Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

More documents

Recommendations

Info

est practices for board involvement with respect to IT governance that strengthen the security posture of a company. When asked whether their boards receive information or are involved in activities related to these best practices, respondents indicated that boards are only occasionally, rarely or never engaged: Carnegie Mellon CyLab ! ! Review annual budgets. Fifty-three percent (53%) of respondents said their board rarely or never reviewed and approved annual budgets for privacy and IT security programs; 9% said they occasionally did. Only 31% of respondents indicated that their boards regularly reviewed and approved these budgets. ! Review roles and responsibilities. Fifty-six percent (56%) of respondents indicated their board rarely or never reviewed and approved roles and responsibilities of personnel responsible for privacy and security risks; an additional 18% said they occasionally did. Only 19% said they regularly reviewed privacy and security roles and responsibilities. ! Review top-level policies. Forty-one percent (41%) of respondents said their board rarely or never reviewed and approved top-level policies regarding privacy and security risks; an additional 28% said they occasionally did. Only one-quarter (25%) of the respondents said they regularly reviewed toplevel privacy and security policies. ! Receive reports on privacy and security risks. Twenty-six percent (26%) of respondents said their board rarely or never received reports from senior management regarding privacy and IT security risks; an additional 33% said they occasionally got such reports. Thirty-nine percent (39%) said they regularly received reports on privacy and IT security risks. These results were slightly better than the 2008 results (62% occasionally or rarely received reports and 15% never did). ! Receive reports on security breaches or loss of data. Thirty percent (30%) of respondents said their board rarely or never reviewed reports of security breaches or incidents involving the disclosure of personally identifiable information or theft of corporate data; another 30% said they occasionally received such reports. Thirty-one percent (31%) of the respondents said their boards regularly reviewed these reports. ! Review annual computer security program assessments. Thirty-six (36%) of respondents said their board rarely or never reviewed annual security program assessments; another 20% said they occasionally did. Only 35% of the respondents said they regularly reviewed such reports. There were only modest gains in each of the first four areas (breach reports and security program assessments were not asked for in the 2008 and 2010 surveys), particularly in regularly receiving reports from senior 7R!
management regarding privacy and security risks (20% in 2008 compared with 39% in 2012) and reviewing management budgets management (14% regarding in 2008 compared privacy and with security 31% in risks 2012). (20% in 2008 compared with 39% in 2012) and reviewing budgets management budgets (14% regarding in 2008 compared privacy and with security 31% in risks 2012). (20% in 2008 compared with 39% in 2012) and reviewing budgets Industry budgets (14% & Region in 2008 Comparison compared with Table: 31% Boards in 2012). Rarely or Never Undertaking Best Practice Activities Industry & Region Comparison Table: Boards Rarely or Never Undertaking Best Practice Activities Industry Percentage & of Region boards that Comparison rarely or never: Table: North Boards Europe Rarely Asia or Never Energy Undertaking Financial Best IT Practice / Activities Industrials America / Telecom Percentage of boards that rarely or never: North Europe Asia Utilities Energy Financial IT / Industrials Percentage of boards that rarely or never: North America North America Europe Asia Energy / Energy / Financial IT Telecom IT Telecom / Industrials Rarely/never review annual budgets 81% 44% 29% 71% 42% 62% 56% America / Utilities / Utilities Telecom Rarely/never review roles & 67% 53% 43% 79% 39% 69% 75% Rarely/never review annual budgets 81% 44% 29% Utilities 71% 42% 62% 56% responsibilities 71% 42% 62% 56% Rarely/never Rarely/never review review annual roles annual roles & budgets responsibilities 81% 67% 81% 67% 44% 53% 44% 53% 29% 43% 29% 43% 71% 79% 71% 79% 42% 39% 42% 39% 62% 69% 62% 69% 56% 75% 56% Rarely/never review top-level policies 