Officer 

Response Team 

CFO 

CERT Computer 

Chief Financial 

Emergency 

Officer 

Response Team 

CFO 

CIO Chief 

Chief 

Information 

Financial Officer 

Officer 

CISO 

CIO 

Chief 

Chief 

Information 

Information 

Security 

Officer 

Officer 

CMU 

CISO 

Carnegie 

Chief Information 

Mellon University 

Security Officer 

CMU 

CoE Council 

Carnegie 

of 

Mellon 

Europe 

University 

COO 

CoE 

Chief 

Council 

Operating 

of Europe 

Officer 

CPO 

COO Chief 

Chief 

Operating 

Privacy Officer 

Officer 

CRO 

CPO 

Chief 

Chief 

Risk 

Privacy 

Officer 

Officer 

CSO 

CRO 

Chief 

Chief 


Risk Officer 

Officer 

CSO 

CyLab Carnegie 

Chief Security 

Mellon 

Officer 

CyLab 

D&Os 


Directors 

Carnegie Mellon 

& Officers 


eGRC 

D&Os 

Enterprise 

Directors & 

Governance, 

Officers 

Risk, and Compliance 

EU 

eGRC 

European 

Enterprise 

Union 

Governance, Risk, and Compliance 

FDA 

EU 

Food 

European 

and Drug 

Union 

Administration 

FTC 

FDA 

Federal 

Food and 

Trade 

Drug 

Commission 

Administration 

GLBA 

FTC Federal 

Gramm-Leach-Bliley 

Trade Commission 

Act 

HITECH 

GLBA 

Act Health 

Gramm-Leach-Bliley 

Information Technology 

Act 

for Economic and Clinical Health Act 

HIPAA 

HITECH Act 

Health 

Health 

Insurance 

Information 

Portability 

Technology 

and 

for 

Accountability 

Economic and 

Act 

Clinical Health Act 

ISACA 

HIPAA 

Information 

Health Insurance 

Systems 

Portability 

Audit and 

and 

Control 

Accountability 

Association 

Act 

ISO 

ISACA 

International 

Information Systems 

Organization 

Audit 

for 

and 

Standardization 

Control Association 

ISSA 

ISO 

Information 

International 

Systems 

Organization 


for 

Association 

Standardization 

IT 

ISSA Information 

Information 

Systems 

Technology 

Security Association 

ITU 

IT 

International 


Telecommunication Union 

ITGI 

ITU International 


Telecommunication 

Governance 

Union 

Institute 

NIST 

ITGI 

National 

Information 

Institute 

Technology 

of Standards 

Governance 

& Technology 

Institute 

NSA 

NIST 

National 

National 


Institute 

Agency 

of Standards & Technology 

NSF 

NSA 

National 

National 

Science 


Foundation 

Agency 

PII 

NSF 

Personally 

National Science 

Identifiable 

Foundation 

Information 

PwC 

PII 

PricewaterhouseCoopers 

Personally Identifiable Information 

PwC 

R&D Research 

PricewaterhouseCoopers 

& Development 

SEC 

R&D 

Securities 

Research & 

and 

Development 

Exchange Commission 

SIEM 

SEC Securities 

Security Information 

and Exchange 

and 

Commission 

Event Management 

SIEM 

SOD Segregation 

Security Information 

of Duties 

and Event Management 

U.S. 

SOD 

United 

Segregation 

States 

of Duties 

U.S. United States 



! 

"1! 

"1!

About Carnegie Mellon CyLab 

About Carnegie Mellon CyLab 

Carnegie Mellon CyLab is one of the largest university-based cyber cybersecurity security research and education centers in 

Carnegie the U.S. CyLab Mellon is CyLab located is in one the of College the largest of Engineering university-based at Carnegie cyber security Mellon research University and and education has campuses centers in 

in 

the Silicon U.S. Valley Valley CyLab and is Pittsburgh. 

located in the College of Engineering at Carnegie Mellon University and has campuses in 

Silicon Valley and Pittsburgh. 

Carnegie Mellon Mellon CyLab is a bold and visionary effort, which establishes public-private public-private partnerships to 

Carnegie develop new Mellon technologies CyLab is for a bold measurable, and visionary secure, effort, available, which trustworthy, establishes public-private and sustainable partnerships computing to and 

develop communications new technologies systems. CyLab for measurable, is a world world secure, leader available, in both technological trustworthy, research research and sustainable and and the computing education of 

and 

communications professionals professionals in information systems. CyLab assurance, is a world security leader technology, in both technological business and research policy, as and well the as education security awareness 


professionals among cybercitizens in information of all ages. 

assurance, security technology, business and policy, as well as security awareness 

among cybercitizens of all ages. 

Building Building on more than than two decades decades of Carnegie Mellon leadership in Information Technology, CyLab is a 

Building university-wide on more initiative than two that decades involves of more Carnegie than Mellon 50 faculty leadership and 100 in graduate Information students Technology, from more CyLab than is six 

a 

different university-wide departments initiative and that schools. involves more than 50 faculty and 100 graduate students from more than six 

different departments and schools. 

CyLab is: 

CyLab • is: A National Science Foundation (NSF) CyberTrust Center 

• A Affiliated National with Science CERT, Foundation at the Software (NSF) Engineering CyberTrust Center Institute 

• Affiliated A key partner with in CERT, NSF-funded at the Software Center for Engineering Team Research Institute in Ubiquitous Secure Technology 

• A National key National partner Security in NSF-funded Agency (NSA) Center Center for Team of Academic Research Excellence in Ubiquitous in Information Secure Technology Assurance 

• A Education National and Security a Center Agency for Academic (NSA) Center Excellence of Academic in Research. 

Excellence in Information Assurance 

Education and a Center for Academic Excellence in Research. 

Carnegie Carnegie Mellon Mellon CyLab CyLab 


! 

! 

7! 

7!

About About Jody Jody R. R. Westby Westby 

About Jody R. Westby 

Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business 

experience, Ms. Westby provides consulting and legal services to public and private sector clients in the areas 

of privacy, security, cybercrime, breach management, and IT governance. Her services include governance 

assistance to boards and senior management, security risk assessments, global compliance reviews, security 

investigations, and high-value data protection evaluations. Her company, Global Cyber Risk LLC, is a 

preferred provider of privacy and security consulting services to Reed Smith. 

Ms. Westby serves as Adjunct Distinguished Fellow at Carnegie Mellon CyLab. She was lead author on 

Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, 1 Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business 






which was developed for boards and 


senior management, and its 2008 and 2010 Governance of Enterprise Security Survey reports. Ms. Westby’s work 

Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, 

for Carnegie Mellon on the governance responsibilities of boards and senior executives for the security of 

their organizations’ systems and data has been showcased by the CISO Executive Network and Bloomberg 

BNA’s Privacy & Security Law Report. 

Prior to founding Global Cyber Risk, Ms. Westby served as senior managing director for 

PricewaterhouseCoopers (PwC) where she was responsible for information security, privacy, information 

sharing, and critical infrastructure protection issues across the federal government. She also was co-lead in 

launching their outsourcing practice. Before joining PwC, Ms. Westby founded the Work-IT Group, and 

specialized in serving government and private sector clients on legal and regulatory issues associated with 

information technology and online business. Ms. Westby has advised government officials and industry in 

countries around the world on the development of their legal frameworks for e-commerce and security. 

Previously, Ms. Westby launched In-Q-Tel, an IT solutions/venture capital company founded by the CIA, 

was Senior Fellow & Director of IT Studies for the Progress & Freedom Foundation, and was Director of 

Domestic Policy for the U.S. Chamber of Commerce. She also practiced law with the New York firms of 

Shearman & Sterling and Paul, Weiss, Rifkind, Wharton & Garrison. 

Ms. Westby is a professional blogger for Forbes on cybersecurity and privacy issues. She is chair of the 

American Bar Association’s (ABA) Privacy and Computer Crime Committee and was chair, co-author and 

editor of its International Guide to Combating Cybercrime, International Guide to Cyber Security, International Guide to 

Privacy, and Roadmap to an Enterprise Security Program (endorsed by the Global CSO Council). She was editor 

and co-author of the 2010 UN publication, The Quest for Cyber Peace and is author of two books on legal issues 

associated with cyber security research. 

She is co-chair of the World Federation of Scientists’ Permanent Monitoring Panel on Information Security 

and was appointed to the United Nations’ ITU High Level Experts Group on Cyber Security. She also serves 

on the advisory board of The Intellectual Property Counselor and Bloomberg BNA’s Privacy and Security Law Report. 

Ms. Westby is a member of the bars of the District of Columbia, Colorado, and Pennsylvania, and of the 

ABA. She received her B.A., summa cum laude, from the University of Tulsa and her J.D., magna cum laude, 

from Georgetown University Law Center. She is a member of the Order of the Coif, the American Bar 

Foundation, and the Cosmos Club. 

1 Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business 







Carnegie Mellon’s Governing for Enterprise Security Implementation Guide, 

which was developed for boards and 





















associated with cyber security research. 


and was appointed to the United Nations’ ITU High Level Experts Group on Cyber Security. She also serves 






1 which was developed for boards and 





















associated with cybersecurity research. 


and was appointed to the United Nations’ ITU High Level Experts Group on Cybersecurity. She also serves 








! 

! 

About RSA 

About RSA 

Founded in 1982, RSA, The Security Division of EMC, is the premier provider of security, risk and 

compliance management solutions for business acceleration. RSA helps the world’s leading organizations 

Founded solve their in most 1982, complex RSA, The and Security sensitive Division security challenges. of EMC, is These the premier challenges provider include of managing security, risk organizational and 

compliance risk, safeguarding management mobile solutions access and for collaboration, business acceleration. proving compliance, RSA helps the and world’s securing leading virtual organizations and cloud 

solve environments. their most complex and sensitive security challenges. These challenges include managing organizational 

risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud 

environments. 

Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss 

Prevention, Continuous Network Monitoring, and Fraud Protection with industry-leading eGRC capabilities 

and Combining robust consulting business-critical services, controls RSA brings in identity visibility assurance, and trust encryption to millions & key of user management, identities, SIEM, the transactions Data Loss 

that Prevention, they perform, Continuous and the Network data that Monitoring, is generated. and Fraud Protection with industry-leading eGRC capabilities 

and 

RSA’s 

robust 

industry 

consulting 

leading-solutions 

services, RSA 

are 

brings 

designed 

visibility 

to work 

and 

together 

trust to 

to 

millions 

create a 


systematic 

user identities, 

approach 

the transactions 

to managing 

that 

security, 

they 

risk 

perform, 

and compliance 

and the data 

– eliminating 

that is generated. 

the hundreds of security and compliance silos that exist in most 

RSA’s organizations industry today. leading-solutions Our technology are designed solutions to for work physical, together virtual to create and cloud a systematic computing approach environments to managing 

security, include: risk and compliance – eliminating the hundreds of security and compliance silos that exist in most 

organizations 

• Authentication 

today. Our 

– A 

technology 

wide range 

solutions 

of strong 

for 

two-factor 

physical, 

authentication 

virtual and cloud 

solutions 

computing 

to help 

environments 

organizations 

include: 

assure user identities and meet compliance requirements. 

• Access 

Authentication 

Control – Access 

A wide 

control 

range of 

solutions 

strong two-factor 

manage access, 

authentication 

federate identities 

solutions 

and 

to help 

enforce 

organizations 

organizational 

policies 

assure user 

across 

identities 

multiple 

and 

web 

meet 

resources, 

compliance 

portals 

requirements. 

and applications. 

• Data 

Access 

Loss 

Control 

Prevention—Identify 

– Access control 

and 

solutions 

enforce 

manage 

policies 

access, 

to prevent 

federate 

the 

identities 

loss or misuse 

and enforce 

of sensitive 

organizational 

data – 

policies 

whether 

across 

at rest 

multiple 

in a data 

web 

center, 

resources, 

in motion 

portals 

over 

and 

the 

applications. 

network, or in use on a laptop or desktop. 

• 

Data 

Encryption, 

Loss Prevention—Identify 

Tokenization, and Key 

and 

Management— 

enforce policies 

Secures 

to prevent 

sensitive 

the 

data 

loss 

stored 

or misuse 

in file 


systems 

sensitive 

on 

data 

servers 

– 

and 

whether 

endpoints 

at rest 

and 

in a 

at 

data 

the 

center, 

point of 

in 

capture. 

motion over 

RSA 

the 

key 

network, 

management 

or in 

solutions 

use on a laptop 

simplify 

or 

the 

desktop. 

provisioning, 

• Encryption, distribution, Tokenization, and management and Key of Management— encryption keys. Secures sensitive data stored in file systems on servers 

• 

and 

Fraud 

endpoints 

Prevention—Reduces 

and at the point 

the risk 

of capture. 

of fraud and 

RSA 

identity 

key management 

theft by assuring 

solutions 

user 

simplify 

identities, 

the 

monitoring 

provisioning, 

distribution, 

for high-risk 

and 

activities, 

management 

and mitigating 

of encryption 

the damage 

keys. 

caused by external threats such as phishing, 

• pharming, Fraud Prevention—Reduces Trojans, and other the cyber risk of threats. fraud and identity theft by assuring user identities, monitoring 

• Enterprise 

for high-risk 

Governance, 

activities, 

Risk 

and 

and 

mitigating 

Compliance—Helps 

the damage 

to 

caused 

manage 

by 

the 

external 

lifecycle 

threats 

of corporate 

such as phishing, 

policies and 

objectives 

pharming, 

by 

Trojans, 

analyzing 

and 

and 

other 

responding 

cyber threats. 

to enterprise risk and demonstrating compliance with a real- 

• time Enterprise view Governance, into the state Risk of and compliance Compliance—Helps and risk level. to manage the lifecycle of corporate policies and 

• Network 

objectives 

security 

by analyzing 

monitoring—Provides 

and responding 

real-time 

to enterprise 

visibility 

risk 

into 

and 

network 

demonstrating 

traffic and 

compliance 

log event 

with 

activity 

a real- 

for 

a 

time 

precise 

view 

and 

into 

actionable 

the state of 

understanding 

compliance and 

of everything 

risk level. 

happening on the network. Enables 

• Network organizations security to monitoring—Provides identify, prioritize, and real-time remediate visibility complex into network IT risks, traffic gain efficiencies and log event in their activity incident for 

management a precise and process actionable and understanding improve their of overall everything operational happening effectiveness. on the network. Enables 

• Security 

organizations 

Information 

to identify, 

and Event 

prioritize, 

Management—Transforms 

and remediate complex 

raw log 

IT 

and 

risks, 

event 

gain 

data 

efficiencies 

into critical 

in their 

information 

incident 

management 

to help organizations 

process and 

simplify 

improve 

compliance, 

their overall 

identify 

operational 

and respond 

effectiveness. 

to high-risk events, and optimize IT 

• Security and network Information operations. and Event Management—Transforms raw log and event data into critical information 

For more 

to 

information, 

help organizations 

please visit 

simplify 

www.RSA.com 

compliance, 

and 

identify 

www.EMC.com. 

and respond to high-risk events, and optimize IT 

and network operations. 

For Carnegie more information, Mellon CyLab please visit www.RSA.com and www.EMC.com. 

! 


! 

>! 

>!

About Forbes 

About Forbes 

Forbes Media encompasses Forbes and Forbes.com 

(www.forbes.com), the leading business site on the Web that reaches on average 

Forbes 30 million Media people encompasses monthly. The Forbes company and Forbes.com 

publishes Forbes, Forbes Asia and Forbes Europe, which together 

(www.forbes.com), reach a worldwide audience of more than six million the leading readers. business It also site publishes on the ForbesLife Web that reaches magazine, on average in 

addition 30 million to people licensee monthly. editions The in Africa, company Argentina, publishes Bulgaria, Forbes, China, Forbes Croatia, Asia and Czech Forbes Republic, Europe, Estonia, which together Georgia, 

India, reach a Indonesia, worldwide Israel, audience Kazakhstan, of more than Korea, six Latvia, million Middle readers. East, It also Poland, publishes Romania, ForbesLife Russia, magazine, Slovakia, in Turkey, 

addition and Ukraine. to licensee editions in Africa, Argentina, Bulgaria, China, Croatia, Czech Republic, Estonia, Georgia, 

India, Indonesia, Israel, Kazakhstan, Korea, Latvia, Middle East, Poland, Romania, Russia, Slovakia, Turkey, 

and Other Ukraine. Forbes Media Web sites are: 

ForbesWoman.com http://ForbesWoman.com 

Other Forbes Media Web sites are: 

RealClearPolitics.com http://RealClearPolitics.com 

ForbesWoman.com http://ForbesWoman.com 

RealClearMarkets.com http://RealClearMarkets.com 

RealClearPolitics.com http://RealClearPolitics.com 

RealClearSports.com http://RealClearSports.com 

RealClearMarkets.com http://RealClearMarkets.com 

RealClearWorld.com http://RealClearWorld.com. 

