RSA: Top-Level Execs Not On Top Of Risk Management

New RSA-Carnegie Mellon CyLab survey finds most Fortune 2000 execs have little to do with their firms' security and privacy policies

RSA CONFERENCE 2012 -- San Francisco, Calif. -- Most Fortune 2000 executives and external boards of directors are still not involved with their companies' cybersecurity strategy and oversight, according to new data revealed here today by Carnegie Mellon's CyLab.

Carnegie Mellon and RSA, which commissioned the survey, gave a peek at the preliminary results here today at a press briefing that also headlined RSA Security executive chairman Art Coviello. Coviello urged the security industry to work together "as never before" to fight all types of attackers, from nation-state to hacktivists to cybercriminals. "We have to have the commitment and resolve to work together as never before," said Coviello, who plans to detail this in his keynote address here tomorrow. "You will hear from me tomorrow a very strong call to action."


He also noted RSA's firsthand experience in the heightened attack landscape, given its own breach last March. "We learned from our own incident, and it provided us insight into others' attacks," Coviello said. He reiterated that despite the breach of the SecurID servers, there were no successful attacks on its customers in the aftermath.

The key is intelligence-driven security, Coviello said, and organizations must do a better job at evaluating risk.

"The research from Carnegie Mellon bears that out," he said.

When grilled during a question-and-answer period by some members of the press about whether RSA now has a credibility problem as a security vendor advising its customers, Coviello said security companies will continue to be targeted. "We've never seen so many high-profile attacks" as there were in the past 12 months, he said. "We've never had attacks that have been used on one company to be a stepping stone to [attacking] other companies. That's why so many security firms have been attacked."

Meanwhile, the Carnegie Mellon survey data raises some red flags for the boardrooms of some of the world's largest firms: More than 70 percent of these top-level execs said they either occasionally, rarely, or never review the roles and responsibilities of their top IT security and privacy officials. And more than 70 percent operate the same way when it comes to reviewing top-level policies on IT security and privacy risks. They're just not closely involved, the study found.

"This indicates that we still have gaps in core governance responsibilities," said Jody Westby, CEO of Global Risk and adjunct distinguished fellow at Carnegie Mellon CyLab.

And fewer than two-thirds have full-time privacy and security positions filled in their companies, according to the survey.

This vindicates the CSO's cry that it's difficult to get the attention of senior management, Westby said. "It's hard to get access to that level" of management, she said.

There were some bright spots, however: Enterprise risk management programs are on the rise, with 94 percent of the firms reporting that they have these programs in place, up from 85 percent in 2010. And more of the Fortune firms have cross-organizational teams that manage privacy and security and risk -- 70 percent, up from 65 percent in 2010.

Meanwhile, Westby maintained that a business's security policies are its own responsibility, not that of RSA or other security vendors.

"No security company can be responsible for the security policies of all of its customers," Westby said. "We can't think that security companies are able to protect the business community" fully, she said. "That's the business community's responsibility."

A full copy of the 2012 Carnegie Mellon CyLab Governance report is available here (PDF).


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
