Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

More documents

Recommendations

Info

Organizations are showing significant gains in cross-organizational communication. One Organizations of the most are significant showing improvements significant gains from in the cross-organizational 2008 and 2010 Governance communication. Surveys is in the establishment One of the most of internal significant cross-organizational improvements from groups the 2008 for communicating and 2010 Governance about privacy Surveys and is in security the issues. In establishment 2008, only 17% of internal of the cross-organizational respondents indicated groups that their for communicating organizations had about a cross-organizational privacy and security team; issues. in 2010, In 2008, 65% only of 17% the organizations of the respondents did; and indicated in 2012, that 72% their of the organizations respondents had indicated a cross-organizational that such a committee team; in had 2010, been established. 65% of the organizations This is very encouraging did; and in 2012, and indicates 72% of that the respondents companies are indicated learning that that such cross-organizational a committee had communication been established. is This essential is very to addressing encouraging insider and indicates threats, combating that companies external are learning attacks, closing that cross-organizational governance gaps, and communication reducing legal is essential liability. to addressing insider threats, combating external attacks, closing governance gaps, and reducing legal liability. Industry & Region Comparison Table: Cross-Organizational Committees Industry & Region Comparison Table: Cross-Organizational Committees Organizations with cross- North Europe Asia Energy / Financial IT / Industrials Organizational committee America Utilities Telecom Organizations with cross- North Europe Asia Energy / Financial IT / Industrials 72% 72% 71% 50% 86% 92% 50% Organizational committee America Utilities Telecom 72% 72% 71% 50% 86% 92% 50% The benefit of cross-organizational committees is realized across the globe; all geographic regions indicated that The 71% benefit or of more cross-organizational organizations have committees a cross-organizational is realized across team. the It globe; is a different all geographic story within regions industry indicated sectors, that 71% however. or more organizations The energy/utilities have a and cross-organizational industrials sectors team. each indicated It is a different that only story 50% within of the industry organizations sectors, however. have The such energy/utilities teams. and industrials sectors each indicated that only 50% of the organizations have such teams. CONCLUSIONS CONCLUSIONS The following conclusions can be drawn from the findings of the 2012 CyLab Governance Survey: The following conclusions can be drawn from the findings of the 2012 CyLab Governance Survey: ! Boards are actively addressing risk management, but there is still a gap in understanding the linkage ! between Boards are cybersecurity actively addressing risks and risk enterprise management, risk management. but there is still a gap in understanding the linkage ! Boards between are cybersecurity not undertaking risks and key governance enterprise risk activities management. that would help protect their organizations ! from Boards some are not of the undertaking highest risks: key the governance reputational activities and financial that would losses help flowing protect from their theft organizations of confidential from some of and the proprietary highest risks: data the or reputational security breaches and financial involving losses personally flowing identifiable from theft information. of ! Organizationally, confidential and proprietary improvements data are or security seen in (1) breaches the increased involving number personally of boards identifiable with Risk information. ! Committees Organizationally, responsible improvements for privacy are and seen security in (1) the risks, increased and (2) number the high of percentage boards with of Risk companies that Committees have established responsible cross-organizational for privacy and committees security risks, to focus and on (2) privacy the high and percentage security risks. of companies that ! Although have established most boards cross-organizational hire outside expertise, committees less to than focus half on hire privacy it for assistance and security with risks. risk assessments ! and Although risk management. most boards There hire outside is a higher expertise, reliance less upon than IT half security hire it for experts assistance than risk with services risk assessments firms. ! and The risk majority management. of boards There are not is evaluating a higher reliance the adequacy upon IT of security their organizations’ experts than insurance risk services coverage firms. for ! cyber The majority risks. of boards are not evaluating the adequacy of their organizations’ insurance coverage for ! Boards cyber risks. are recognizing that IT security and risk expertise are important skills when recruiting board ! members. Boards are recognizing that IT security and risk expertise are important skills when recruiting board ! members. Less than two-thirds of the Forbes Global 2000 companies responding to the survey have full-time ! personnel Less than two-thirds in key roles of responsible the Forbes for Global privacy 2000 and companies security in responding a manner that to the is consistent survey have with full-time internationally personnel in key accepted roles responsible best practices for privacy and standards. and security For organizations in a manner that that is do consistent have these with roles assigned, internationally there accepted is a serious best lack practices of functional and standards. separation For of organizations privacy and security that do responsibilities. have these roles ! assigned, CISO/CSOs there still is a tend serious to report lack of to functional CIOs more separation than to CEOs of privacy or CFOs. and security responsibilities. Carnegie Mellon CyLab Carnegie Mellon CyLab ! ! ! CISO/CSOs still tend to report to CIOs more than to CEOs or CFOs.