RealClearSports.com http://RealClearSports.com 

Together with Forbes.com, http://Forbes.com, these sites reach on average 36 million business decision 

makers 

RealClearWorld.com 

each month. 

http://RealClearWorld.com. 

Steve 

Together 

Forbes 

with 

serves 

Forbes.com, 

as Chairman 

http://Forbes.com, 

and Editor in Chief. 

these sites 

Mike 

reach 

Perlis 

on 

is 

average 

President 

36 

and 

million 

Chief 

business 

Executive 

decision 

Officer. 

makers 

Lewis D’Vorkin 

each month. 

is Chief Product Officer. Meredith Kopit Levien is Chief Revenue Officer. 

Steve Forbes serves as Chairman and Editor in Chief. Mike Perlis is President and Chief Executive Officer. 

Lewis D’Vorkin is Chief Product Officer. Meredith Kopit Levien is Chief Revenue Officer. 


! 


! 

@! 

@!

Executive Executive Summary Summary 

Executive Summary 

It has long been recognized recognized that that directors directors and 

officers officers have have a a fiduciary fiduciary duty duty to to protect protect the the assets assets 

It of has their long organizations. been recognized Today, that this directors duty duty extends extends and to 

digital officers digital assets, assets, have a and and fiduciary has has been been duty expanded expanded to protect by by the laws laws assets and and 

regulations of regulations their organizations. that that impose impose Today, specific specific this privacy privacy duty and and extends cyber to 

digital security cybersecurity assets, obligations and obligations has on been companies. on expanded companies. by laws and 

regulations that impose specific privacy and cyber 

This security This is is the the obligations third third biennial biennial on companies. survey survey that that Carnegie Carnegie 

Mellon CyLab has conducted on how boards boards of 

directors This directors is the and third senior biennial management management survey that are are Carnegie governing governing the 

security security Mellon CyLab of of their their has organizations’ organizations’ conducted on information, information, how boards of 

applications, applications, directors and and senior networks networks management (digital (digital are assets). governing First First the 

conducted conducted security of their in in 2008 2008 organizations’ and and carried forward information, in in 2010 and 

applications, 2012, 2012, the the surveys surveys and networks are are intended intended (digital to to measure measure assets). the the First extent extent to to which which cyber cyber governance governance is is improving. improving. The The 2012 2012 

conducted survey is the in first 2008 global and carried governance forward survey, in 2010 comparing and responses from industry sectors and geographical geographical 

regions. 2012, regions. the surveys are intended to measure the extent to which cyber governance is improving. The 2012 

survey is the first global governance survey, comparing responses from industry sectors and geographical 

regions. 

The The CyLab CyLab 2012 2012 survey survey is is based based upon upon results results received received from 108 108 

57% 57% of respondents are are not not 

respondents respondents at the the board board or senior senior executive executive level from from Forbes Forbes 

analyzing the adequacy of of Global The Global CyLab 2000 2000 2012 companies. companies. survey is Half Half based of of upon the the respondents respondents results received are board board from 108 

57% of respondents are not 

cyber insurance coverage or members, respondents members, and and at the the other other board half half or senior are non-director non-director executive level senior senior from executives. executives. Forbes 

analyzing the adequacy of Twenty-four Twenty-four Global 2000 companies. percent percent (24%) (24%) Half of of of the the the respondents respondents are are are board board board chairs chairs and and 

undertaking or undertaking key key activities 

cyber insurance coverage 44% 44% members, are are on on and board board the other Audit, Audit, half Governance, Governance, are non-director or Risk Risk senior Committees. Committees. executives. SeventySeventy- related activities to cyber related risk to cyber fivefive Twenty-four percent percent (75%) (75%) percent of of (24%) the the respondents respondents of the respondents are are from are critical critical board infrastructure 

infrastructure chairs and 

or undertaking key 

management risk management to help to them help companies. companies. 44% are on board Audit, Governance, or Risk Committees. Seventy- 

activities related to cyber 

manage them manage reputational reputational and 

five percent (75%) of the respondents are from critical infrastructure 

risk management to help For companies. For the the third third time, time, the the survey survey revealed revealed that that boards boards are not not actively actively 

financial and financial risks associated risks with 

addressing addressing cyber cyber risk risk management. management. While While placing placing high high importance importance 

them manage reputational 

the associated theft of confidential with the theft and of on For on risk risk the management management third time, the generally, generally, survey revealed there there is still still that a a boards gap gap in in are understanding understanding not actively the the 

and financial risks 

proprietary confidential data and and proprietary security linkage addressing linkage between between cyber information information risk management. technology technology While (IT) (IT) placing risks risks high and and enterprise enterprise importance risk risk 

associated with the theft of management. on management. risk management Although Although generally, there there have have there been been is still some some a gap measureable measureable in understanding the 

breaches. 

data and security breaches. 

confidential and proprietary improvements linkage improvements between since since information the the 2008 2008 technology and and 2010 2010 surveys, surveys, (IT) risks boards boards and enterprise still still are are not not risk 

undertaking key oversight activities related management. to cyber cyber risks, Although such as there reviewing have budgets, budgets, been some security security measureable program program 

data and security breaches. 

assessments, and and top-level top-level policies; assigning improvements roles roles and and responsibilities since the 2008 and for privacy 2010 surveys, and security; security; boards and still receiving 

are not 

regular undertaking regular reports reports key on on oversight breaches breaches activities and and IT IT risks. risks. related Involvement Involvement to cyber risks, in in such these these as areas areas reviewing would would budgets, help help them them security manage manage program reputational reputational 

and assessments, and financial financial and risks risks top-level associated associated policies; with with the the assigning theft theft of roles confidential confidential and responsibilities and proprietary proprietary for privacy data and and security security; breaches and receiving of 

personal regular personal reports information. information. on breaches and IT risks. Involvement in these areas would help them manage reputational 

and financial risks associated with the theft of confidential and proprietary data and security breaches of 

Improvements personal Improvements information. are are largely largely organizational. There has been a a noticeable noticeable increase increase in the the number of of boards boards with with 

Risk Committees responsible for for privacy privacy and and security security risks risks (48% in in 2012 2012 compared compared with with 8% 8% in in 2008) 2008) and and in 

the Improvements the number number of of companies companies are largely organizational. that that have have established established There cross-organizational cross-organizational has been a noticeable teams teams increase to to manage manage in the number privacy privacy and and of boards security security with 

risks Risk risks Committees (72% in 2012 responsible compared compared for with with privacy 17% 17% in and 2008). 2008). security Boards risks and (48% senior in 2012 management management compared are are with lagging, lagging, 8% in however, however, 2008) and in in 

the number of companies that have established cross-organizational teams to manage privacy and security 


risks (72% in 2012 compared with 17% in 2008). Boards and senior management are lagging, however, in E! 

! ! 


! 

E!

establishing key positions for privacy and security and appropriately assigning responsibilities. Less than two- 

establishing key positions for privacy and security and appropriately assigning responsibilities. Less than twothirds 

of the Forbes Global 2000 companies responding to the survey have full-time personnel in key roles for privacy and security 

thirds of the Forbes Global 2000 companies responding to the survey have full-time personnel in key roles for privacy and security 

(CISO/CSO, CPO, CRO) in a manner that is consistent with internationally accepted best practices and standards. An 

(CISO/CSO, CPO, CRO) in a manner that is consistent with internationally accepted best practices and standards. An 

amazing 82% of the respondents indicated that they did not have a CPO. In addition, the majority of CISOs 

amazing 82% of the respondents indicated that they did not have a CPO. In addition, the majority of CISOs 

(58%) and 47% of CSOs are assigned responsibility for both privacy and security and tend to report to the 

(58%) and 47% of CSOs are assigned responsibility for both privacy and security and tend to report to the 

CIO, creating segregation of duties (SOD) issues that are against best practices. 

CIO, creating segregation of duties (SOD) issues that are against best practices. 

Despite these organizational improvements, respondents indicated that Audit Committees and full boards are 

Despite these organizational improvements, respondents indicated that Audit Committees and full boards are 

still mostly responsible for oversight of risk. The report highlights the SOD issues that arise when Audit 

still mostly responsible for oversight of risk. The report highlights the SOD issues that arise when Audit 

Committees both oversee the development of security programs and also audit the controls and effectiveness 

Committees both oversee the development of security programs and also audit the controls and effectiveness 

of such programs. 

of such programs. 

Although most boards (89%) review risk assessments, less than half of them hire outside expertise to assist 

Although most boards (89%) review risk assessments, less than half of them hire outside expertise to assist 

with risk management. Only 16% of board Risk Committees and 16% of IT Committees hire outside 

with risk management. Only 16% of board Risk Committees and 16% of IT Committees hire outside 

experts. Despite 91% of the respondents indicating that risk management was being actively addressed by the 

experts. Despite 91% of the respondents indicating that risk management was being actively addressed by the 

board, the issues that received the least attention were IT operations (29%), computer and information 

board, the issues that received the least attention were IT operations (29%), computer and information 

security (33%), and vendor management (13%). The continuing low scores in these areas indicate that boards 

security (33%), and vendor management (13%). The continuing low scores in these areas indicate that boards 

do not understand that, today, all business operations are supported by computer systems and digital data, 

do not understand that, today, all business operations are supported by computer systems and digital data, 

and that risks in these areas can undermine operations. The low response for vendor management is 

and that risks in these areas can undermine operations. The low response for vendor management is 

concerning because it indicates that the privacy and security of data at cloud and software providers and 

concerning because it indicates that the privacy and security of data at cloud and software providers and 

outsource vendors are receiving little oversight. 

outsource vendors are receiving little oversight. 

Another positive sign from the survey was the importance that boards are placing “Another positive 

Another positive sign from the survey was the importance that boards are placing “Another positive 

upon IT and security/risk expertise in board recruitment. Results indicated that IT sign from the survey 

upon IT and security/risk expertise in board recruitment. Results indicated that IT sign from the survey 

expertise was very important or important for 37% of the respondents and somewhat 

expertise was very important or important for 37% of the respondents and somewhat was the importance 

important for 42%. Risk and security expertise was even more encouraging, with 64% was the importance 

important for 42%. Risk and security expertise was even more encouraging, with 64% that boards are 

of the respondents indicating that it was very important or important and 27% that boards are 

of the respondents indicating that it was very important or important and 27% 

indicating it was somewhat important. 

placing upon IT and 

indicating it was somewhat important. 

placing upon IT and 

security/risk 

security/risk 

INDUSTRY SECTOR COMPARISONS 

INDUSTRY SECTOR COMPARISONS 

expertise in board 

expertise in board 

recruitment.” 

Industry sector and regional comparisons from the survey provide interesting insights into recruitment.” 

how privacy and 

Industry sector and regional comparisons from the survey provide interesting insights into how privacy and 

security risks are managed among critical infrastructure industry sectors and across geographical regions. The 

security risks are managed among critical infrastructure industry sectors and across geographical regions. The 

survey confirmed the belief among security experts that, overall, the financial sector has better privacy and security practices than 

survey confirmed the belief among security experts that, overall, the financial sector has better privacy and security practices than 

other industry sectors. Respondents indicated that the financial sector paid more attention to IT and security 

other industry sectors. Respondents indicated that the financial sector paid more attention to IT and security 

issues and was more engaged in best practice activities, such as budget reviews, roles and responsibilities, and 

issues and was more engaged in best practice activities, such as budget reviews, roles and responsibilities, and 

top-level policies, than the energy/utilities, IT/telecom, and industrials industry sectors. The financial sector 

top-level policies, than the energy/utilities, IT/telecom, and industrials industry sectors. The financial sector 

also has a higher rate of (1) board IT/Technology Committees, and (2) Risk Committees separate from the 

also has a higher rate of (1) board IT/Technology Committees, and (2) Risk Committees separate from the 

Audit Committee that have responsibility for privacy and security. 

Audit Committee that have responsibility for privacy and security. 

The IT/telecom sector tends not to establish board IT/Technology Committees and assigns privacy and 

The IT/telecom sector tends not to establish board IT/Technology Committees and assigns privacy and 

security oversight responsibilities to their Audit Committees. The energy/utilities and industrials sector 

security oversight responsibilities to their Audit Committees. The energy/utilities and industrials sector 

respondents each indicated that their boards never (0%) address vendor management issues, whereas the 

respondents each indicated that their boards never (0%) address vendor management issues, whereas the 

financial and IT/telecom respondents said they do (28% and 15%, respectively). Energy/utilities 

financial and IT/telecom respondents said they do (28% and 15%, respectively). Energy/utilities 

respondents also ranked the lowest in establishing board Risk Committees separate from the Audit 

respondents also ranked the lowest in establishing board Risk Committees separate from the Audit 



! 

R! 

R!

Committee, but indicated that when they do form a Risk Committee, they assign it responsibility for privacy 

Committee, but indicated that when they do form a Risk Committee, they assign it responsibility for privacy 

and security. Only half of the energy/utilities and infrastructure sectors indicated that they have cross- 

and security. Only half of the energy/utilities and infrastructure sectors indicated that they have crossorganizational 

committees. 

organizational committees. 

Respondents indicated that all industry sectors surveyed are not properly assigning privacy responsibilities to 

Respondents indicated that all industry sectors surveyed are not properly assigning privacy responsibilities to 

CPOs. None of the IT/telecom respondents (0%) indicated that they had a CPO, even though they have 

CPOs. None of the IT/telecom respondents (0%) indicated that they had a CPO, even though they have 

some of the most stringent privacy and security compliance requirements, and only seven percent (7%) of the 

some of the most stringent privacy and security compliance requirements, and only seven percent (7%) of the 

energy/utilities respondents said they had a CPO. Just 13% of industrials sector respondents said they had a 

energy/utilities respondents said they had a CPO. Just 13% of industrials sector respondents said they had a 

CPO, and 17% of the financial sector respondents said they did. 

CPO, and 17% of the financial sector respondents said they did. 

Interestingly, none of the energy/utilities sector respondents (0%) indicated that they have a CRO even 

Interestingly, none of the energy/utilities sector respondents (0%) indicated that they have a CRO even 

though their risks are high. The energy/utilities sector also places a much lower value on board member IT 

though their risks are high. The energy/utilities sector also places a much lower value on board member IT 

experience than the other sectors, which is puzzling since their operations are so dependent upon complex 

experience than the other sectors, which is puzzling since their operations are so dependent upon complex 

supervisory control and data acquisition (SCADA) systems. 

supervisory control and data acquisition (SCADA) systems. 

The energy/utilities and IT/telecom sector boards also are not reviewing cyber insurance coverage (79% and 

The energy/utilities and IT/telecom sector boards also are not reviewing cyber insurance coverage (79% and 

77%, respectively) compared to the financial sector (52% not reviewing) and industrials sector (44% not 

77%, respectively) compared to the financial sector (52% not reviewing) and industrials sector (44% not 

reviewing) boards. The industrials sector respondents indicated that they exclusively (100%) rely upon 

reviewing) boards. The industrials sector respondents indicated that they exclusively (100%) rely upon 

insurance brokers to provide outside risk expertise, while the energy/utilities and IT/telecom sectors never 

insurance brokers to provide outside risk expertise, while the energy/utilities and IT/telecom sectors never 

do (0% for each). The financial sector respondents indicated that they seldom use insurance brokers for this 

do (0% for each). The financial sector respondents indicated that they seldom use insurance brokers for this 

purpose. 

purpose. 

