2/28/2012 02:51 AM
RSA: Top-Level Execs Not On Top Of Risk Management

New RSA-Carnegie Mellon CyLab survey finds most Fortune 2000 execs have little to do with their firms' security and privacy policies


RSA CONFERENCE 2012 -- San Francisco, Calif. -- Most Fortune 2000 executives and external boards of directors are still not involved with their companies' cybersecurity strategy and oversight, according to new data revealed here today by Carnegie Mellon's Cylab.

Carnegie Mellon and RSA, which commissioned the survey, gave a peek at the preliminary results here today at a press briefing that also headlined RSA Security executive chairman Art Coviello. Coviello urged the security industry to work together "as never before" to fight all types of attackers, from nation-state to hacktivists to cybercriminals. "We have to have the commitment and resolve to work together as never before," said Coviello, who plans to detail this in his keynote address here tomorrow. "You will hear from me tomorrow a very strong call to action."

[ Major global corporations call for more collaboration among organizations hit by cyberattacks, but the devil's in the details. See Victim Businesses Teaming Up To Fight Cybercriminals. ]

He also noted RSA's firsthand experience in the heightened attack landscape, given its breach last March. "We learned from our own incident, and it provided us insight into others' attacks," Coviello said. He reiterated that despite the breach of the SecurID servers, there were no successful attacks on its customers in the aftermath.

The key is intelligence-driven security, Coviello said, and organizations must do a better job at evaluating risk.

"The research from Carnegie Mellon bears that out," he said.

When grilled during a question-and-answer period by some members of the press about whether RSA now has a credibility problem as a security vendor advising its customers, Coviello said security companies will continue to be targeted. "We've never seen so many high-profile attacks" as there were in the past 12 months, he said. "We've never had attacks that have been used on one company to be a stepping stone to [attacking] other companies. That's why so many security firms have been attacked."

Meanwhile, the Carnegie Mellon survey data raises some red flags for the boardroom of some of the world's largest firms: More than 70 percent of these top-level execs said they either occasionally, rarely, or never review the roles and responsibilities of their top IT security and privacy officials. And more than 70 percent operate the same way when it comes to reviewing top-level policies on IT security and privacy risks. They're just not closely involved, the study found.

"This indicates that we still have gaps in core governance responsibilities," said Jody Westby, CEO of Global Risk & Adjunct Distinguished Fellow, Carnegie Mellon CyLab.

And less than two-thirds have full-time privacy and security positions filled in their companies, according to the survey.

This vindicates the CSO's cry that it's difficult to get the attention of senior management, Westby said. "It's hard to get access to that level" of management, she said.

There were some bright spots, however: Enterprise risk management programs are on the rise, with 94 percent of the firms reporting that they have these programs in place, up from 85 percent in 2010. And more of the Fortune firms have cross-organizational teams that manage privacy, security, and risk -- 70 percent, up from 65 percent in 2010.

Meanwhile, Westby maintained that a business' security policies are its own responsibility, not that of RSA or other security vendors.

"No security company can be responsible for the security policies of all of its customers," Westby said. "We can't think that security companies are able to protect the business community" fully, she said. "That's the business community's responsibility."

A full copy of the 2012 Carnegie Mellon CyLab Governance report is available here (PDF).


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
