2/28/2012 02:51 AM
RSA: Top-Level Execs Not On Top Of Risk Management

New RSA-Carnegie Mellon CyLab survey finds most Fortune 2000 execs have little to do with their firms' security and privacy policies

RSA CONFERENCE 2012 -- San Francisco, Calif. -- Most Fortune 2000 executives and external boards of directors are still not involved in their companies' cybersecurity strategy and oversight, according to new data revealed here today by Carnegie Mellon's CyLab.

Carnegie Mellon and RSA, which commissioned the survey, gave a peek at the preliminary results here today at a press briefing that also headlined RSA Security executive chairman Art Coviello. Coviello urged the security industry to work together "as never before" to fight all types of attackers, from nation-state to hacktivists to cybercriminals. "We have to have the commitment and resolve to work together as never before," said Coviello, who plans to detail this in his keynote address here tomorrow. "You will hear from me tomorrow a very strong call to action."

He also pointed to RSA's firsthand experience of the heightened attack landscape, given its own breach last March. "We learned from our own incident, and it provided us insight into others' attacks," Coviello said. He reiterated that despite the breach of the SecurID servers, there were no successful attacks on its customers in the aftermath.

The key is intelligence-driven security, Coviello said, and organizations must do a better job at evaluating risk.

"The research from Carnegie Mellon bears that out," he said.

When grilled during a question-and-answer period by some members of the press about whether RSA now has a credibility problem as a security vendor advising its customers, Coviello said security companies will continue to be targeted. "We've never seen so many high-profile attacks" as there were in the past 12 months, he said. "We've never had attacks that have been used on one company to be a stepping stone to [attacking] other companies. That's why so many security firms have been attacked."

Meanwhile, the Carnegie Mellon survey data raises some red flags for the boardrooms of some of the world's largest firms: More than 70 percent of these top-level execs said they either occasionally, rarely, or never review the roles and responsibilities of their top IT security and privacy officials. And more than 70 percent operate the same way when it comes to reviewing top-level policies on IT security and privacy risks. They're just not closely involved, the study found.

"This indicates that we still have gaps in core governance responsibilities," said Jody Westby, CEO of Global Risk and adjunct distinguished fellow at Carnegie Mellon CyLab.

And fewer than two-thirds of the companies have full-time privacy and security positions filled, according to the survey.

This vindicates the CSO's cry that it's difficult to get the attention of senior management, Westby said. "It's hard to get access to that level" of management, she said.

There were some bright spots, however: Enterprise risk management programs are on the rise, with 94 percent of the firms reporting that they have such programs in place, up from 85 percent in 2010. And more of the Fortune firms have cross-organizational teams that manage privacy, security, and risk -- 70 percent, up from 65 percent in 2010.

Meanwhile, Westby maintained that a business's security policies are its own responsibility, not that of RSA or other security vendors.

"No security company can be responsible for the security policies of all of its customers," Westby said. "We can't think that security companies are able to protect the business community" fully, she said. "That's the business community's responsibility."

A full copy of the 2012 Carnegie Mellon CyLab Governance report is available here (PDF).

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...