REGIONAL COMPARISONS 

REGIONAL COMPARISONS 

Although Europe leads globally in privacy regulation and enforcement, few European organizations have a 

Although Europe leads globally in privacy regulation and enforcement, few European organizations have a 

CPO (3%), with Asia only slightly ahead at five percent (5%) and North America at 23%. European 

CPO (3%), with Asia only slightly ahead at five percent (5%) and North America at 23%. European 

companies, however, are more likely to have CISOs and CSOs (72%) than North American or Asian 

companies, however, are more likely to have CISOs and CSOs (72%) than North American or Asian 

organizations (58% and 52%, respectively). 

organizations (58% and 52%, respectively). 

North American boards lag behind European and Asian boards in undertaking key activities associated with 

North American boards lag behind European and Asian boards in undertaking key activities associated with 

privacy and security governance. European boards, however, pay less attention to IT operations and 

privacy and security governance. European boards, however, pay less attention to IT operations and 

computer and information security (19%) than North American and Asian boards (40% and 38%, 

computer and information security (19%) than North American and Asian boards (40% and 38%, 

respectively). 


Boards across geographical regions were even in their neglect to review cyber insurance coverage (56-58%). 

Boards across geographical regions were even in their neglect to review cyber insurance coverage (56-58%). 

Asian boards (76%) are much more likely to have a board Risk Committee responsible for privacy and 

Asian boards (76%) are much more likely to have a board Risk Committee responsible for privacy and 

security than North American and European boards (35% and 41%, respectively). Asian organizations (82%) 

security than North American and European boards (35% and 41%, respectively). Asian organizations (82%) 

are much more likely to have privacy responsibilities assigned to security personnel than North American and 

are much more likely to have privacy responsibilities assigned to security personnel than North American and 

European organizations (44% and 48%, respectively). Asian organizations are less likely to have the 

European organizations (44% and 48%, respectively). Asian organizations are less likely to have the 

CISO/CSO report to the CIO, however. 

CISO/CSO report to the CIO, however. 



! 

S! 

S!

RECOMMENDATIONS 




The survey survey revealed that governance of enterprise security is still lacking in most corporations, with gaps in 

critical areas. If boards boards and and senior senior management management take take the the following following 12 actions, actions, they could significantly significantly 

The survey revealed that governance of enterprise security is still lacking in most corporations, with gaps in 

improve improve their organizations’ security posture and reduce risk: 

critical areas. If boards and senior management take the following 12 actions, they could significantly 

improve 1. 1. Establish Establish their organizations’ a board Risk security Committee posture separate and reduce from risk: the Audit Committee and assign it responsibility for 

enterprise enterprise risks, risks, including including IT IT risks. risks. Recruit Recruit directors directors with with security security and and IT IT governance governance and and cyber cyber risk risk 

1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for 

expertise. 

enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk 

2. 2. Ensure expertise. Ensure that privacy and security roles within the organization are separated and that that responsibilities 

responsibilities 

are are appropriately assigned. assigned. The The CIO, CIO, CISO/CSO, CISO/CSO, and and CPO should should report report independently independently to senior senior 

2. Ensure that privacy and security roles within the organization are separated and that responsibilities 

management. 

are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior 

3. 3. Evaluate management. 

Evaluate the existing organizational organizational structure and establish a cross-organizational team that is 

required required to meet meet at at least least monthly monthly to coordinate coordinate and communicate communicate on privacy privacy and security issues. issues. 

3. Evaluate the existing organizational structure and establish a cross-organizational team that is 

This team should include senior management from human resources, public relations, legal, and 

required to meet at least monthly to coordinate and communicate on privacy and security issues. 

procurement, procurement, as well as the CFO, CFO, the CIO, CISO/CSO, CISO/CSO, CRO, the CPO, and business business line 

This team should include senior management from human resources, public relations, legal, and 

executives. executives. 

procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line 

4. 4. 4. executives. Review existing top-level policies to to create a culture of security and respect for privacy. 

Organizations can enhance their reputation by valuing cybersecurity cyber security and the protection of privacy 

4. Review existing top-level policies to create a culture of security and respect for privacy. 

and viewing it as a a corporate corporate social social responsibility. 

responsibility. 

Organizations can enhance their reputation by valuing cyber security and the protection of privacy 

5. 5. 5. Review and Review viewing assessments it as a corporate of the organization’s social responsibility. security program and ensure that the it comports program with comports best 

practices with best and practices standards and standards and includes and incident includes response, incident response, breach notification, breach notification, disaster recovery, disaster and 

5. Review assessments of the organization’s security program and ensure that it comports with best 

crisis recovery, communications and crisis communications plans. plans. 

practices and standards and includes incident response, breach notification, disaster recovery, and 

6. 6. 6. Ensure crisis Ensure communications that privacy and plans. security requirements for vendors (including cloud and software-as-a-service 

providers) are based upon key aspects of the organization’s security program, including annual audits 

6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service 

and and control requirements. requirements. Carefully Carefully review review notification notification procedures procedures in the event event of a breach breach or 

providers) are based upon key aspects of the organization’s security program, including annual audits 

security incident. 

and control requirements. Carefully review notification procedures in the event of a breach or 

7. 7. 7. Conduct security Conduct incident. an annual audit of the organization’s enterprise security program, to be reviewed by the 

Audit Audit Committee. Committee. 

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the 

8. 8. 8. Conduct Audit Conduct Committee. an annual review of the enterprise security program and effectiveness of controls, to be 

reviewed by the the board Risk Committee, and ensure that identified identified gaps or weaknesses are addressed. addressed. 

8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be 

9. 9. 9. Require reviewed Require regular by the reports reports board Risk from Committee, senior senior management management and ensure on that privacy privacy identified and security gaps or risks. risks. weaknesses are addressed. 


! 

10. 9. 10. 10. Require annual regular board reports review from of senior budgets management for privacy on and privacy security and risk security management. 

risks. 

10. 11. 11. 11. Require Conduct annual annual board privacy review compliance of budgets audits for and and privacy test review incident and incident security response, risk management. breach breach notification, disaster 

recovery, recovery, and crisis crisis communication communication plans. plans. 

11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster 

12. 12. 12. Assess recovery, Assess cyber and risks crisis and communication potential loss plans. valuations and review adequacy of cyber insurance coverage. 


! 

12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage. 

T! 

T!

Carnegie Mellon University’s Dean of Engineering and Founder of CyLab, Pradeep Khosla, sent personal 

About the Survey 

letters to board members and senior executives from the Forbes Global 2000 list of companies, asking them 

to complete a brief survey designed to help Carnegie Mellon understand how boards and business leaders are 

Carnegie managing Mellon risk, particularly University’s technology-related Dean of Engineering risks. and Only Founder one response of CyLab, per Pradeep company Khosla, was used sent in personal calculating 

letters response to board rates. members and senior executives from the Forbes Global 2000 list of companies, asking them 

to complete a brief survey designed to help Carnegie Mellon understand how boards and business leaders are 

managing The CyLab risk, 2012 particularly report on technology-related Governance of Enterprise risks. Security Only is one based response upon 108 per responses, company was representing used in calculating a 

response rates. rate of 5.4% out of a total of 1,989 surveys (based on one per company). One half of the 

respondents were board members: forty-eight percent (48%) were inside directors and two percent (2%) 

The were CyLab outside 2012 directors. report Twenty-four on Governance percent of Enterprise (24%) Security of these is based directors upon were 108 board responses, chairs. representing The remaining a half 

response of the respondents rate of 5.4% were out senior of a total executives, of 1,989 but surveys not a board (based member. on one per company). One half of the 

respondents were board members: forty-eight percent (48%) were inside directors and two percent (2%) 

were Since outside respondents directors. may serve Twenty-four on several percent boards, (24%) the survey of these asked directors them were to select board only chairs. one organization The remaining as half the 

of focus the of respondents their responses were and senior to base executives, all of their but not answers a board on member. that one organization. 

The Since findings respondents were analyzed may serve according on several to boards, actual responses, the survey i.e., asked percentages them to select reflect only the one number organization of participants as the 

who focus responded of their responses to the particular and to base question, all of their rather answers than the on total that number one organization. of participants. 

The Please findings note that were this analyzed survey is according exploratory to actual in nature responses, and is based i.e., percentages on voluntary reflect (rather the than number randomly of participants selected) 

who respondents, responded and to that the these particular findings question, do not rather purport than to the represent total number the entire of participants. population of directors. 

Please CyLab note and Jody that this Westby survey wish is exploratory to gratefully in acknowledge nature and is the based contribution on voluntary of Steve (rather Fienberg, than randomly Chair of selected) the 

respondents, Statistics Department and that and these Maurice findings Falk do not University purport Professor to represent of Statistics the entire and population Social Science, of directors. Carnegie Mellon 

University, and Benjamin McGrath, a CMU student, who assisted in the development of the survey, the 

CyLab calculation and of Jody the Westby survey wish results, to and gratefully finalization acknowledge of this report. 

the contribution of Steve Fienberg, Chair of the 

Statistics Department and Maurice Falk University Professor of Statistics and Social Science, Carnegie Mellon 

University, and Benjamin McGrath, a CMU student, who assisted in the development of the survey, the 

calculation of the survey results, and finalization of this report. 


! 


! 

About the Survey 

G! 

G!

I. I. Introduction 

Introduction 

I. Introduction 

PURPOSE OF OF THE THE GOVERNANCE SURVEY 

PURPOSE OF THE GOVERNANCE SURVEY 

CyLab’s CyLab’s first first biennial biennial Governance Governance of of Enterprise Enterprise Security Security Survey Survey (Governance (Governance Survey) Survey) was was conducted conducted in in 2008, 2008, and and 

CyLab’s the the second first in biennial 2010. The Governance surveys of have have Enterprise been been consistent Security Survey and (Governance designed designed to to determine: determine: Survey) was conducted in 2008, and 

the second in 2010. The surveys have been consistent and designed to determine: 

! ! Whether Whether the claims claims of of IT professionals professionals that that their their boards boards and and senior management management were were not not paying paying 

! attention Whether attention the to to the the claims security security of IT of of professionals their their organizations’ organizations’ that their data data boards and and information information and senior management technology technology (IT) (IT) were systems systems not paying were were 

attention valid valid to the security of their organizations’ data and information technology (IT) systems were 

valid 

! ! The The degree degree to to which which boards of directors and officers officers (D&Os) (D&Os) were actually managing privacy privacy and 

! The cybersecurity cybersecurity degree to risks risks which boards of directors and officers (D&Os) were actually managing privacy and 

cybersecurity risks 

! ! The board and organizational organizational structure for such governance governance 

! The board and organizational structure for such governance 

! The degree to which companies were following best practices for privacy and security. security. 

! The degree to which companies were following best practices for privacy and security. 

The results of the 2008 2008 and Governance 2010 Governance Survey confirmed Surveys confirmed that: that: 

The results of the 2008 Governance Survey confirmed that: 

! Boards and executives were not exercising adequate oversight oversight of of the the privacy privacy and and security of of their their 

! systems Boards systems and and executives data data were not exercising adequate oversight of the privacy and security of their 

systems and data 

! Most Most companies companies did did not have have privacy and security executives 

! Most companies did not have privacy and security executives 

! Most Most organizations organizations were were not not engaging engaging in in key key privacy privacy and and security security activities activities that that would would help help protect protect 

! the Most the organization organization organizations from from were risk. risk. not engaging in key privacy and security activities that would help protect 

the organization from risk. 

The CyLab 2010 and 2012 Governance Surveys asked asked similar similar questions questions to determine determine whether whether governance governance 

over The over CyLab digital digital assets assets 2010 and has has 2012 improved. improved. Governance The The 2012 2012 Surveys report report asked measures measures similar the the questions progress progress to made made determine and and identifies identifies whether areas governance where where 

boards boards over digital and and senior senior assets has executives executives improved. need The to improve 2012 report their measures oversight, oversight, the and progress compares, made where and identifies possible, the areas results where from 

2008 boards 2008 and and 2010. 2010. senior executives need to improve their oversight, and compares, where possible, the results from 

2008 and 2010. 

BACKGROUND: DUTY OF BOARDS & DIRECTORS 

The governance responsibilities of D&Os have been in the spotlight since 2002 with the fall of Enron and 

Arthur Andersen and the enactment of Sarbanes-Oxley. The economic collapse in 2008-09 drew even more 

attention to board and executive responsibility for the management of risk. In addition, (1) natural disasters 

that have disrupted operations, (2) headlines that have resulted from data breaches, and (3) the loss of 

confidential and proprietary information from sophisticated cyber attacks have caused D&Os to wonder if 

their operations and data are secure and if corporate response plans are adequate. 

The dependency of all organizations upon information systems and global networks has extended governance 

responsibilities to the use of IT. What is IT governance? The IT Governance Institute (ITGI) states that: 

IT governance is the responsibility of the board of directors and executive management. It is an 

integral part of enterprise governance and consists of the leadership and organizational structures 

and processes that ensure that the organization’s IT sustains and extends the organization’s 

strategies and objectives. 2 





























! 

! 

7I! 

7I!

Enterprise governance and IT governance increasingly encompass the security of IT systems and 

information. The American Society for Industrial Security (ASIS), the Information Systems Security 

Association (ISSA), and the Information Systems Audit and Control Association (ISACA) note in their 

report, Convergence of Enterprise Security Organizations, that: 

As new technologies emerge and threats become increasingly complex and unpredictable, 

senior security executives recognize the need to merge security functions throughout the 

entire enterprise. 3 

It has long been recognized that D&Os have a fiduciary duty to protect 

the assets of their organizations. 4 Today, this duty extends to “digital 

assets” – information, applications, and networks. This duty has been 

expanded by the enactment of state and federal laws and regulations 

that impose specific privacy and security requirements on targeted 

industry sectors and types of data. For example, the Gramm-Leach- 

Bliley Act (GLBA), the Health Insurance Portability and Accountability 

Act (HIPAA), the Health Information Technology for Economic and 

Clinical Health Act (HITECH Act), and state breach laws impose 

specific requirements pertaining to the security and privacy of data and 

networks. 

Sarbanes-Oxley requires both management and external auditors to 

attest to the effectiveness of internal controls that provide meaningful 

assurance about the security of information assets. 5 In late 2011, the 

Securities and Exchange Commission (SEC) issued guidelines that require public companies to disclose the 

risk of cyber incidents if they materially affect a registrant’s products, services, relationships with customers or 

suppliers, or competitive conditions, or if they make an investment in the company speculative or risky. 6 

The pressure on critical infrastructure industry sectors to secure their systems according to best practices and 

standards persists, with the U.S. energy sector already subject to regulations. 7 Today, the tone in Washington 

has moved from persuasive to compulsory, with numerous bills pending in Congress that mandate security 

measures for corporate systems if enacted. 8 

In addition, the reputational and financial consequences of a breach can be significant. When a company is 

the victim of an attack on its information systems – whether from an insider or an outside bad actor – studies 

have shown that this can result in a lack of confidence in the company and even a drop in the company stock 

price. 9 Breaches of personally identifiable information (PII) are expensive and frequently result in civil and 

class action lawsuits and investigation by state attorneys general or the Federal Trade Commission. The 2011 

U.S. Cost of a Data Breach Study, conducted by Symantec and the Ponemon Institute, calculated that data 

breaches cost companies an average of USD5.5 million per incident. 10 Another recent Ponemon survey 

found that brand and reputation can decline 17-31% after a breach, and that it may take an organization more 

than a year to recover its corporate image. 11 

Enterprise governance and IT governance increasingly encompass the security of IT systems and 

information. The American Society for Industrial Security (ASIS), the Information Systems Security 

Association (ISSA), and the Information Systems Audit and Control Association (ISACA) note in their 

report, Convergence of Enterprise Security Organizations, that: 

As new technologies emerge and threats become increasingly complex and unpredictable, 

senior security executives recognize the need to merge security functions throughout the 

entire enterprise. 

“Corporate data is at a 

higher risk of theft or 

misuse than ever before, 

and the systemic nature 

of recent attacks has 

alarmed both industry 

leaders and government 

officials around the 

world.” 

Corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks 

has alarmed both industry leaders and government officials around the world. Managing these cyber risks now 

3 

It has long been recognized that D&Os have a fiduciary duty to protect 

the assets of their organizations. 4 Today, this duty extends to “digital 

assets” – information, applications, and networks. This duty has been 

expanded by the enactment of state and federal laws and regulations 

that impose specific privacy and security requirements on targeted 

industry sectors and types of data. For example, the Gramm-Leach- 

Bliley Act (GLBA), the Health Insurance Portability and Accountability 

Act (HIPAA), the Health Information Technology for Economic and 

Clinical Health Act (HITECH Act), and state breach laws impose 

specific requirements pertaining to the security and privacy of data and 

networks. 

Sarbanes-Oxley requires both management and external auditors to 

attest to the effectiveness of internal controls that provide meaningful 

assurance about the security of information assets. 5 In late 2011, the 

Securities and Exchange Commission (SEC) issued guidelines that require public companies to disclose the 

risk of cyber incidents if they materially affect a registrant’s products, services, relationships with customers or 

suppliers, or competitive conditions, or if they make an investment in the company speculative or risky. 6 

The pressure on critical infrastructure industry sectors to secure their systems according to best practices and 

standards persists, with the U.S. energy sector already subject to regulations. 7 Today, the tone in Washington 

has moved from persuasive to compulsory, with numerous bills pending in Congress that mandate security 

measures for corporate systems if enacted. 8 

In addition, the reputational and financial consequences of a breach can be significant. When a company is 

the victim of an attack on its information systems – whether from an insider or an outside bad actor – studies 

have shown that this can result in a lack of confidence in the company and even a drop in the company stock 

price. 9 Breaches of personally identifiable information (PII) are expensive and frequently result in civil and 

class action lawsuits and investigation by state attorneys general or the Federal Trade Commission. The 2011 

U.S. Cost of a Data Breach Study, conducted by Symantec and the Ponemon Institute, calculated that data 

breaches cost companies an average of USD5.5 million per incident. 10 Another recent Ponemon survey 

found that brand and reputation can decline 17-31% after a breach, and that it may take an organization more 

than a year to recover its corporate image. 11 

“Corporate data is at a 

higher risk of theft or 

misuse than ever before, 

and the systemic nature 

of recent attacks has 

alarmed both industry 

leaders and government 

officials around the 

world.” 

Corporate data is at a higher risk of theft or misuse than ever before, and the systemic nature of recent attacks 

has alarmed both industry leaders and government officials around the world. Managing these cyber risks now 



! 

! 

77! 

77!

equires active oversight by boards and senior executives. Failure to properly govern cybersecurity and privacy may 

result in shareholder derivative suits against D&Os for breach of fiduciary duty as a result of losses on stock 

price, decrease in market share, or damage to brand caused by inadequate attention to the security of the 

company’s data, applications, and networks. Although Delaware case law provides strong protections to 

D&Os under the business judgment rule and recent case law, 12 requires active oversight by boards and senior executives. Failure to properly govern cybersecurity and privacy may 

result in shareholder derivative suits against D&Os for breach of fiduciary duty as a result of losses on stock 

price, decrease in market share, or damage to brand caused by inadequate attention to the security of the 

company’s data, applications, and networks. Although Delaware case law provides strong protections to 

D&Os under the business judgment rule and recent case law, harm caused by security breaches may receive 

stricter scrutiny because: 

12 harm caused by security breaches may receive 

stricter scrutiny because: 


! 

! Security best practices and standards are well-developed, harmonized, and widely available; 

! Many privacy and security laws require organizations to have an enterprise security program that is 

regularly reviewed and tested; 

! The Council of Europe Convention on Cybercrime, 13 which has been signed by 47 countries and 

ratified by 33 (including the U.S.), holds companies civilly, administratively, or criminally liable for 

cybercrimes that benefit the company and were made possible due to the lack of supervision or 

control by someone in a senior management position, such as an officer or director. Article 9 of the 

European Union’s (EU) Council Framework Decision on attacks against information systems, 14 

! The Council of Europe Convention on Cybercrime, 

which applies to all 27 EU member countries, mirrors the CoE language. 

13 which has been signed by 47 countries and 

ratified by 33 (including the U.S.), holds companies civilly, administratively, or criminally liable for 

cybercrimes that benefit the company and were made possible due to the lack of supervision or 

control by someone in a senior management position, such as an officer or director. Article 9 of the 

European Union’s (EU) Council Framework Decision on attacks against information systems, 14 

which applies to all 27 EU member countries, mirrors the CoE language. 

Thus, D&O duties with respect to privacy and security may be more prescribed in this area and negligence 

more easily proven. There are also situations where higher standards apply to directors and officers, such as 

acquisitions, takeovers, responses to shareholder suits, and distribution of assets to shareholders in preference 

over creditors. In these circumstances, directors and officers are required to obtain professional assistance or 

perform adequate analyses to mitigate the risks that ordinarily accompany these activities. Some information 

assurance experts assert that a “higher degree of care will also be required of Directors and Officers regarding 

the complex nature of issues involved in information assurance.” 15 

Thus, D&O duties with respect to privacy and security may be more prescribed in this area and negligence 

more easily proven. There are also situations where higher standards apply to directors and officers, such as 

acquisitions, takeovers, responses to shareholder suits, and distribution of assets to shareholders in preference 

over creditors. In these circumstances, directors and officers are required to obtain professional assistance or 

perform adequate analyses to mitigate the risks that ordinarily accompany these activities. Some information 

assurance experts assert that a “higher degree of care will also be required of Directors and Officers regarding 

the complex nature of issues involved in information assurance.” 15 

In addition, securities laws and regulations also require public corporations to adequately disclose the risks 

relevant to the corporation and its assets in their public filings. The Independent Director put this in the context 

of information systems by reporting that: 

Management of information risk is central to the success of any organization operating 

today. For Directors, this means that Board performance is increasingly being judged by 

how well their company measures up to internationally accepted codes and guidelines on 

preferred Information Assurance practice. .16 

Management of information risk is central to the success of any organization operating 

today. For Directors, this means that Board performance is increasingly being judged by 

how well their company measures up to internationally accepted codes and guidelines on 

preferred Information Assurance practice. .16 

Clearly, directors and officers need to undertake a certain level of involvement and oversight in ensuring that 

the organization is properly secured and data is protected. 

Fortunately, boards and senior executives have access to standards and best practices that guide them in 

fulfilling their governance responsibilities. The IT Governance Institute has an excellent collection of 

materials, as does ISACA, and Carnegie Mellon University. In addition, the International Organization for 

Standardization (ISO) has released ISO 38500, the international standard for corporate governance of IT, and 

the National Institute of Standards and Technology (NIST) has produced world-class materials on privacy 

and security best practices and guidance – including risk management – that are available at no cost. 

7

II. Findings and Conclusions 

II. Findings and Conclusions 

WHO WE ASKED 

WHO WE ASKED 

The Governance Survey respondents were half board members, half senior executives. 

Forty-eight The Governance percent Survey (48%) respondents of respondents were were half inside board directors members, and half two senior percent executives. (2%) were outside directors. 

Twenty-four Forty-eight percent (48%) (24%) of of respondents these directors were were inside board directors chairs. and The two remaining percent (2%) half of were the outside respondents directors. were 

Twenty-four senior executives, percent but (24%) not a board of these member. directors were board chairs. The remaining half of the respondents were 

senior The respondents executives, also but indicated not a board that: member. 

The respondents also indicated that: 

! 13% of respondents were Audit 

! 13% Committee of respondents members; were Audit 

Committee members; 

! 12% of respondents were a 

! 12% Governance, of respondents Compliance, were a or Ethics 

Governance, Committee member; Compliance, and or Ethics 

Committee member; and 

! 19% of respondents were Risk 

! 19% Committee of respondents members. were Risk 

Committee members. 

Internal respondents were holding positions as: 

Internal respondents CEO or President were holding (53%) positions as: 

CEO CFO (19%) or President (53%) 

CFO COO (19%) (9%) 

COO Corporate (9%) Secretary (15%). 

Corporate Secretary (15%). 

The majority of Governance Survey respondents (75%) were from critical infrastructure industry sectors 

which The majority increasingly of Governance face government Survey pressure respondents and/or (75%) regulatory were compliance from critical requirements infrastructure with industry respect to sectors the 

which security increasingly of their IT face systems government and data. pressure These survey and/or respondents regulatory compliance represented: requirements with respect to the 

security of their IT systems and data. These survey respondents represented: 



! 

! 

! Energy and utility companies – 13% 

! 

Energy and utility companies – 13% 

Financial sector – 33% 

! 

Financial sector – 33% 

Health care – 2% 

! 

Health care – 2% 

Industrials – 15% 

! 

Industrials – 15% 

IT and telecommunications companies – 12%. 

! IT and telecommunications companies – 12%. 

The remaining 25% of respondents represented consumer, 

The materials, remaining professional 25% of services, respondents retailing, represented and other consumer, types of 

materials, companies. professional services, retailing, and other types of 

companies. 

Responses from four industrial sectors are compared in this report: energy/utilities, financial, IT/telecom, 

Responses and industrials. 

from four industrial sectors are compared in this report: energy/utilities, financial, IT/telecom, 

and industrials. 

7>! 

7>!

Survey respondents represented large to very large corporations. Since the respondent pool was drawn 

from the Forbes Global 2000 list, the respondents represented large or very large corporations. Almost half 

(49%) of respondents were from very large corporations with annual revenues greater than USD10 billion. 

Thirty-seven percent (37%) of the Governance Survey respondents came from large companies with annual 

revenues ranging between USD2.5 billion and USD10 billion, and 9% of respondents represented companies 

with revenues between USD1 billion and USD2.5 billion. Six percent (6%) of the respondents had revenues 

of USD500 million to less than USD1 billion. 

Using the Forbes Global 2000 list, the 2012 survey represents the 

first analysis of cyber governance postures of major corporations 

around the world. Regions were aligned with those used by Internet 

World Stats to enable analysis of responses against Internet usage. 17 

Using the Forbes Global 2000 list, the 2012 survey represents the 

first analysis of cyber governance postures of major corporations 

around the world. Regions were aligned with those used by Internet 

World Stats to enable analysis of responses against Internet usage. 

Responses were primarily from three geographical regions: North 

America (40%), Europe (30%), and Asia (19%), although a few 

responses were also received from Latin America, Australia and 

Oceania, the Middle East, and Africa. Responses from three regions 

are compared in this report, with key countries noted below by 

Internet usage: 

17 

Responses were primarily from three geographical regions: North 

America (40%), Europe (30%), and Asia (19%), although a few 

responses were also received from Latin America, Australia and 

Oceania, the Middle East, and Africa. Responses from three regions 

are compared in this report, with key countries noted below by 

Internet usage: 

North America: United States and Canada. 

Europe: EU countries, Russia, Turkey, Ukraine, and Switzerland. 

Asia: China, India, Japan, Indonesia, South Korea, Philippines, Vietnam, Pakistan, and Thailand. 

FINDINGS 

Oversight & Governance 

For the third time, the survey revealed that boards are actively addressing risk management, but that 

there is still a gap in understanding the linkage between IT risks and enterprise risk management. 


! 

Although 91% of respondents 

indicated that risk management was 

being actively addressed by their 

board, the areas receiving the least 

attention were IT operations (29%), 

computer and information security 

(33%), and vendor management 

(13%). The lack of attention to 

vendor management is particularly 

concerning since this includes 

outsourcing of IT operations and 

business processes, most of which is 

dependent upon IT systems. These 

three issue areas held the same 

position in the 2010 results. 

7@!

Industry & Region Comparison Table: Issues Actively Addressed By Boards 

European respondents gave the least attention to computer and information security (19%), compared to 

North American and Asian respondents at 40% and 38% respectively. Europe also was lowest in the 

attention given to IT operations (19%), compared to 30% for North America and 24% for Asia. 

The financial sector showed the greatest degree of attention to these critical issues related to cyber risk 

management. One of the most revealing gaps is the lack of attention given to these issues by the 

energy/utilities and industrials sectors, particularly considering the 

degree to which operations and processes are controlled by IT 

systems. 

Even though risk management is a high priority, most boards 

are not reviewing their company’s insurance coverage for cyberrelated 

risks.! 

Although cyber incidents are not covered by general liability policies, 

57% of the respondents indicated that their boards are not reviewing 

insurance coverage for cyber related risks, compared with 65% in 

2010. This slight improvement, however, is due to the increase in 

respondents in 2012 that said they did not know. The response was 

consistent across geographical regions. 

Industry & Region Comparison Table: Boards NOT Reviewing Cyber Insurance Coverage 

It was surprising that a much higher percentage of respondents from the two “consequential” infrastructure 

sectors 


7E! 

18 Industry & Region Comparison Table: Issues Actively Addressed By Boards 

Issue Addressed North Europe Asia Energy / Financial IT / Industrials 

By Boards 

America 

Utilities 

Telecom 

Vendor Mgmt 12% 9% 10% 0% 28% 15% 0% 

Computer & Info Sec 40% 19% 38% 29% 44% 31% 13% 

IT Operations 30% 19% 24% 14% 36% 31% 19% 








systems. 



risks.! 








Board reviews cyber North Europe Asia Energy / Financial IT / Industrials 

insurance coverage? America 

Utilities 

Telecom 

No 58% 56% 57% 79% 52% 77% 44% 


sectors – energy/utilities and IT/telecom – indicated that their boards did not review insurance coverage of 

cyber risks: Seventy-nine percent (79%) of the energy/utilities respondents indicated that their boards do not 

review coverage and 77% of the IT/telecom sector respondents said the same. 

For the third time, the Governance Survey confirmed the belief among IT security professionals that 

boards and senior executives still are not involved in key areas related to governance over privacy and 

security. Although 89% of respondents said their boards review annual risk assessment reports and 91% of 

these cover computer systems and data, this activity alone is not adequate oversight. 

Respondents indicated that boards are not focusing on important activities that would help protect the 

organization from some of its highest risks: the reputational and financial losses flowing from theft of 

confidential or proprietary data or security breaches involving the disclosure of PII. There are a number of 




By Boards 

America 

Utilities 

Telecom 

Vendor Mgmt 12% 9% 10% 0% 28% 15% 0% 


IT Operations 30% 19% 24% 14% 36% 31% 19% 








systems. 



risks.! 










Utilities 

Telecom 

No 58% 56% 57% 79% 52% 77% 44% 













7E! 

18 Issue Industry Addressed & Region North Comparison Europe Table: Asia Issues Energy Actively / Financial Addressed IT / By Boards Industrials 

By Boards 

America 

Utilities 

Telecom 

Vendor Mgmt 12% 9% 10% 0% 28% 15% 0% 


IT Operations 30% 19% 24% 14% 36% 31% 19% 








systems. 



risks.! 







Board Industry reviews & cyber Region North Comparison Europe Table: Asia Boards Energy NOT / Financial Reviewing IT / Cyber Insurance Industrials Coverage 


Utilities 

Telecom 

No 58% 56% 57% 79% 52% 77% 44% 

It was surprising – energy/utilities that a much and IT/telecom higher percentage – indicated of respondents that their boards from the did two not “consequential” review insurance infrastructure coverage of 

cyber sectors risks: Seventy-nine percent (79%) of the energy/utilities respondents indicated that their boards do not 












By Boards 

America 

Utilities 

Telecom 

Vendor Mgmt 12% 9% 10% 0% 28% 15% 0% 


IT Operations 30% 19% 24% 14% 36% 31% 19% 








systems. 



risks.! 










Utilities 

Telecom 

No 58% 56% 57% 79% 52% 77% 44% 













7E! 

18 Issue Addressed North Europe Asia Energy / Financial IT / Industrials 

By Industry Boards & Region America Comparison Table: Issues Utilities Actively Addressed Telecom By Boards 

Vendor Mgmt 12% 9% 10% 0% 28% 15% 0% 


IT Operations 30% 19% 24% 14% 36% 31% 19% 








systems. 



risks.! 








Industry insurance coverage? & Region America Comparison Table: Boards Utilities NOT Reviewing Telecom Cyber Insurance Coverage 

No 58% 56% 57% 79% 52% 77% 44% 

– energy/utilities and IT/telecom – indicated that their boards did not review insurance coverage of 

It cyber was risks: surprising Seventy-nine that a much percent higher (79%) percentage of the energy/utilities of respondents respondents from the two indicated “consequential” that their infrastructure boards do not 

sectors review coverage and 77% of the IT/telecom sector respondents said the same. 








