RSA: Top-Level Execs Not On Top Of Risk Management

New RSA-Carnegie Mellon CyLab survey finds most Fortune 2000 execs have little to do with their firms' security and privacy policies


RSA CONFERENCE 2012 -- San Francisco, Calif. -- Most Fortune 2000 executives and external boards of directors are still not involved with their companies' cybersecurity strategy and oversight, according to new data revealed here today by Carnegie Mellon's CyLab.

Carnegie Mellon and RSA, which commissioned the survey, gave a peek at the preliminary results here today at a press briefing that also headlined RSA Security executive chairman Art Coviello. Coviello urged the security industry to work together "as never before" to fight all types of attackers, from nation-state to hacktivists to cybercriminals. "We have to have the commitment and resolve to work together as never before," said Coviello, who plans to detail this in his keynote address here tomorrow. "You will hear from me tomorrow a very strong call to action."


He also noted RSA's firsthand experience in the heightened attack landscape, given its own breach last March. "We learned from our own incident, and it provided us insight into others' attacks," Coviello said. He reiterated that despite the breach of the SecurID servers, there were no successful attacks on its customers in the aftermath.

The key is intelligence-driven security, Coviello said, and organizations must do a better job at evaluating risk.

"The research from Carnegie Mellon bears that out," he said.

When grilled during a question-and-answer period by some members of the press about whether RSA now has a credibility problem as a security vendor advising its customers, Coviello said security companies will continue to be targeted. "We've never seen so many high-profile attacks" as there were in the past 12 months, he said. "We've never had attacks that have been used on one company to be a stepping stone to [attacking] other companies. That's why so many security firms have been attacked."

Meanwhile, the Carnegie Mellon survey data raises some red flags for the boardrooms of some of the world's largest firms: More than 70 percent of these top-level execs said they either occasionally, rarely, or never review the roles and responsibilities of their top IT security and privacy officials. And more than 70 percent operate the same way when it comes to reviewing top-level policies on IT security and privacy risks. They're just not closely involved, the study found.

"This indicates that we still have gaps in core governance responsibilities," said Jody Westby, CEO of Global Risk and adjunct distinguished fellow at Carnegie Mellon CyLab.

And fewer than two-thirds have full-time privacy and security positions filled in their companies, according to the survey.

This vindicates the CSO's cry that it's difficult to get the attention of senior management, Westby said. "It's hard to get access to that level" of management, she said.

There were some bright spots, however: Enterprise risk management programs are on the rise, with 94 percent of the firms reporting that they have these programs in place, up from 85 percent in 2010. And more of the Fortune firms have cross-organizational teams that manage privacy, security, and risk -- 70 percent, up from 65 percent in 2010.

Meanwhile, Westby maintained that a business's security policies are its own responsibility, not that of RSA or other security vendors.

"No security company can be responsible for the security policies of all of its customers," Westby said. "We can't think that security companies are able to protect the business community" fully, she said. "That's the business community's responsibility."

A full copy of the 2012 Carnegie Mellon CyLab Governance report is available from CyLab as a PDF.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
