Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

More documents

Recommendations

Info

from IT IT security security experts, experts, and and 18% 18% said said insurance insurance brokers brokers provided provided outside outside expertise. expertise. In In the the 2010 2010 survey, survey, from 17% from 17% of of IT of the the security the respondents respondents experts, indicated indicated and indicated 18% that that said that IT insurance IT security security brokers experts experts provided provided outside outside expertise. expertise, expertise, while In while the 26% 2010 26% indicated indicated survey, 17% insurance 17% insurance of the brokers brokers respondents provided provided indicated these these services, that services, IT security just just the the experts opposite opposite provided of of the the 2012 outside 2012 survey. survey. expertise, It It is is important while important 26% to to indicated to note note that that insurance the insurance the the survey survey brokers did did not not not provided ask ask ask what what these topics topics services, the the the outside outside just experts the experts opposite were were asked of asked the to 2012 to address, address, survey. so so it It it is is is possible important possible that that to the note the Audit, Audit, that the full the full full survey board, board, did or or or other other not other ask committees committees what topics hired hired the computer computer outside computer experts security security were or or IT asked IT expertise. expertise. to address, so it is possible that the Audit, full board, or other committees hired computer security or IT expertise. Industry & Region Comparison Table: Board Board Use of Use of Outside of Outside Experts Experts Industry & Region Comparison Table: Board Use of Outside Experts Source of of outside North North Europe Asia Asia Energy / / Financial IT IT / IT / / Industrials Source risk Source risk risk expertise expertise of outside North America North America Europe Asia Energy Utilities Energy Utilities / Financial IT Telecom IT Telecom / Telecom Industrials risk Risk risk Risk Risk expertise Services Services Firm Firm America 36% 23% 30% Utilities 17% 40% Telecom 0% 0% 0% 20% 20% Risk Insurance Risk Insurance Services Broker Broker Firm 36% 45% 36% 45% 23% 8% 30% 15% 30% 15% 15% 17% 0% 0% 40% 10% 40% 10% 0% 0% 0% 100% 20% 100% 100% Insurance IT Insurance IT IT Security Security Broker Experts Experts 45% 36% 45% 36% 39% 8% 39% 15% 50% 0% 50% 10% 20% 10% 20% 33% 0% 33% 33% 100% 20% 20% IT Security Experts 36% 39% 15% 50% 20% 33% 20% The North American respondents indicated that they they are are clearly clearly more more reliant reliant upon upon insurance insurance brokers brokers to to The provide The provide North outside outside American expertise expertise respondents than than Europe Europe indicated or or Asia. Asia. that It they It is is interesting are interesting clearly to more to note, note, reliant however, however, upon that insurance that respondents respondents brokers from from to the the provide energy/utilities provide energy/utilities outside and and expertise and IT/telecom IT/telecom than Europe sectors sectors or said said Asia. they they It do do is do interesting not not use use insurance insurance to note, brokers brokers however, brokers at at all that all for for respondents outside outside expertise, expertise, from the energy/utilities while while 100% 100% of of the and the respondents IT/telecom respondents from sectors from the the said industrials industrials they do sector not sector use indicated indicated insurance that that brokers they they use at use all insurance insurance for outside brokers brokers expertise, for for this this purpose. while purpose. while purpose. 100% of the respondents from the industrials sector indicated that they use insurance brokers for this purpose. IT IT IT security security and risk experience becoming more valuable to to boards. IT security and risk experience becoming more valuable to boards. Twenty-seven Twenty-seven percent percent (27%) (27%) of of Twenty-seven of the the the respondents respondents percent indicated indicated (27%) that of that of that the their their respondents board board had had indicated an an outside outside director that director that director their with board with cybersecurity cyber had security an security outside expertise, director expertise, director expertise, with up up from cyber from 18% security 18% in in 2010. expertise, 2010. expertise, 2010. Seventy-three Seventy-three up from 18% percent percent in (73%) 2010. (73%) of Seventy-three of of the the the respondents respondents percent said said their (73%) their (73%) their boards boards of boards the had had respondents had an an an outside outside said director their director their director boards with with had risk risk an expertise, outside compared director compared director compared with with with risk 59% 59% expertise, in in in 2010. 2010. Fifty-one compared Fifty-one compared Fifty-one percent percent with percent 59% (51%) (51%) in 2010. of of of respondents Fifty-one respondents Fifty-one respondents percent indicated indicated (51%) that that of their respondents their respondents their boards boards retain retain indicated retain professional professional that search their search their search boards firms firms retain to to seek seek professional qualified qualified candidates search candidates search candidates firms for for to their seek their board. qualified board. candidates for their board. Not Not surprisingly, surprisingly, the the experience deemed most important in in recruiting directors was financial and management Not management Not management surprisingly, expertise. expertise. the experience IT IT expertise expertise deemed is is becoming becoming most important more more valuable, valuable, in recruiting however. however. directors When When was recruiting, recruiting, financial IT IT and IT expertise expertise was was very management very important important expertise. or or or important important IT expertise for for 37% 37% is of becoming of the the respondents respondents more valuable, and and somewhat somewhat however. important important When recruiting, for for for 42%. 42%. IT It It It is is expertise is encouraging encouraging was that very that that 64% important 64% of of the the respondents or respondents important indicated indicated for 37% that that risk of risk the and and respondents security security expertise expertise and was was somewhat either either very very important important or for or important important 42%. It and and is 27% encouraging 27% said said it it was that was that was somewhat somewhat 64% somewhat of the important. important. respondents indicated that risk and security expertise was either very important or important and 27% said it was somewhat important. Carnegie Carnegie Mellon Mellon CyLab CyLab Carnegie Mellon CyLab ! ! !