18 Issue Addressed North Europe Asia Energy / Financial IT / Industrials 

By Boards 

America 

Utilities 

Telecom 

Vendor Mgmt 12% 9% 10% 0% 28% 15% 0% 


IT Operations 30% 19% 24% 14% 36% 31% 19% 



Utilities 

Telecom 

No 58% 56% 57% 79% 52% 77% 44% 

– energy/utilities and IT/telecom – indicated that their boards did not review insurance coverage of 










! ! 

! ! 


! 

7E! 

7E! 

7E!

est practices for board involvement with respect to IT governance that strengthen the security posture of a 

company. 

When asked whether their boards receive information or are involved in activities related to these best 

practices, respondents indicated that boards are only occasionally, rarely or never engaged: 


! 

! Review annual budgets. Fifty-three percent (53%) of respondents said their board rarely or never 

reviewed and approved annual budgets for privacy and IT security programs; 9% said they 

occasionally did. Only 31% of respondents indicated that their boards regularly reviewed and 

approved these budgets. 

! Review roles and responsibilities. Fifty-six percent (56%) of respondents indicated their board rarely 

or never reviewed and approved roles and responsibilities of personnel responsible for privacy and 

security risks; an additional 

18% said they occasionally 

did. Only 19% said they 

regularly reviewed privacy 

and security roles and 

responsibilities. 

! Review top-level policies. 

Forty-one percent (41%) 

of respondents said their 

board rarely or never 

reviewed and approved 

top-level policies regarding 

privacy and security risks; 

an additional 28% said 

they occasionally did. Only one-quarter (25%) of the respondents said they regularly reviewed toplevel 

privacy and security policies. 

! Receive reports on privacy and security risks. Twenty-six percent (26%) of respondents said their 

board rarely or never received reports from senior management regarding privacy and IT security 

risks; an additional 33% said they occasionally got such reports. Thirty-nine percent (39%) said they 

regularly received reports on privacy and IT security risks. These results were slightly better than the 

2008 results (62% occasionally or rarely received reports and 15% never did). 

! Receive reports on security breaches or loss of data. Thirty percent (30%) of respondents said their 

board rarely or never reviewed reports of security breaches or incidents involving the disclosure of 

personally identifiable information or theft of corporate data; another 30% said they occasionally 

received such reports. Thirty-one percent (31%) of the respondents said their boards regularly 

reviewed these reports. 

! Review annual computer security program assessments. Thirty-six (36%) of respondents said their 

board rarely or never reviewed annual security program assessments; another 20% said they 

occasionally did. Only 35% of the respondents said they regularly reviewed such reports. 

There were only modest gains in each of the first four areas (breach reports and security program assessments 

were not asked for in the 2008 and 2010 surveys), particularly in regularly receiving reports from senior 

7R!

management regarding privacy and security risks (20% in 2008 compared with 39% in 2012) and reviewing 

management budgets management (14% regarding in 2008 compared privacy and with security 31% in risks 2012). (20% in 2008 compared with 39% in 2012) and reviewing 

budgets management budgets (14% regarding in 2008 compared privacy and with security 31% in risks 2012). (20% in 2008 compared with 39% in 2012) and reviewing 

budgets Industry budgets (14% & Region in 2008 Comparison compared with Table: 31% Boards in 2012). 

Rarely or Never Undertaking Best Practice Activities 

Industry & Region Comparison Table: Boards Rarely or Never Undertaking Best Practice Activities 

Industry Percentage & of Region boards that Comparison rarely or never: Table: North Boards Europe Rarely Asia or Never Energy Undertaking Financial Best IT Practice / Activities 

Industrials 

America 

/ 

Telecom 

Percentage of boards that rarely or never: North Europe Asia Utilities 

Energy Financial IT / Industrials 

Percentage of boards that rarely or never: 

North America North 

America Europe Asia Energy / Energy 

/ Financial IT Telecom IT Telecom / 

Industrials 

Rarely/never review annual budgets 81% 44% 29% 71% 42% 62% 56% 

America 

/ Utilities / 

Utilities 

Telecom 

Rarely/never review roles & 

67% 53% 43% 79% 39% 69% 75% 

Rarely/never review annual budgets 81% 44% 29% Utilities 

71% 42% 62% 56% 


71% 42% 62% 56% 

Rarely/never Rarely/never review review annual roles annual roles & budgets responsibilities 81% 67% 81% 67% 44% 53% 44% 53% 29% 43% 29% 43% 71% 79% 71% 79% 42% 39% 42% 39% 62% 69% 62% 69% 56% 75% 56% 

Rarely/never review top-level policies 56% 38% 33% 64% 19% 54% 63% 75% 

Rarely/never Rarely/never review review roles top-level roles top-level & responsibilities policies 67% 56% 67% 56% 53% 38% 53% 38% 43% 33% 43% 33% 79% 64% 79% 64% 39% 19% 39% 19% 69% 54% 69% 54% 75% 63% 75% 

Rarely/never receive privacy/security 23% 31% 24% 21% 11% 31% 50% 

63% 

Rarely/never Rarely/never review receive review receive top-level privacy/security policies reports 56% 23% 56% 23% 38% 31% 38% 31% 33% 24% 33% 24% 64% 21% 64% 21% 19% 11% 19% 11% 54% 31% 54% 31% 63% 50% 63% 

reports 

50% 

Rarely/never Rarely/never receive receive privacy/security breach/data privacy/security breach/data loss reports rpts 23% 14% 23% 14% 31% 44% 31% 44% 24% 52% 24% 52% 21% 36% 21% 36% 11% 22% 11% 22% 31% 31% 50% 44% 50% 

Rarely/never receive breach/data loss 14% 44% 52% 36% 22% 31% 44% 44% 

Rarely/never 

rpts 

Rarely/never receive review receive review security breach/data program loss rpts 14% 37% 14% 37% 44% 34% 44% 34% 52% 48% 52% 48% 36% 57% 36% 57% 22% 17% 22% 17% 31% 46% 31% 46% 44% 50% 44% 

50% 

Rarely/never assessments Rarely/never 

Rarely/never 

Rarely/never assessments review 

review 

review security 

security 

security program 

program 

program 

37% 37% 34% 34% 48% 48% 57% 57% 17% 17% 46% 46% 50% 

50% 

assessments 

assessments 

assessments 

North North American American respondents respondents indicated indicated that that their their boards boards are are more more neglectful neglectful in undertaking undertaking key activities activities 

North associated North associated North 

associated American with with privacy privacy respondents and and security security indicated governance governance that their than than boards European European are more and and neglectful Asian Asian boards, boards, in undertaking except except for for key receiving receiving activities 

associated reports. associated reports. associated 

reports. European European with privacy respondents respondents and security are are worse worse governance 

worse 

governance at at undertaking undertaking than European best best practices practices and Asian than than boards, Asian Asian except respondents, respondents, for receiving 

except except for 

for 

reports. reviewing reports. reviewing reports. 

reviewing European breach breach reports reports respondents and and security security are worse program program at undertaking assessments. 

assessments. best In practices examining than sector Asian responses, respondents, the financial except for 

sector reviewing sector far outpaced breach 

outpaced 

breach reports other and industry security sectors program in every assessments. area, confirming In examining the view sector that they responses, lead in the good financial 

governance sector In sector 

governance examining far outpaced practices, sector other responses, although industry the budget sectors financial reviews in sector every should area, far outpaced improve. confirming other the industry view that sectors they lead in every in good 

area, 

governance confirming governance the practices, view that although they lead budget in good reviews governance should improve. 

practices, although budget reviews should improve. 

The The survey survey respondents respondents indicated indicated that that the the energy/utilities energy/utilities industry industry sector sector has has the the poorest poorest governance governance in in every 

The almost The area The 

almost survey except survey every respondents for respondents area. receiving indicated reports. that the energy/utilities industry sector has the poorest governance in 

almost every area. 

Board Committee Committee Structure 

Structure 

Board Committee Structure 

Some of of the the biggest biggest improvements improvements have have been been organizational. organizational. Traditionally, Traditionally, boards boards have have not not separated separated risk 

risk 

management Some management Some 

management of the biggest and and audit audit improvements responsibilities responsibilities have by by been establishing establishing organizational. separate separate Risk Risk Traditionally, and and Audit Audit boards Committees. Committees. boards 

Committees. have not Although Although separated the the risk 

majority management majority management 

majority of of companies companies and audit still still responsibilities tend tend to to place place by risk risk establishing responsibilities responsibilities separate with with Risk the the and Audit Audit Audit Committee, Committee, Committees. the the Governance Governance Although the 

Surveys majority Surveys majority Surveys show show of companies this this is is changing. changing. still tend How How to place a a board board risk responsibilities is is organized organized and and with how how the it it Audit assigns assigns Audit 

assigns Committee, committee committee the responsibilities responsibilities Governance 

can 

can 

significantly Surveys significantly Surveys 

significantly show influence influence this is changing. the the effectiveness effectiveness How a board of of its its management management is 

management 

is organized and activities activities how it and and assigns security security committee posture. posture. responsibilities can 

significantly influence the effectiveness of its management activities and security posture. 

Respondents Respondents indicated indicated that that only only 48% 48% of of boards boards have have a a Risk Risk Committee Committee that that is is separate separate from from an an Audit Audit 

Committee Committee Respondents Committee – – indicated and and of of these, these, that 81% 81% only of of 48% of these these of boards Risk Risk boards 

Risk Committees Committees have a Risk oversee oversee Committee privacy privacy that and and is security. security. separate These These from an results results Audit 

Committee represent represent Committee 

represent a a significant significant – and of these, improvement improvement 81% of since since these the the Risk 2008 2008 Committees survey, survey, when when oversee only only privacy 8% 8% of of boards boards and security. had had Risk Risk These Committees Committees 

results 

represent and represent and represent 

and only only 53% 53% a significant of of those those improvement oversaw oversaw privacy privacy since and and the security, security, 2008 survey, and and the the when 2010 2010 only survey, survey, 8% of which of 

which boards indicated indicated had Risk 14% 14% Committees 

of of boards boards had 

had 

a and a and a Risk Risk only Committee Committee 53% of those and and of of oversaw those, those, privacy 67% 67% privacy 

67% of of and them them security, had had oversight oversight and the of of 2010 privacy privacy survey, and and which security. security. indicated 14% of boards had 

a Risk Committee and of those, 67% of them had oversight of privacy and security. 

Industry & & Region Region Comparison Comparison Table: Table: Risk Risk Committees Committees Responsible Responsible for for Privacy Privacy & & Security 


Industry Risk Committee & Region Comparison North Table: Europe Risk Asia Committees Energy Responsible / Financial for IT Privacy / & Industrials Security 

Risk Committee 

North North Europe Europe Asia Asia Energy Energy / Financial IT IT / / Industrials 

Risk Separate Risk Separate Risk Separate Committee 

from Audit? 

America North America North 

America Europe Asia / Energy Utilities Energy Utilities / 

Financial Telecom IT Telecom IT Telecom / 

Industrials 

Separate Yes Separate Yes from Audit? 

America 

35% 41% 76% Utilities 

Utilities 

35% 78% Telecom 

31% 44% 

Yes If Yes If yes, does the Risk Committee 35% 35% 41% 41% 76% 76% 35% 35% 78% 78% 31% 31% 44% 

44% 

If oversee If oversee yes, does privacy the Risk 

& security? Committee 

oversee Yes oversee Committee oversee Yes privacy & security? 

93% 85% 75% 100% 79% 75% 57% 

Yes oversee Yes privacy & 

93% 85% 75% 100% 79% 75% 57% 

security? 

Yes 93% 85% 75% 100% 79% 75% 57% 



Carnegie ! Carnegie Mellon CyLab 

! 

! 

7S! 

7S! 

7S!

The survey indicates that Asia is far ahead of North America and Europe in understanding the importance of 

having a Risk Committee separate from the board Audit Committee, but more North American companies 

assign privacy and security risks to these Risk Committees than Asian companies. 

The financial sector respondents indicated that they are much farther ahead in establishing Risk Committees 

(78%), but only about three-fourths of them (79%) are responsible for privacy and security. Even though the 

energy sector was next to last in establishing Risk Committees (35%), 100% of them are assigned privacy and 

security oversight. 

Board Board committee structures are starting to form 

around around security and technology risks. 

Not surprisingly, 96% of the survey population said 

their boards have an Audit Committee and 78% of 

them have a Governance, Compliance, or Ethics 

Committee. When polled about the types of 

committees their boards have, respondents indicated 

that 56% of boards have a Risk/Security Committee 

and 23% have an IT/Technology Committee. This 

shows improvement from the 2010 survey results, 

which indicated that only 12% of respondents had a 

Risk/Security Committee and 6% had an 

IT/Technology Committee. 

Industry & Region Comparison Table: Board Committee Structures 

Asian respondents indicated that their boards are way ahead of North America and Europe in understanding 

the need for both Risk/Security Committees (95%) and IT/Technology Committees (38%), while North 

America surprisingly lags behind at 28% and 16% respectively. The energy/utilities sector respondents 

indicated that they have the fewest Risk/Security Committees, but IT/telecom respondents revealed that 

their sector does not have any (0%) IT/Technology Committees. This is surprising on both counts, since 

energy/utility companies are critical infrastructure subject to security regulations and the IT/telecom industry 

relies upon technology and IT systems for its revenue. Not surprisingly, the financial sector again led the way 

in understanding the need for these board 

committees. 

When When asked who was most responsible for 

the the oversight of risk, about one-third of the 

respondents respondents (35%) indicated the Audit 

Committee, Committee, while an equal number of 

respondents respondents (35%) indicated that the full 

board board was responsible. The 2008 survey 

revealed that the Audit Committee was 


! 

Boards have these committees? North 

Europe Asia Energy / 

Financial IT / 

Industrials 

America 

Utilities 

Telecom 

Have Risk/Security Committee 28% 59% 95% 36% 86% 46% 63% 

Have IT/Technology 

16% 21% 38% 14% 39% 0% 13% 

Committee 

7T!

esponsible for risk 65% of the time and the full board 22%, while the 2010 survey indicated the Audit 

Committee had responsibility for risk 53% of the time and the full board had responsibility 22% of the time. 

The 2012 results indicate a clear shift away from assigning the Audit Committee the most 

responsibility for risk. The 2012 survey indicates the Risk Committee has responsibility for risk 30% of the 

respondents, whereas in 2010 it was only 5% and in 2008 it was 4%. Best practices and industry standards 

separate the audit and risk functions. The 2008 and 2010 surveys indicated an over-reliance upon Audit 

Committees to manage risk issues, creating segregation of duties (SOD) issues at the board level since the 

same committee that exercised oversight of operational aspects of privacy and security also oversaw audits in 

these areas. Carnegie Mellon’s Governing for Enterprise Security Implementation Guide provides step-by-step 

guidance on Risk Committee responsibilities for managing IT security risks. 19 

responsible for risk 65% of the time and the full board 22%, while the 2010 survey indicated the Audit 









guidance on Risk Committee responsibilities for managing IT security risks. 

Industry & Region Comparison Table: Most Responsibility for Cyber Risks 

Who has most responsibility North Europe Asia Energy / Financial IT / Industrials 

for risk? 

America 

Utilities 

Telecom 

Full Board 33% 34% 48% 43% 31% 23% 44% 

Audit Committee 42% 41% 14% 43% 11% 54% 25% 

Risk Committee 23% 22% 38% 14% 58% 23% 25% 

19 













for risk? 

America 

Utilities 

Telecom 

Full Board 33% 34% 48% 43% 31% 23% 44% 



19 













for risk? 

America 

Utilities 

Telecom 

Full Board 33% 34% 48% 43% 31% 23% 44% 



19 



for risk? 

America 

Utilities 

Telecom 

Full Board 33% 34% 48% 43% 31% 23% 44% 



Interestingly, 54% of the IT/telecom sector respondents indicated that the Audit Committee has the most 

Interestingly, responsibility Interestingly, 54% for 54% risk, of of the while the IT/telecom the financial sector sector respondents indicated indicated just indicated the opposite, that that the the Audit with Audit 58% Committee of the respondents has has the the most 

responsibility saying responsibility that the for most for risk, responsibility while the the financial for risk sector falls sector to indicated the Risk just Committee. just the the opposite, with 58% of of the the respondents 

saying that that the the most responsibility for for risk risk falls falls to to the the Risk Committee. 