56% 38% 33% 64% 19% 54% 63% 75% Rarely/never Rarely/never review review roles top-level roles top-level & responsibilities policies 67% 56% 67% 56% 53% 38% 53% 38% 43% 33% 43% 33% 79% 64% 79% 64% 39% 19% 39% 19% 69% 54% 69% 54% 75% 63% 75% Rarely/never receive privacy/security 23% 31% 24% 21% 11% 31% 50% 63% Rarely/never Rarely/never review receive review receive top-level privacy/security policies reports 56% 23% 56% 23% 38% 31% 38% 31% 33% 24% 33% 24% 64% 21% 64% 21% 19% 11% 19% 11% 54% 31% 54% 31% 63% 50% 63% reports 50% Rarely/never Rarely/never receive receive privacy/security breach/data privacy/security breach/data loss reports rpts 23% 14% 23% 14% 31% 44% 31% 44% 24% 52% 24% 52% 21% 36% 21% 36% 11% 22% 11% 22% 31% 31% 50% 44% 50% Rarely/never receive breach/data loss 14% 44% 52% 36% 22% 31% 44% 44% Rarely/never rpts Rarely/never receive review receive review security breach/data program loss rpts 14% 37% 14% 37% 44% 34% 44% 34% 52% 48% 52% 48% 36% 57% 36% 57% 22% 17% 22% 17% 31% 46% 31% 46% 44% 50% 44% 50% Rarely/never assessments Rarely/never Rarely/never Rarely/never assessments review review review security security security program program program 37% 37% 34% 34% 48% 48% 57% 57% 17% 17% 46% 46% 50% 50% assessments assessments assessments North North American American respondents respondents indicated indicated that that their their boards boards are are more more neglectful neglectful in undertaking undertaking key activities activities North associated North associated North associated American with with privacy privacy respondents and and security security indicated governance governance that their than than boards European European are more and and neglectful Asian Asian boards, boards, in undertaking except except for for key receiving receiving activities associated reports. associated reports. associated reports. European European with privacy respondents respondents and security are are worse worse governance worse governance at at undertaking undertaking than European best best practices practices and Asian than than boards, Asian Asian except respondents, respondents, for receiving except except for for reports. reviewing reports. reviewing reports. reviewing European breach breach reports reports respondents and and security security are worse program program at undertaking assessments. assessments. best In practices examining than sector Asian responses, respondents, the financial except for sector reviewing sector far outpaced breach outpaced breach reports other and industry security sectors program in every assessments. area, confirming In examining the view sector that they responses, lead in the good financial governance sector In sector governance examining far outpaced practices, sector other responses, although industry the budget sectors financial reviews in sector every should area, far outpaced improve. confirming other the industry view that sectors they lead in every in good area, governance confirming governance the practices, view that although they lead budget in good reviews governance should improve. practices, although budget reviews should improve. The The survey survey respondents respondents indicated indicated that that the the energy/utilities energy/utilities industry industry sector sector has has the the poorest poorest governance governance in in every The almost The area The almost survey except survey every respondents for respondents area. receiving indicated reports. that the energy/utilities industry sector has the poorest governance in almost every area. Board Committee Committee Structure Structure Board Committee Structure Some of of the the biggest biggest improvements improvements have have been been organizational. organizational. Traditionally, Traditionally, boards boards have have not not separated separated risk risk management Some management Some management of the biggest and and audit audit improvements responsibilities responsibilities have by by been establishing establishing organizational. separate separate Risk Risk Traditionally, and and Audit Audit boards Committees. Committees. boards Committees. have not Although Although separated the the risk majority management majority management majority of of companies companies and audit still still responsibilities tend tend to to place place by risk risk establishing responsibilities responsibilities separate with with Risk the the and Audit Audit Audit