Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:56 PM
Dark Reading
Dark Reading
Products and Releases

New Research Reveals Cyber Risk Still Not Getting Adequate Attention From Boards And Senior Executives

Less than one-third of the respondents indicate their boards and senior executives are undertaking basic responsibilities for cyber governance

Click here for more articles.

The advanced findings from the latest 2012 Carnegie Mellon CyLab Governance survey of how corporate boards and executives are managing cyber risks reveals the issue is still not getting adequate attention at the top. The survey, sponsored by RSA, The Security Division of EMC (NYSE: EMC), was the third survey conducted by CyLab Adjunct Distinguished Fellow, Jody Westby, and comparisons with the 2008 and 2010 data clearly show ongoing gaps in governance.

Using the Forbes Global 2000 list, the 2012 survey represents the first analysis of cyber governance postures of major corporations around the world. One of the most important advance findings is that boards and senior management still are not engaging in key oversight activities, such as setting top-level policies and reviews of privacy and security budgets to help protect against breaches and mitigate financial losses. Even though there are some improvements in key "regular" board governance practices, less than one-third of the respondents indicate their boards and senior executives are undertaking basic responsibilities for cyber governance.

Although improvements are shown in the formation of board Risk Committees and cross-organizational teams within their organizations, nearly half of the respondents indicated that their companies do not have full-time personnel in key privacy and security roles, and 58% of the respondents said their boards are not reviewing their companies' insurance coverage for cyber-related risks.


To help company boards improve corporate governance of privacy and security, the advance findings of the research included recommendations for organizations to undertake key governance activities, such as:

Establish the "tone from the top" for privacy and security through top-level policies. Review roles and responsibilities for privacy and security and ensure they are assigned to qualified full-time senior level professionals and that risk and accountability are shared throughout the organization. Ensure regular information flows to senior management and boards on privacy and security risks, including cyber incidents and breaches. Review annual IT budgets for privacy and security, separate from the CIO's budget. Conduct annual reviews of the enterprise security program and effectiveness of controls, review the findings, and ensure gaps and deficiencies are addressed. Evaluate the adequacy of cyber insurance coverage against the organization's risk profile.

The final survey report, which will also analyze differences in responses from Asia, Europe and North America and responses by industry sector, will be released in March 2012.

RSA Executive Quote:

Brian Fitzgerald, Vice President, Marketing, RSA

"The models for creating, delivering and managing IT services are in a state of transformation driven by virtualization, cloud computing, the hyper-connectivity of people and organizations, and the emergence of a new class of 'big data' applications. With the convergence of these trends amid an increasingly complex compliance and threat landscape, executives and boards must be actively engaged in ensuring their organizations are addressing these risks while reaping the benefits of next generation IT."

Carnegie Mellon Executive Quote:

Jody Westby, CEO of Global Risk & Adjunct Distinguished Fellow, Carnegie Mellon CyLab

"Privacy and security are competitiveness issues, and companies that set the tone of a 'trusted workplace' with their employees also convey the message of a 'trusted business' to the marketplace. Effective governance enhances profitability through the mitigation of liabilities and losses associated with compliance costs, operational downtime, cybercrime, and theft of intellectual property."

Additional Resources:

Download the 2012 Carnegie Mellon CyLab Governance survey Visit the RSA Thought Leadership page on EMC.com Learn more about Trusted IT from EMC Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and the RSA Speaking of Security Blog and Podcast.

About Carnegie Mellon CyLab: Carnegie Mellon CyLab is a university-wide, multi-disciplinary research and education center for computer and network security, information security and software assurance. CyLab is located in the College of Engineering at Carnegie Mellon University. For more, see www.cylab.cmu.edu.

About RSA

RSA, The Security Division of EMC is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...