Board Risk and IT Committees rarely hire outside expertise. 

Board Risk and and IT IT Committees rarely hire hire outside expertise. 

Although 68% of the respondents indicated that 

Although their Although boards 68% engage of of the the outside respondents consultants, indicated legal that that 

their counsel, their boards or other engage experts, outside they consultants, also said these legal 

counsel, experts counsel, are or or primarily other experts, hired they by they the also also Audit, said said these 

experts Compensation, experts are are primarily or Governance hired by by the the Committees Audit, 

or by 

Compensation, the Compensation, full board. Risk or or Governance and Governance IT/Technology Committees or or by by 

only the the full hire full board. outside board. expertise Risk and and 16% IT/Technology and 10% of Committees the Committees time, 

only respectively. only hire hire outside The expertise lower expertise percentage, 16% and and 10% however, of of the the time, time, may 

respectively. be respectively. due to the The The small lower number percentage, of board however, Risk and may may IT 

be Committees. be be due due to to the the This small is number some number improvement, of of board Risk though. and and IT IT 

Committees. In Committees. 2010, only This 5% This of is is some the some respondents improvement, indicted though. 

In their In In 2010, Risk only Committee only 5% 5% of of the hired the respondents outside expertise. indicted 

their Risk Committee hired outside expertise. 

Less than half of boards hire outside experts to 

help Less with than risk half half assessments of of boards hire hire and outside risk management. experts to to 

Although help help with 89% risk risk of assessments the respondents and and risk indicated risk management. 

their 

Although boards Although reviewed 89% of of risk the the assessment respondents reports, indicated only their 

46% of 

boards the boards respondents reviewed said risk risk that assessment their boards reports, hire only outside 46% of of 

the expertise the the respondents to assist said said with that that risk their assessments boards hire hire and outside 

risk 

expertise management. expertise to to assist Less with than risk risk one assessments third (30%) and of and the risk risk 

management. respondents management. indicated Less than this one one expertise third (30%) came of from of the the risk 

respondents services respondents firms, indicated 27% of this the this respondents expertise came said from it came risk risk 

services firms, 27% of of the the respondents said said it it came 



! 

! ! 

7G! 

7G! 7G!

from IT IT security security experts, experts, and and 18% 18% said said insurance insurance brokers brokers provided provided outside outside expertise. expertise. In In the the 2010 2010 survey, survey, 

from 17% from 17% of of IT of the the security the respondents respondents experts, indicated indicated and indicated 18% that that said that IT insurance IT security security brokers experts experts provided provided outside outside expertise. expertise, expertise, while In while the 26% 2010 26% indicated indicated 

survey, 

17% insurance 17% insurance of the brokers brokers respondents provided provided indicated these these services, that services, IT security just just the the experts opposite opposite provided of of the the 2012 outside 2012 survey. survey. expertise, It It is is important while important 26% to to indicated to note note that 

that 

insurance the insurance the the survey survey brokers did did not not not provided ask ask ask what what these topics topics services, the the the outside outside just experts the experts opposite were were asked of asked the to 2012 to address, address, survey. so so it It it is is is possible important possible that that to the note the Audit, 

Audit, that 

the full the full full survey board, board, did or or or other other not other ask committees committees what topics hired hired the computer computer outside computer experts security security were or or IT asked IT expertise. 

expertise. to address, so it is possible that the Audit, 

full board, or other committees hired computer security or IT expertise. 

Industry & Region Comparison Table: Board Board Use of Use of Outside of Outside Experts Experts 

Industry & Region Comparison Table: Board Use of Outside Experts 

Source of of outside 

North North 

Europe Asia Asia Energy / / Financial IT IT / IT / / Industrials 

Source risk Source risk risk expertise expertise 

of outside North America North America 

Europe Asia Energy Utilities Energy Utilities / Financial IT Telecom IT Telecom / Telecom Industrials 

risk Risk risk Risk Risk expertise Services Services Firm Firm America 36% 23% 30% Utilities 17% 40% Telecom 0% 0% 0% 20% 20% 

Risk Insurance Risk Insurance Services Broker Broker Firm 36% 45% 36% 45% 23% 8% 30% 15% 30% 15% 15% 17% 0% 0% 40% 10% 40% 10% 0% 0% 0% 100% 20% 100% 100% 

Insurance IT Insurance IT IT Security Security Broker Experts Experts 45% 36% 45% 36% 39% 8% 39% 15% 50% 0% 50% 10% 20% 10% 20% 33% 0% 33% 33% 100% 20% 20% 

IT Security Experts 36% 39% 15% 50% 20% 33% 20% 

The North American respondents indicated that they they are are clearly clearly more more reliant reliant upon upon insurance insurance brokers brokers to 

to 

The provide The provide North outside outside American expertise expertise respondents than than Europe Europe indicated or or Asia. Asia. that It they It is is interesting are interesting clearly to more to note, note, reliant however, however, upon that insurance that respondents respondents brokers from from to the 

the 

provide energy/utilities provide energy/utilities outside and and expertise and IT/telecom IT/telecom than Europe sectors sectors or said said Asia. they they It do do is do interesting not not use use insurance insurance to note, brokers brokers however, brokers at at all that all for for respondents outside outside expertise, 

expertise, from the 

energy/utilities while while 100% 100% of of the and the respondents IT/telecom respondents from sectors from the the said industrials industrials they do sector not sector use indicated indicated insurance that that brokers they they use at use all insurance insurance for outside brokers brokers expertise, for for this 

this 

purpose. while purpose. while purpose. 100% of the respondents from the industrials sector indicated that they use insurance brokers for this 

purpose. 

IT IT IT security security and risk experience becoming more valuable to to boards. 

IT security and risk experience becoming more valuable to boards. Twenty-seven Twenty-seven percent percent (27%) (27%) 

of of Twenty-seven of the the the respondents respondents percent indicated indicated (27%) 

that of that of that the their their respondents board board had had indicated an an outside 

outside 

director that director that director their with board with cybersecurity 

cyber had security an security outside 

expertise, director expertise, director expertise, with up up from cyber from 18% security 18% in 

in 

2010. expertise, 2010. expertise, 2010. Seventy-three Seventy-three up from 18% percent 

percent in 

(73%) 2010. (73%) of Seventy-three of of the the the respondents respondents percent said 

said 

their (73%) their (73%) their boards boards of boards the had had respondents had an an an outside outside said 

director their director their director boards with with had risk risk an expertise, 

outside 

compared director compared director compared with with with risk 59% 59% expertise, in in in 2010. 

2010. 

Fifty-one compared Fifty-one compared Fifty-one percent percent with percent 59% (51%) (51%) in 2010. of of of 

respondents Fifty-one respondents Fifty-one respondents percent indicated indicated (51%) that 

that of 

their respondents their respondents their boards boards retain retain indicated retain professional 

professional that 

search their search their search boards firms firms retain to to seek seek professional qualified 

qualified 

candidates search candidates search candidates firms for for to their seek their board. 

qualified board. 

candidates for their board. 

Not Not surprisingly, surprisingly, the the experience deemed most important in in recruiting directors was financial and 

management Not management Not management surprisingly, expertise. expertise. the experience IT IT expertise expertise deemed is is becoming becoming most important more more valuable, valuable, in recruiting however. however. directors When When was recruiting, recruiting, financial IT IT and IT expertise expertise was 

was 

very management very important important expertise. or or or important important IT expertise for for 37% 37% is of becoming of the the respondents respondents more valuable, and and somewhat somewhat however. important important When recruiting, for for for 42%. 42%. IT It It It is is expertise is encouraging encouraging was 

that very that that 64% important 64% of of the the respondents or respondents important indicated indicated for 37% that that risk of risk the and and respondents security security expertise expertise and was was somewhat either either very very important important or for or important important 42%. It and and is 27% encouraging 27% said said it 

it 

was that was that was somewhat somewhat 64% somewhat of the important. important. respondents indicated that risk and security expertise was either very important or important and 27% said it 

was somewhat important. 



! ! 

! 

Industry & Region Comparison Table: Experience Valuable When Recruiting Board Members 

Industry & Region Comparison Table: Experience Valuable When Recruiting Board Members 

When recruiting board members, how 

North 



Industrials 

valuable 

When 

valuable 

recruiting 

is: 

board members, how 

America 

North 

America 

Europe Asia 

Utilities 

Energy 

Utilities 

/ Financial 

Telecom 

IT 

Telecom 

/ Industrials 

IT valuable IT experience is: – Very imp or imp America 42% 22% 48% Utilities 7% 42% Telecom 62% 31% 

Risk/security IT Risk/security experience experience – Very imp – or Very imp imp or imp 63% 42% 63% 56% 22% 56% 62% 48% 62% 50% 7% 75% 42% 75% 69% 62% 69% 50% 31% 50% 

Risk/security experience – Very imp or imp 63% 56% 62% 50% 75% 69% 50% 

Only 22% of European respondents indicated that IT experience was very important or important in 

recruiting Only recruiting 22% board of European members, respondents while 42% indicated of North that American IT experience and 48% was of very Asian important respondents or important indicated in it was 

very recruiting very important board or members, important. while Only 42% 7% of of North the respondents American and from 48% the of energy/utilities Asian respondents sector indicated found IT 

it was 

experience very experience important to be or very important. important Only or important, 7% of the respondents while other sectors from the ranked energy/utilities it quite high, sector especially found the 

IT 

IT/telecom experience IT/telecom to sector. 

be very important or important, while other sectors ranked it quite high, especially the 

IT/telecom sector. 

Internal Organizational Roles & Responsibilities 

Internal Organizational Roles & Responsibilities 

Boards and senior management are lagging in establishing key positions for privacy and security or 

appropriately appropriately Boards appropriately and senior assigning management responsibilities. 

are lagging in establishing key positions for privacy and security or 

appropriately Best practices call assigning for clear responsibilities. 

roles and responsibilities with respect to privacy and security. The delineation of 

responsibilities Best responsibilities practices call should for clear serve roles as a and check responsibilities and balance and with protect respect the to company privacy and against security. SOD The issues delineation that could 


increase responsibilities increase risk. There should is a serve general as a belief check that and most balance companies and protect do not the understand company against this and SOD are not issues creating that could the 

needed increase needed roles risk. or There are inappropriately is a general belief combining that most responsibilities. companies do not So disparate understand disparate are this the and approaches are not creating to IT security, 

the 

that needed that titles roles for or personnel are inappropriately responsible combining for privacy responsibilities. and security span So four disparate possibilities: are the chief approaches privacy to officer IT security, (CPO), 

chief that chief titles information for personnel security responsible officer (CISO), for privacy chief and security security officer span (CSO), four possibilities: and chief risk chief officer privacy (CRO). 

officer (CPO), 

chief information security officer (CISO), chief security officer (CSO), and chief risk officer (CRO). 

Organizations Organizations continued to show that they do not have full-time, senior-level personnel in place to 

Organizations appropriately appropriately manage continued privacy to show and that security they risks. 

do not have full-time, senior-level personnel in place to 

appropriately manage privacy and security risks. 

! 35% of the respondents said their 

! organizations 35% organizations of the respondents did not have said a CISO 

their 

! 47% organizations 47% said they did did not not have have a a CISO CSO 

! ! 47% 82% said said they they did did not not have have a a CSO CPO 

! ! 82% 42% said their they their did organizations not have a did 

CPO 

! not 42% not have said a their CRO. 

organizations did 

not have a CRO. 

The CRO title is being used by security 

savvy The savvy CRO companies title is being that understand used by security the 

need savvy need to companies integrate IT, that IT, physical, understand and 

the 

personnel need personnel to integrate risks and IT, manage physical, them 

and 

through personnel through one risks position. and manage Less than them two- 

through thirds of the one Forbes position. Global Less 2000 than companies 

two- 

responding to the survey have full-time personnel in key roles responsible for privacy thirds and security of the Forbes in a manner Global that 2000 is consistent 

companies 

with responding with internationally to the survey accepted have best full-time practices personnel and standards. 

in key roles responsible for privacy and security in a manner that is consistent 

with internationally accepted best practices and standards. 

It is possible that some respondents indicated that they did not have someone in a particular position because 

the It the is person possible in that their some organization respondents did not indicated have that that specific they did title. not have This, someone however, in does a particular not comport position with because best 

practices the practices person and in standards. their standards. organization Any organization did not have large that enough specific to be included title. This, in the however, Forbes Global does 2000 not list comport should have with have a best CIO, 

CISO/CSO, practices CISO/CSO, and CPO, standards. and CRO. Any The organization percentage large of enough of companies to be included without in the these Forbes positions Global 2000 was also list should high in have in the a CIO, 2008 

and CISO/CSO, and 2010 surveys, CPO, although and although CRO. the The number percentage of organizations of companies that without do have these CISOs positions jumped was from also 30% high in in 2008 the 2008 and 

and 2010 surveys, although the number of organizations that do have CISOs jumped from 30% in 2008 and 



! 

! 

39% 

39% 

39% 

39% 

in 

in 

in 

in 

2010 

2010 

2010 

2010 

to 

to 

to 

to 

64% 

64% 

64% 

64% 

in 

in 

in 

in 

2012. 




The 

The 

The 

The 

number 

number 

number 

number 





organizations 

organizations 

organizations 

organizations 

that 

that 

that 

that 

have 

have 

have 

have 

CSOs 

CSOs 

CSOs 

CSOs 

also 

also 

also 

also 

gained 

gained 

gained 

gained 

from 

from 

from 

from 

16% 

16% 

16% 

16% 

in 

in 

in 

in 

2008 

2008 

2008 

2008 

and 

and 

and 

and 

36% 

36% 

36% 

36% 

in 

in 

in 

in 

2010 

2010 

2010 

2010 

to 

to 

to 

to 

51% 

51% 

51% 

51% 

in 

in 

in 

in 





The 

The 

The 

The 

CPO 

CPO 

CPO 

CPO 

position 

position 

position 

position 

is 

is 

is 

is 

the 

the 

the 

the 

most 

most 

most 

most 

baffling. 

baffling. 

baffling. 

baffling. 

Only 

Only 

Only 

Only 

7% 

7% 

7% 

7% 





the 

the 

the 

the 

respondents 

respondents 

respondents 

respondents 

indicated 

indicated 

indicated 

indicated 

they 

they 

they 

they 

had 

had 

had 

had 

a CPO 

CPO 

CPO 

CPO 

in 

in 

in 

in 

2008, 

2008, 

2008, 

2008, 

18% 

18% 

18% 

18% 

said 

said 

said 

said 

they 

they 

they 

they 

did 

did 

did 

did 

in 

in 

in 

in 

2010, 

2010, 

2010, 

2010, 

and 

and 

and 

and 

only 

only 

only 

only 

11% 

11% 

11% 

11% 

did 

did 

did 

did 

in 

in 

in 

in 





Clearly, 

Clearly, 

Clearly, 

Clearly, 

this 

this 

this 

this 

is 

is 

is 

is 

an 

an 

an 

an 

area 

area 

area 

area 

that 

that 

that 

that 

requires 

requires 

requires 

requires 

more 

more 

more 

more 

board 

board 

board 

board 

attention. 

attention. 

attention. 

attention. 