Regional Regional Conclusions Carnegie Carnegie Mellon Mellon CyLab CyLab ! ! ! European European boards pay less attention to IT operations operations and and computer computer and and information information security security than than North North American American and Asian boards. ! ! Other Other than than receiving receiving privacy/security privacy/security and and breach/data breach/data loss loss reports, reports, North North American American boards boards lag lag behind behind European European and and Asian Asian boards boards in in undertaking undertaking key key activities activities associated associated with with privacy privacy and and security security governance. governance. ! ! Asian Asian boards boards are are much much more more likely likely to to have have board board Risk Risk Committees Committees responsible responsible for for privacy privacy and and security security than than North North American American and European European boards. ! ! Across Across all all regions, regions, 56-58% 56-58% of of boards boards are not reviewing their organization’s cyber cyber insurance insurance coverage. coverage. ! ! North North American American boards boards are much more reliant upon insurance broker risk expertise than risk services services firms firms or or IT IT security security experts experts when when seeking seeking assistance assistance with with risk risk assessments assessments and and risk management. management. ! ! North North American American and and Asian Asian boards boards value value board board member member IT IT experience experience much much more more highly highly than than European European boards. boards. All All geographical geographical regions regions value value risk and security expertise. ! ! Although Although Europe Europe leads leads globally globally in in privacy privacy regulation regulation and and enforcement, enforcement, few few European European organizations organizations have have a a CPO CPO (3%), (3%), with with Asia Asia only only slightly slightly ahead ahead (5%). (5%). European European companies, companies, however, however, have have a a higher higher percentage percentage of of CISOs CISOs and and CSOs CSOs than than North North American American or or Asian Asian organizations. organizations. ! ! Asian Asian organizations organizations (82%) (82%) are are much much more more likely likely to to have have privacy privacy and and security security responsibilities responsibilities assigned assigned to to key key personnel personnel than than North North American American and and European European organizations organizations (44% (44% and and 48%, 48%, respectively). respectively). Asians Asians are are less less likely, likely, however, however, to to have have the the CISO/CSO CISO/CSO report report to to the the CIO. CIO. Industry Industry Sector Conclusions ! ! The The financial financial sector sector has has better better privacy privacy and and security security governance governance practices practices than than the the energy/utilities, energy/utilities, IT/telecom, IT/telecom, and and industrials industrials industry industry sectors. sectors. It It also also has has a a high high rate rate of of board board IT/Technology IT/Technology Committees Committees and and Risk Risk Committees Committees separate separate from from the the Audit Audit Committee, Committee, which which are are assigned assigned oversight oversight of of privacy privacy and and security. security. ! ! Unlike Unlike the the financial financial sector, sector, the the IT/telecom IT/telecom sector sector tends tends to to assign assign the the Audit Audit Committee Committee responsibility responsibility for for cybersecurity cyber security and and privacy privacy risks. risks. ! ! The The IT/telecom IT/telecom industry industry sector sector respondents respondents indicated indicated that that none none of of their their organizations organizations have have a a board board IT/Technology IT/Technology Committee. Committee. ! ! The The energy/utilities energy/utilities and and IT/telecom IT/telecom respondents respondents indicated indicated that that their their organizations organizations never never (0%) (0%) rely rely upon upon insurance insurance brokers brokers to to provide provide outside outside risk risk expertise, expertise, while while the the industrials industrials sector sector relies relies upon upon them them 100%. 100%. The The financial financial sector sector seldom seldom does. does. ! ! Energy/utilities Energy/utilities and and IT/telecom IT/telecom sector sector boards boards are are not not adequately adequately reviewing reviewing cyber cyber insurance insurance coverage. coverage. ! ! The The energy/utilities energy/utilities sector sector places places a a much much lower lower value value on on board board member member IT IT experience experience than than financial, financial, IT/telecom, IT/telecom, and and industrials industrials industry industry sectors. sectors.
Page 1 and 2: How Boards & Senior Executives Are
Page 3 and 4: Table of Contents Table of Contents
Page 5 and 6: About Carnegie Mellon CyLab About C
Page 7 and 8: About RSA About RSA Founded in 1982
Page 9 and 10: Executive Executive Summary Summary
Page 11 and 12: Committee, but indicated that when
Page 13 and 14: Carnegie Mellon University’s Dean
Page 15 and 16: Enterprise governance and IT govern
Page 17 and 18: II. Findings and Conclusions II. Fi
Page 19 and 20: Industry & Region Comparison Table:
Page 21 and 22: management regarding privacy and se
Page 23 and 24: esponsible for risk 65% of the time
Page 25 and 26: Industry & Region Comparison Table:
Page 27: Industry & Region Comparison Table:
Page 31 and 32: Endnotes !!!!!!!!!!!!!!!!!!!!!!!!!!

Governance of Enterprise Security: CyLab 2012 Report How ... - RSA

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?