Committee, Committee, Committees. the the Governance Governance Although the Surveys majority Surveys majority Surveys show show of companies this this is is changing. changing. still tend How How to place a a board board risk responsibilities is is organized organized and and with how how the it it Audit assigns assigns Audit assigns Committee, committee committee the responsibilities responsibilities Governance can can significantly Surveys significantly Surveys significantly show influence influence this is changing. the the effectiveness effectiveness How a board of of its its management management is management is organized and activities activities how it and and assigns security security committee posture. posture. responsibilities can significantly influence the effectiveness of its management activities and security posture. Respondents Respondents indicated indicated that that only only 48% 48% of of boards boards have have a a Risk Risk Committee Committee that that is is separate separate from from an an Audit Audit Committee Committee Respondents Committee – – indicated and and of of these, these, that 81% 81% only of of 48% of these these of boards Risk Risk boards Risk Committees Committees have a Risk oversee oversee Committee privacy privacy that and and is security. security. separate These These from an results results Audit Committee represent represent Committee represent a a significant significant – and of these, improvement improvement 81% of since since these the the Risk 2008 2008 Committees survey, survey, when when oversee only only privacy 8% 8% of of boards boards and security. had had Risk Risk These Committees Committees results represent and represent and represent and only only 53% 53% a significant of of those those improvement oversaw oversaw privacy privacy since and and the security, security, 2008 survey, and and the the when 2010 2010 only survey, survey, 8% of which of which boards indicated indicated had Risk 14% 14% Committees of of boards boards had had a and a and a Risk Risk only Committee Committee 53% of those and and of of oversaw those, those, privacy 67% 67% privacy 67% of of and them them security, had had oversight oversight and the of of 2010 privacy privacy survey, and and which security. security. indicated 14% of boards had a Risk Committee and of those, 67% of them had oversight of privacy and security. Industry & & Region Region Comparison Comparison Table: Table: Risk Risk Committees Committees Responsible Responsible for for Privacy Privacy & & Security Security Industry Risk Committee & Region Comparison North Table: Europe Risk Asia Committees Energy Responsible / Financial for IT Privacy / & Industrials Security Risk Committee North North Europe Europe Asia Asia Energy Energy / Financial IT IT / / Industrials Risk Separate Risk Separate Risk Separate Committee from Audit? America North America North America Europe Asia / Energy Utilities Energy Utilities / Financial Telecom IT Telecom IT Telecom / Industrials Separate Yes Separate Yes from Audit? America 35% 41% 76% Utilities Utilities 35% 78% Telecom 31% 44% Yes If Yes If yes, does the Risk Committee 35% 35% 41% 41% 76% 76% 35% 35% 78% 78% 31% 31% 44% 44% If oversee If oversee yes, does privacy the Risk & security? Committee oversee Yes oversee Committee oversee Yes privacy & security? 93% 85% 75% 100% 79% 75% 57% Yes oversee Yes privacy & 93% 85% 75% 100% 79% 75% 57% security? Yes 93% 85% 75% 100% 79% 75% 57% Carnegie Mellon CyLab Carnegie Mellon CyLab Carnegie ! Carnegie Mellon CyLab ! ! 7S! 7S! 7S!
Page 1 and 2: How Boards & Senior Executives Are
Page 3 and 4: Table of Contents Table of Contents
Page 5 and 6: About Carnegie Mellon CyLab About C
Page 7 and 8: About RSA About RSA Founded in 1982
Page 9 and 10: Executive Executive Summary Summary
Page 11 and 12: Committee, but indicated that when
Page 13 and 14: Carnegie Mellon University’s Dean
Page 15 and 16: Enterprise governance and IT govern
Page 17 and 18: II. Findings and Conclusions II. Fi
Page 19: Industry & Region Comparison Table:
Page 23 and 24: esponsible for risk 65% of the time
Page 25 and 26: Industry & Region Comparison Table:
Page 27 and 28: Industry & Region Comparison Table:
Page 29 and 30: Regional Regional Conclusions Carne
Page 31 and 32: Endnotes !!!!!!!!!!!!!!!!!!!!!!!!!!

Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

Create successful ePaper yourself

Delete template?

Save as template?