Industry 

Industry 

Industry 

Industry 

& Region 

Region 

Region 

Region 

Comparison 

Comparison 

Comparison 

Comparison 

Table: 

Table: 

Table: 

Table: 

Organizations 

Organizations 

Organizations 

Organizations 

with 

with 

with 

with 

Privacy 

Privacy 

Privacy 

Privacy 

& Security 




Personnel 

Personnel 

Personnel 

Personnel 

Percentage of companies North Europe Asia Energy / Financial IT / Industrials 

Percentage of companies 

North 



Industrials 

that have: 

America 

Utilities 

Telecom 

that have: 

America 

Utilities 

Telecom 

CISO 58% 72% 52% 50% 81% 69% 50% 

CISO 58% 72% 52% 50% 81% 69% 50% 

CSO 47% 63% 38% 50% 75% 69% 50% 

CSO 47% 63% 38% 50% 75% 69% 50% 

CPO 23% 3% 5% 7% 17% 0% 13% 

CPO 23% 3% 5% 7% 17% 0% 13% 

CRO 49% 56% 57% 57% 89% 54% 25% 

CRO 49% 56% 57% 57% 89% 54% 25% 

With 

With 

With 

With 

the 

the 

the 

the 

European 

European 

European 

European 

Union’s 

Union’s 

Union’s 

Union’s 

strong 

strong 

strong 

strong 

emphasis 

emphasis 

emphasis 

emphasis 

on 

on 

on 

on 

privacy, 

privacy, 

privacy, 

privacy, 

it 

it 

it 

it 

is 

is 

is 

is 

interesting 

interesting 

interesting 

interesting 

to 

to 

to 

to 

note 

note 

note 

note 

that 

that 

that 

that 

23% 

23% 

23% 

23% 





the 

the 

the 

the 

North 

North 

North 

North 

American 

American 

American 

American 

respondents 

respondents 

respondents 

respondents 

indicated 

indicated 

indicated 

indicated 

that 

that 

that 

that 

their 

their 

their 

their 

organization 

organization 

organization 

organization 

has 

has 

has 

has 

a CPO, 

CPO, 

CPO, 

CPO, 

while 

while 

while 

while 

only 

only 

only 

only 

3% 

3% 

3% 

3% 





the 

the 

the 

the 

European 

European 

European 

European 

respondents 

respondents 

respondents 

respondents 

indicated 

indicated 

indicated 

indicated 

that 

that 

that 

that 

they 

they 

they 

they 

do, 

do, 

do, 

do, 

but 

but 

but 

but 

Europe 

Europe 

Europe 

Europe 

had 

had 

had 

had 

a higher 

higher 

higher 

higher 

percentage 

percentage 

percentage 

percentage 





CISOs 

CISOs 

CISOs 

CISOs 

and 

and 

and 

and 

CSOs 

CSOs 

CSOs 

CSOs 

than 

than 

than 

than 

North 

North 

North 

North 

America. 

America. 

America. 

America. 

The 

The 

The 

The 

low 

low 

low 

low 

rate 

rate 

rate 

rate 





CISOs/CSOs 

CISOs/CSOs 

CISOs/CSOs 

CISOs/CSOs 

for 

for 

for 

for 

the 

the 

the 

the 

energy/utilities 




sector 

sector 

sector 

sector 

is 

is 

is 

is 

also 

also 

also 

also 

puzzling, 

puzzling, 

puzzling, 

puzzling, 

since 

since 

since 

since 

they 

they 

they 

they 

are 

are 

are 

are 

a highly 

highly 

highly 

highly 

regulated 

regulated 

regulated 

regulated 

critical 

critical 

critical 

critical 

infrastructure 




sector, 

sector, 

sector, 

sector, 

with 

with 

with 

with 

energy 

energy 

energy 

energy 

grids 

grids 

grids 

grids 

subject 

subject 

subject 

subject 

to 

to 

to 

to 

mandatory 

mandatory 

mandatory 

mandatory 

security 

security 

security 

security 

regulations. 

regulations. 

regulations. 

regulations. 

It 

It 

It 

It 

is 

is 

is 

is 

also 

also 

also 

also 

surprising 

surprising 

surprising 

surprising 

that 

that 

that 

that 

the 

the 

the 

the 

IT/telecom 

IT/telecom 

IT/telecom 

IT/telecom 

respondents 

respondents 

respondents 

respondents 

indicated 

indicated 

indicated 

indicated 

that 

that 

that 

that 

none 

none 

none 

none 





them 

them 

them 

them 

have 

have 

have 

have 

CPOs 

CPOs 

CPOs 

CPOs 

since 

since 

since 

since 

they 

they 

they 

they 

are 

are 

are 

are 

subject 

subject 

subject 

subject 

to 

to 

to 

to 

numerous 

numerous 

numerous 

numerous 

privacy 

privacy 

privacy 

privacy 

laws 

laws 

laws 

laws 

and 

and 

and 

and 

regulations. 

regulations. 

regulations. 

regulations. 

Organizations tend to overlap privacy and security responsibilities, not understanding the inherent 

SOD issues. 

It is important that privacy and security 

responsibilities be separated to prevent a 

single point of failure, which can occur 

(a) when security personnel do not 

understand compliance requirements or 

needed privacy controls, or (b) when 

privacy personnel do not understand the 

technical security configuration or 

technical controls. 20 Organizations tend to overlap privacy and security responsibilities, not understanding the inherent 

SOD issues. 









technical controls. 

The 2012 survey 

respondents indicated that 58% of 

CISOs and 47% of CSOs are responsible 

for both privacy and security. Forty-four 

percent (44%) of CROs have both areas 

of responsibility. Interestingly, none (0%) of the respondents assigned security responsibilities to their CPO. 

20 Organizations tend to overlap privacy and security responsibilities, not understanding the inherent 

SOD issues. 
















20 Organizations tend to overlap privacy and security responsibilities, not understanding the inherent 

SOD issues. 
















20 The 2012 survey 






There 

There 

There 

There 

are 

are 

are 

are 

few 

few 

few 

few 

differences 

differences 

differences 

differences 

between 

between 

between 

between 

the 

the 

the 

the 

2008 

2008 

2008 

2008 

and 

and 

and 

and 

2010 

2010 

2010 

2010 

survey 

survey 

survey 

survey 

results 

results 

results 

results 

on 

on 

on 

on 

overlapping 

overlapping 

overlapping 

overlapping 





that 

that 

that 

that 

are 

are 

are 

are 

noteworthy. 

noteworthy. 

noteworthy. 

noteworthy. 

The 

The 

The 

The 

percentage 

percentage 

percentage 

percentage 





CISOs 

CISOs 

CISOs 

CISOs 

and 

and 

and 

and 

CSOs 

CSOs 

CSOs 

CSOs 

responsible 

responsible 

responsible 

responsible 

for 

for 

for 

for 

both 

both 

both 

both 

privacy 

privacy 

privacy 

privacy 

and 

and 

and 

and 

security 

security 

security 

security 

has 

has 

has 

has 

remained 

remained 

remained 

remained 

very 

very 

very 

very 

high. 

high. 

high. 

high. 



! 

Industry & Region Comparison Table: Security Personnel Also Responsible for Privacy 

Industry & Region Comparison Table: Security Personnel Also Responsible for Privacy 

Industry Person also & assigned 

Region Comparison North 

Europe Table: Asia Security Energy Personnel / 

Financial Also Responsible IT / 

Industrials 

for Privacy 

privacy 

Person 

privacy 

Person also 


also 


assigned 

America 

North 

America 

North Europe Asia Utilities 

Energy 

Utilities 

Energy / 

Financial Telecom 

IT 

Telecom 

IT / 

Industrials 

privacy 

CISO Person 

privacy 

CISO also 


assigned 

America 

North 

America 

44% Europe 48% Asia 

Utilities 

82% Energy 

Utilities 

43% / Financial 

Telecom 

76% IT 

Telecom 

78% / Industrials 25% 

CISO 

CSO privacy CISO 

CSO responsibilities America 44% 48% 82% 35% 40% 63% Utilities 43% 76% 38% 63% Telecom 78% 25% 

67% 33% 

CSO 

CRO CISO CSO 35% 

CRO 48% 44% 35% 40% 

48% 22% 48% 40% 63% 

22% 67% 82% 63% 38% 

67% 43% 38% 63% 

0% 56% 76% 63% 67% 

56% 86% 78% 67% 33% 

86% 25% 33% 

0% 

CRO CSO CRO 48% 35% 48% 22% 40% 22% 67% 63% 67% 38% 0% 56% 63% 56% 86% 67% 86% 33% 0% 

CRO 48% 22% 67% 0% 56% 86% 0% 

Asian respondents indicated that their CISOs, CSOs, and CROs, are much more likely to be responsible for 

Asian respondents indicated that their CISOs, CSOs, and CROs, are much more likely to be responsible for 

both privacy and security than those in North America and Europe. The financial and IT/telecom industry 

both Asian both privacy respondents and security indicated than that those their in CISOs, North America CSOs, America and and CROs, Europe. are much The financial more likely and to IT/telecom be responsible industry 

for 

sectors also are especially likely to double up on privacy and security responsibilities. Interestingly, neither the 

sectors both sectors privacy also are and especially security than likely those to double in North up on America privacy and and Europe. security responsibilities. The financial and Interestingly, IT/telecom neither industry the 

energy/utilities or industrials industry sectors ever assign privacy responsibilities to their CROs. 

energy/utilities sectors energy/utilities also are or especially or industrials likely industry to double sectors up on ever privacy assign and privacy security responsibilities responsibilities. to their Interestingly, CROs. 

neither the 

energy/utilities or industrials industry sectors ever assign privacy responsibilities to their CROs. 

There are also SOD issues at line responsibility 

There are also SOD issues at line responsibility 

levels when CISOs/CSOs report to chief 

levels There levels when are also CISOs/CSOs SOD issues report at line to responsibility 

to chief 

information officers (CIOs) because the CIO then 

information levels information when CISOs/CSOs officers (CIOs) report because to chief the CIO then 

controls the budget for the security program and 

controls information controls the officers budget for (CIOs) the security because program the CIO and 

then 

may override security configuration decisions or 

may controls may override the budget security for configuration the security program decisions and or 

policies in favor of his/her own infrastructure 

policies may policies override in favor security of his/her configuration own infrastructure 

decisions or 

architecture preferences, thereby compromising 

architecture policies architecture in favor preferences, of his/her thereby own infrastructure 

compromising 

security. In addition, the CIO may interfere with 

security. architecture security. In addition, preferences, addition, the thereby CIO may compromising interfere with 

security procurements by favoring certain vendors 

security security. security procurements In addition, the by CIO favoring may certain interfere vendors 

with 

or products without understanding the 

or security or products procurements without understanding by favoring certain the 

vendors 

technological differences between the products. 

technological or technological products without differences understanding between the the products. 

Although such reporting relationships are against best 

Although technological Although such reporting differences relationships between are the against products. best 

practices, 38% of the respondents indicated that the CISO/CSO reported to the CIO in their organization. Twenty-two 

practices, Although practices, 38% such reporting of the respondents relationships indicated are against that the best CISO/CSO reported to the CIO in their organization. Twenty-two 

percent (22%) of the respondents indicated that the CISO/CSO reported to the CEO and 13% indicated that 

percent practices, percent (22%) 38% (22%) of of the the respondents respondents indicated indicated that the that CISO/CSO that the CISO/CSO reported to reported the CIO in to their the organization. CEO and 13% Twenty-two indicated that 

the CISO/CSO reported to the CFO. 

the percent the CISO/CSO (22%) of reported the respondents to the CFO. 

indicated that the CISO/CSO reported to the CEO and 13% indicated that 

the CISO/CSO reported to the CFO. 

Industry & Region Comparison Table: CISO/CSO Reporting Lines 



CISO/CSO 

North 



Industrials 

reporting 

CISO/CSO 

reporting 

CISO/CSO 

to 

America 

North 

America 

North Europe Asia Utilities 

Energy 

Utilities 

Energy / 

Financial Telecom 

IT 

Telecom 

IT / 

Industrials 

reporting to America 

Utilities 

Telecom 

CIO CISO/CSO 

to America 

CIO North 44% Europe 50% Asia 

Utilities 

19% Energy 50% / Financial 

Telecom 

42% IT 15% / Industrials 25% 

CIO 44% 50% 19% 50% 42% 15% 25% 

CEO reporting CEO to America 44% 50% 19% 

5% 13% 57% Utilities 50% 42% 

7% 28% Telecom 15% 25% 

54% 19% 

CEO 5% 13% 57% 7% 28% 54% 19% 

CFO CIO CFO 23% 44% 5% 13% 

23% 50% 57% 

3% 19% 5% 14% 50% 7% 28% 

14% 42% 54% 

3% 15% 19% 

8% 44% 25% 44% 

CFO CEO CFO 23% 5% 13% 3% 57% 5% 14% 7% 28% 3% 54% 8% 44% 19% 44% 

CFO 23% 3% 5% 14% 3% 8% 44% 

While almost half of North American (44%) and European (50%) respondents indicated that their 

While almost half of North American (44%) and European (50%) respondents indicated that their 

organizations’ CISO/CSOs reported to the CIO, Asia showed a clear preference not to establish such 

organizations’ While organizations’ almost half CISO/CSOs of North American reported to (44%) the CIO, and European Asia showed (50%) a clear respondents preference indicated not to establish that their such 

reporting lines, with 57% of the CISO/CSOs reporting to the CEO. The North American respondents 

reporting organizations’ reporting lines, CISO/CSOs with 57% of reported the CISO/CSOs to the CIO, reporting Asia showed to the CEO. a clear The preference North American not American to establish respondents 

such 

indicated that the CFO is a favored second choice for CISO/CSO reporting, but Europe preferred the CEO. 

indicated reporting indicated that lines, that the with CFO 57% is of a favored the CISO/CSOs second choice reporting for CISO/CSO to the CEO. reporting, The North but American Europe preferred respondents the CEO. 

The IT/telecom industry also favored CEO reporting with 54% of their CISO/CSOs reporting to the CEO 

The indicated The IT/telecom that the industry CFO is also a favored favored second CEO choice reporting for CISO/CSO with 54% of reporting, their CISO/CSOs but Europe reporting preferred to the the CEO 

CEO. 

and only 8% to the CFO. The industrials sector showed a leadership role with 44% of CISO/CSOs 

and The and only IT/telecom 8% to the industry CFO. also The favored industrials CEO sector reporting showed with a leadership 54% of their role CISO/CSOs with 44% of reporting CISO/CSOs 

to the CEO 

reporting to the CFO and 19% reporting to the CEO. 

reporting and reporting only 8% to the to the CFO CFO. and 19% The 19% industrials reporting to sector the CEO. 

showed a leadership role with 44% of CISO/CSOs 

reporting to the CFO and 19% reporting to the CEO. 




! 

! 

! 

! 

! 

! 

! 

!

Organizations are showing significant gains in cross-organizational communication. 

One Organizations of the most are significant showing improvements significant gains from in the cross-organizational 2008 and 2010 Governance communication. Surveys is in the 

establishment One of the most of internal significant cross-organizational improvements from groups the 2008 for communicating and 2010 Governance about privacy Surveys and is in security the issues. 

In establishment 2008, only 17% of internal of the cross-organizational respondents indicated groups that their for communicating organizations had about a cross-organizational privacy and security team; issues. in 

2010, In 2008, 65% only of 17% the organizations of the respondents did; and indicated in 2012, that 72% their of the organizations respondents had indicated a cross-organizational that such a committee team; in had 

2010, been established. 65% of the organizations This is very encouraging did; and in 2012, and indicates 72% of that the respondents companies are indicated learning that that such cross-organizational 

a committee had 

communication been established. is This essential is very to addressing encouraging insider and indicates threats, combating that companies external are learning attacks, closing that cross-organizational 

governance gaps, 

and communication reducing legal is essential liability. to addressing insider threats, combating external attacks, closing governance gaps, 

and reducing legal liability. 

Industry & Region Comparison Table: Cross-Organizational Committees 

Industry & Region Comparison Table: Cross-Organizational Committees 

Organizations with cross- North Europe Asia Energy / Financial IT / Industrials 

Organizational committee America 

Utilities 

Telecom 

Organizations with cross- North Europe Asia Energy / Financial IT / Industrials 

72% 72% 71% 50% 86% 92% 50% 

Organizational committee America 

Utilities 

Telecom 

72% 72% 71% 50% 86% 92% 50% 

The benefit of cross-organizational committees is realized across the globe; all geographic regions indicated 

that The 71% benefit or of more cross-organizational organizations have committees a cross-organizational is realized across team. the It globe; is a different all geographic story within regions industry indicated 

sectors, that 71% however. or more organizations The energy/utilities have a and cross-organizational industrials sectors team. each indicated It is a different that only story 50% within of the industry 

organizations sectors, however. have The such energy/utilities teams. and industrials sectors each indicated that only 50% of the 

organizations have such teams. 