Industry & Region Comparison Table: Experience Valuable When Recruiting Board Members Industry & Region Comparison Table: Experience Valuable When Recruiting Board Members When recruiting board members, how North Europe Asia Energy / Financial IT / Industrials valuable When valuable recruiting is: board members, how America North America Europe Asia Utilities Energy Utilities / Financial Telecom IT Telecom / Industrials IT valuable IT experience is: – Very imp or imp America 42% 22% 48% Utilities 7% 42% Telecom 62% 31% Risk/security IT Risk/security experience experience – Very imp – or Very imp imp or imp 63% 42% 63% 56% 22% 56% 62% 48% 62% 50% 7% 75% 42% 75% 69% 62% 69% 50% 31% 50% Risk/security experience – Very imp or imp 63% 56% 62% 50% 75% 69% 50% Only 22% of European respondents indicated that IT experience was very important or important in recruiting Only recruiting 22% board of European members, respondents while 42% indicated of North that American IT experience and 48% was of very Asian important respondents or important indicated in it was very recruiting very important board or members, important. while Only 42% 7% of of North the respondents American and from 48% the of energy/utilities Asian respondents sector indicated found IT it was experience very experience important to be or very important. important Only or important, 7% of the respondents while other sectors from the ranked energy/utilities it quite high, sector especially found the IT IT/telecom experience IT/telecom to sector. be very important or important, while other sectors ranked it quite high, especially the IT/telecom sector. Internal Organizational Roles & Responsibilities Internal Organizational Roles & Responsibilities Boards and senior management are lagging in establishing key positions for privacy and security or appropriately appropriately Boards appropriately and senior assigning management responsibilities. are lagging in establishing key positions for privacy and security or appropriately Best practices call assigning for clear responsibilities. roles and responsibilities with respect to privacy and security. The delineation of responsibilities Best responsibilities practices call should for clear serve roles as a and check responsibilities and balance and with protect respect the to company privacy and against security. SOD The issues delineation that could of increase responsibilities increase risk. There should is a serve general as a belief check that and most balance companies and protect do not the understand company against this and SOD are not issues creating that could the needed increase needed roles risk. or There are inappropriately is a general belief combining that most responsibilities. companies do not So disparate understand disparate are this the and approaches are not creating to IT security, the that needed that titles roles for or personnel are inappropriately responsible combining for privacy responsibilities. and security span So four disparate possibilities: are the chief approaches privacy to officer IT security, (CPO), chief that chief titles information for personnel security responsible officer (CISO), for privacy chief and security security officer span (CSO), four possibilities: and chief risk chief officer privacy (CRO). officer (CPO), chief information security officer (CISO), chief security officer (CSO), and chief risk officer (CRO). Organizations Organizations continued to show that they do not have full-time, senior-level personnel in place to Organizations appropriately appropriately manage continued privacy to show and that security they risks. do not have full-time, senior-level personnel in place to appropriately manage privacy and security risks. ! 35% of the respondents said their ! organizations 35% organizations of the respondents did not have said a CISO their ! 47% organizations 47% said they did did not not have have a a CISO CSO ! ! 47% 82% said said they they did did not not have have a a CSO CPO ! ! 82% 42% said their they their did organizations not have a did CPO ! not 42% not have said a their CRO. organizations did not have a CRO. The CRO title is being used by security savvy The savvy CRO companies title is being that understand used by security the need savvy need to companies integrate IT, that IT, physical, understand and the personnel need personnel to integrate risks and IT, manage physical, them and through personnel through one risks position. and manage Less than them two- through thirds of the one Forbes position. Global Less 2000 than companies two- responding to the survey have full-time personnel in key roles responsible for privacy thirds and security of the Forbes in a manner Global that 2000 is consistent companies with responding with internationally to the survey accepted have best full-time practices personnel and standards. in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards. It is possible that some respondents indicated that they did not have someone in a particular position because the It the is person possible in that their some organization respondents did not indicated have that that specific they did title. not have This, someone however, in does a particular not comport position with because best practices the practices person and in standards. their standards. organization Any organization did not have large that enough specific to be included title. This, in the however, Forbes Global does 2000 not list comport should have with have a best CIO, CISO/CSO, practices CISO/CSO, and CPO, standards. and CRO. Any The organization percentage large of enough of companies to be included without in the these Forbes positions Global 2000 was also list should high in have in the a CIO, 2008 and CISO/CSO, and 2010 surveys, CPO, although and although CRO. the The number percentage of organizations of companies that without do have these CISOs positions jumped was from also 30% high in in 2008 the 2008 and and 2010 surveys, although the number of organizations that do have CISOs jumped from 30% in 2008 and Carnegie Mellon CyLab Carnegie Mellon CyLab ! !
Page 1 and 2: How Boards & Senior Executives Are
Page 3 and 4: Table of Contents Table of Contents
Page 5 and 6: About Carnegie Mellon CyLab About C
Page 7 and 8: About RSA About RSA Founded in 1982
Page 9 and 10: Executive Executive Summary Summary
Page 11 and 12: Committee, but indicated that when
Page 13 and 14: Carnegie Mellon University’s Dean
Page 15 and 16: Enterprise governance and IT govern
Page 17 and 18: II. Findings and Conclusions II. Fi
Page 19 and 20: Industry & Region Comparison Table:
Page 21 and 22: management regarding privacy and se
Page 23: esponsible for risk 65% of the time
Page 27 and 28: Industry & Region Comparison Table:
Page 29 and 30: Regional Regional Conclusions Carne
Page 31 and 32: Endnotes !!!!!!!!!!!!!!!!!!!!!!!!!!

Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?