CONCLUSIONS 

CONCLUSIONS 

The following conclusions can be drawn from the findings of the 2012 CyLab Governance Survey: 

The following conclusions can be drawn from the findings of the 2012 CyLab Governance Survey: 

! Boards are actively addressing risk management, but there is still a gap in understanding the linkage 

! between Boards are cybersecurity actively addressing risks and risk enterprise management, risk management. but there is still a gap in understanding the linkage 

! Boards between are cybersecurity not undertaking risks and key governance enterprise risk activities management. that would help protect their organizations 

! from Boards some are not of the undertaking highest risks: key the governance reputational activities and financial that would losses help flowing protect from their theft organizations of 

confidential from some of and the proprietary highest risks: data the or reputational security breaches and financial involving losses personally flowing identifiable from theft information. of 

! Organizationally, confidential and proprietary improvements data are or security seen in (1) breaches the increased involving number personally of boards identifiable with Risk information. 

! Committees Organizationally, responsible improvements for privacy are and seen security in (1) the risks, increased and (2) number the high of percentage boards with of Risk companies that 

Committees have established responsible cross-organizational for privacy and committees security risks, to focus and on (2) privacy the high and percentage security risks. of companies that 

! Although have established most boards cross-organizational hire outside expertise, committees less to than focus half on hire privacy it for assistance and security with risks. risk assessments 

! and Although risk management. most boards There hire outside is a higher expertise, reliance less upon than IT half security hire it for experts assistance than risk with services risk assessments firms. 

! and The risk majority management. of boards There are not is evaluating a higher reliance the adequacy upon IT of security their organizations’ experts than insurance risk services coverage firms. for 

! cyber The majority risks. of boards are not evaluating the adequacy of their organizations’ insurance coverage for 

! Boards cyber risks. are recognizing that IT security and risk expertise are important skills when recruiting board 

! members. Boards are recognizing that IT security and risk expertise are important skills when recruiting board 

! members. Less than two-thirds of the Forbes Global 2000 companies responding to the survey have full-time 

! personnel Less than two-thirds in key roles of responsible the Forbes for Global privacy 2000 and companies security in responding a manner that to the is consistent survey have with full-time 

internationally personnel in key accepted roles responsible best practices for privacy and standards. and security For organizations in a manner that that is do consistent have these with roles 

assigned, internationally there accepted is a serious best lack practices of functional and standards. separation For of organizations privacy and security that do responsibilities. 

have these roles 

! assigned, CISO/CSOs there still is a tend serious to report lack of to functional CIOs more separation than to CEOs of privacy or CFOs. and security responsibilities. 



! 

! 

! CISO/CSOs still tend to report to CIOs more than to CEOs or CFOs. 

Regional Regional Conclusions 

Carnegie Carnegie Mellon Mellon CyLab 


! 

! ! European European boards pay less attention to IT operations operations and and computer computer and and information information security security than 

than 

North North American American and Asian boards. 

! ! Other Other than than receiving receiving privacy/security privacy/security and and breach/data breach/data loss loss reports, reports, North North American American boards boards lag 

lag 

behind behind European European and and Asian Asian boards boards in in undertaking undertaking key key activities activities associated associated with with privacy privacy and and security 

security 

governance. 

governance. 

! ! Asian Asian boards boards are are much much more more likely likely to to have have board board Risk Risk Committees Committees responsible responsible for for privacy privacy and 

and 

security security than than North North American American and European European boards. 

! ! Across Across all all regions, regions, 56-58% 56-58% of of boards boards are not reviewing their organization’s cyber cyber insurance insurance coverage. 

coverage. 

! ! North North American American boards boards are much more reliant upon insurance broker risk expertise than risk 

services services firms firms or or IT IT security security experts experts when when seeking seeking assistance assistance with with risk risk assessments assessments and and risk 

management. 

management. 

! ! North North American American and and Asian Asian boards boards value value board board member member IT IT experience experience much much more more highly highly than 

than 

European European boards. boards. All All geographical geographical regions regions value value risk and security expertise. 

! ! Although Although Europe Europe leads leads globally globally in in privacy privacy regulation regulation and and enforcement, enforcement, few few European European organizations 

organizations 

have have a a CPO CPO (3%), (3%), with with Asia Asia only only slightly slightly ahead ahead (5%). (5%). European European companies, companies, however, however, have have a a higher 

higher 

percentage percentage of of CISOs CISOs and and CSOs CSOs than than North North American American or or Asian Asian organizations. 

organizations. 

! ! Asian Asian organizations organizations (82%) (82%) are are much much more more likely likely to to have have privacy privacy and and security security responsibilities responsibilities assigned 

assigned 

to to key key personnel personnel than than North North American American and and European European organizations organizations (44% (44% and and 48%, 48%, respectively). 


Asians Asians are are less less likely, likely, however, however, to to have have the the CISO/CSO CISO/CSO report report to to the the CIO. 

CIO. 

Industry Industry Sector Conclusions 

! ! The The financial financial sector sector has has better better privacy privacy and and security security governance governance practices practices than than the the energy/utilities, 

energy/utilities, 

IT/telecom, IT/telecom, and and industrials industrials industry industry sectors. sectors. It It also also has has a a high high rate rate of of board board IT/Technology 

IT/Technology 

Committees Committees and and Risk Risk Committees Committees separate separate from from the the Audit Audit Committee, Committee, which which are are assigned assigned oversight 

oversight 

of of privacy privacy and and security. 

security. 

! ! Unlike Unlike the the financial financial sector, sector, the the IT/telecom IT/telecom sector sector tends tends to to assign assign the the Audit Audit Committee Committee responsibility 

responsibility 

for for cybersecurity cyber security and and privacy privacy risks. 

risks. 

! ! The The IT/telecom IT/telecom industry industry sector sector respondents respondents indicated indicated that that none none of of their their organizations organizations have have a a board 

board 

IT/Technology IT/Technology Committee. 

Committee. 

! ! The The energy/utilities energy/utilities and and IT/telecom IT/telecom respondents respondents indicated indicated that that their their organizations organizations never never (0%) (0%) rely 

rely 

upon upon insurance insurance brokers brokers to to provide provide outside outside risk risk expertise, expertise, while while the the industrials industrials sector sector relies relies upon 

upon 

them them 100%. 100%. The The financial financial sector sector seldom seldom does. 

does. 

! ! Energy/utilities Energy/utilities and and IT/telecom IT/telecom sector sector boards boards are are not not adequately adequately reviewing reviewing cyber cyber insurance 

insurance 

coverage. 

coverage. 

! ! The The energy/utilities energy/utilities sector sector places places a a much much lower lower value value on on board board member member IT IT experience experience than than financial, 

financial, 

IT/telecom, IT/telecom, and and industrials industrials industry industry sectors. 

sectors. 

Carnegie Carnegie Carnegie Mellon Mellon Mellon CyLab CyLab 

! 

! Zero Zero percent (0%) of of the the IT/telecom industry sector sector said they have CPOs, even even though though they have 

some some of of the the most stringent stringent privacy compliance requirements. requirements. Likewise, Likewise, none (0%) of the 

respondents from the the energy/utilities and and industrials industrials sectors sectors indicated they have CROs. CROs. 

III. Recommendations 

Recommendations 

! 

The survey revealed that governance of of enterprise security is still lacking in most most corporations, corporations, with with gaps gaps gaps in 

critical critical areas. areas. If If If boards boards and and senior senior management management take take the the following following 12 12 actions, actions, actions, they they could could significantly significantly 

improve improve their their organizations’ organizations’ security security security posture posture and and reduce reduce risk: risk: 

1. Establish Establish a board Risk Committee Committee separate from the Audit Committee and assign it responsibility responsibility for 

enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk 

expertise. expertise. 

2. 2. 2. Ensure that privacy and security security roles roles within within the organization organization organization are separated and that responsibilities 

are appropriately appropriately assigned. assigned. assigned. The The The CIO, CIO, CISO/CSO, CISO/CSO, and and CPO CPO CPO should should report report independently independently to senior senior 

management. 

management. 

3. 3. Evaluate the existing organizational structure and establish establish establish a a cross-organizational cross-organizational team that that is is is 

required to meet meet meet at at least least monthly monthly to to coordinate coordinate coordinate and and communicate communicate on on privacy privacy and security security issues. 

This team should include include include senior senior senior management management from from human human resources, resources, public relations, legal, and 

procurement, as well as the CFO, CFO, the CIO, CIO, CISO/CSO, CISO/CSO, CRO, CRO, the CPO, and business line line 

executives. executives. 

4. 4. Review Review existing existing top-level top-level policies policies to to create create a a culture culture of of of security security and and respect respect for for privacy. privacy. 

Organizations can enhance their their their reputation by valuing valuing cybersecurity cyber security and and the protection of privacy 

and viewing it as a corporate corporate social social social responsibility. 

responsibility. 

5. 5. Review Review assessments assessments of of the the organization’s organization’s security security program program and and ensure ensure that that that the it comports program with comports best 

practices with best and practices standards and standards and includes and incident includes response, incident response, breach notification, breach breach notification, notification, disaster recovery, disaster and 

crisis recovery, communications and crisis communications plans. plans. 

6. 6. Ensure Ensure that that privacy privacy and and security security requirements requirements for for vendors vendors (including (including cloud cloud and and software-as-a-service 

software-as-a-service 

providers) are based upon key aspects aspects of the the organization’s organization’s security security program, including annual audits 

and and control requirements. Carefully review notification procedures procedures in the event event of of of a a breach breach or or or 

security security incident. 

7. 7. Conduct an annual audit of the the the organization’s organization’s organization’s enterprise enterprise security program, to be reviewed reviewed by the the 

Audit Audit Committee. 

8. 8. Conduct an annual annual review review of of the the enterprise enterprise security security program program program and effectiveness effectiveness of of controls, controls, to to be 

reviewed by the board board Risk Risk Committee, and ensure that identified gaps gaps or weaknesses weaknesses weaknesses are are addressed. addressed. 

9. 9. 9. Require regular reports reports from senior senior management management on on privacy privacy and and security security risks. 

10. 10. Require Require annual annual board board review review of of budgets budgets for for privacy privacy and and security security risk management. 

management. 

11. 11. Conduct Conduct annual privacy compliance compliance audits and review test incident response, breach breach notification, notification, disaster 

recovery, and crisis communication communication plans. plans. 

12. 12. Assess Assess cyber cyber risks risks and and potential potential loss loss valuations valuations and and and review review adequacy adequacy of of cyber cyber insurance insurance coverage. 

coverage. 

Endnotes 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

1 Jody R. Westby & Julia Allen, Governing for Enterprise Security Implementation Guide, Carnegie Mellon University, 

Software Engineering Institute, Technical Note CMU/SEI-2000-TN-020, 2007, 

http://www.sei.cmu.edu/publications/documents/07.reports/07tn020.html (hereinafter “Westby & Allen”). 

2 Board Briefing on IT Governance, 2 nd ed., IT Governance Institute, 2003 at 10, 

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Board-Briefing-on-IT- 

Governance-2nd-Edition.aspx (emphasis added). 

3 Convergence of Enterprise Security Organizations, American Society for industrial Security, Information Systems 

Security Association, and Information Systems Audit and Control Association, 2003 at 2, 

www.asisonline.org/newsroom/alliance.pdf. ! 

4 See Jody R. Westby, Testimony Before the House Committee on Government Reform, Subcommittee on 

Technology, Information Policy, Intergovernmental Relations and the Census, Sept. 22, 2004, 

http://www.cccure.org/Documents/Governance/westby1.pdf . For a discussion regarding the fiduciary 

duty of boards and officers and the extension of that duty to protect the digital assets of their organizations, 

see Jody R. Westby, ed., International Guide to Cyber Security, American Bar Assn., Privacy & Computer Crime 

Committee, 2004 at 189-93. 

5 Sarbanes-Oxley Act of 2002, Pub. Law 107-204, Sections 302, 404, 

http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf. The SEC has taken a narrow 

interpretation of Sarbanes-Oxley to the point that information security and risk management pertain only to 

the financial statements of a company. The Federal Reserve has countered this by saying a broader 

interpretation is needed to include all of the operational risks since there are many aspects that can impact the 

financial standing of an organization that can affect the integrity and accuracy of the financials. 

6 “CF Disclosure Guidance: Topic 2, Cybersecurity,” Securities and Exchange Commission, Division of 

Corporate Finance, Oct. 13, 2011, http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 

7 “Legal Resources,” Critical Energy Infrastructure Information (CEII) Regulations, Federal Energy 

Regulatory Commission, http://www.ferc.gov/legal/maj-ord-reg/land-docs/ceii-rule.asp. 

8 See, e.g., Jody Westby, “Cyber Legislation Will Cost Businesses and Hurt Economy,” Feb. 27, 2012, 

Forbes.com, http://www.forbes.com/sites/jodywestby/2012/02/27/cyber-legislation-will-cost-businesses-and-hurt-economy/. 

9 Kevin Coleman, “Battle Damage Increases From Widespread Attacks,” Defense Systems, Aug. 1, 2011, 

http://defensesystems.com/Articles/2011/07/18/Digital-Conflict-cyberattacks-economysecurity.aspx?Page=1; 

Brian Cashell, William D. Jackson, Mark Jickling, Baird Webel, The Economic Impact of 

Cyber-Attacks,” Congressional Research Service, RL32331, Apr. 1, 2004, 

www.cisco.com/warp/public/779/.../images/CRS_Cyber_Attacks.pdf; A. Marshall Acuff, Jr., “Information 

Security Impacting Securities Valuations: Information Technology and the Internet Changing the Face of 

Business,” Salomon Smith Barney, 2000, at 3-4. 


! 

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

10 2011 Cost of Data Breach Study: United States, Ponemon Research Institute & Symantec Corp., Mar. 2012, 

http://www.symantec.com/about/news/release/article.jsp?prid=20120320_02. 

11 Reputation Impact of a Data Breach: U.S. Study of Executives & Managers, Ponemon Research Institute & 

Experian Corp., Nov. 2011, http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breachesharm-reputations/. 

12 In re Citigroup Inc. Shareholder Derivative Action, No. 3338-CC, 2009 WL 481906 (Del. Ch. Feb. 24, 2009), 

http://www.delawarelitigation.com/uploads/file/int99(1).pdf ; Stone v. Ritter, 911 A.2d 362, 366–67 (Del. 

2006), http://caselaw.lp.findlaw.com/data2/delawarestatecases/93-2006.pdf. 

13 Council of Europe Convention on Cybercrime – Budapest, 23.XI.2001 (ETS No. 185) (2002), 

http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CL=ENG, Council of Europe 

Convention on Cybercrime Explanatory Report, Nov. 8, 2001, 

http://conventions.coe.int/Treaty/en/Reports/Html/185.htm. 

14 Proposal for a Council Framework Decision on attacks against information systems, Commission of the European 

Communities, Article 9, Apr. 19, 2002, COM(2002) 173 final, 2002/0086 (CNS), http://europa.eu.int/eurlex/en/com/pdf/2002/com2002_0173en01.pdf; 

see also Proposal for a Directive of the European Parliament and of 

the Council on attacks against information systems and repealing Council Framework Decision 2005/222/JHA, European 

Commission, COM(2010) 517, http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/10/463. 

15 John H. Nugent, “Corporate Officer and Director Information Assurance (IA) Liability Issues: A Layman’s 

Perspective,” Dec. 15, 2002. 

16 Id. (citing Dr. Andrew Rathmell, Chairman of the Information Assurance Advisory Council, “Information 

Assurance: Protecting your Key Asset,” http://www.iaac.ac.uk). 

17 See Internet World Stats, http://www.internetworldstats.com. 

18 Jody R. Westby, ed., International Guide to Cyber Security, ABA Publishing, American Bar Assn., 2004 at 18 

(consequential infrastructure includes the information and communication systems that, when manipulated, 

could cause a catastrophic event with enormous consequences). 

19 Westby & Allen at 57-58. 

20 For a full discussion on the appropriate assignment of roles and responsibilities for all organizational 

personnel and boards of directors, see Westby and Allen at 19-31, Appendix C. 


!

Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

Create successful ePaper yourself

Delete template?

Save as template?