At the IT security conference that bears his company's name, RSA executive chairman Art Coviello acknowledged the company's got a lot of work to do to repair its reputation after a 2011 hack attack that exposed information on 77 million customer accounts. "We recognize that we have to regain and maintain our customers' confidence," Coviello said at a news conference late Monday prior to his kick-off keynote address Tuesday at RSA Conference 2012 in San Francisco, the first since RSA's breach in March 2011.
Despite widespread media attention to the breach of RSA's SecurID security protection for customers, Coviello reiterated that "there was no successful attack [on customers] using the information stolen from us." RSA worked for up to nine months after the breach to make sure there was no subsequent attack on a customer, he said, but also to rebuild customer confidence in the company.
However, a new Global 2000 survey released by RSA, the security division of EMC, shows a troubling lack of attention to security and privacy risks among directors and top executives, and calls for companies to "establish a tone from the top" to make security and privacy protection top priorities. The Carnegie Mellon University CyLab 2012 Governance Survey, of people from Forbes Global 2000 companies, revealed that 70% of those surveyed "occasionally, rarely or never" review and approve top-level policies on IT security and privacy; 74% occasionally, rarely or never approve roles and responsibilities for lead personnel for privacy and security; and 64% occasionally, rarely or never approve annual budgets for privacy and security protection.
"Boards really are not exercising governance by undertaking the core activities that they should be taking to really be watching what's going on with the privacy and security in their organizations," says Jody Westby, adjunct distinguished fellow at Carnegie Mellon's CyLab and author of the study.
Slightly more encouraging was that 38% said they regularly receive reports from senior management regarding security and privacy issues, followed by 34% occasionally, and 25% rarely or never. Even more encouraging was evidence that board structures are changing to pivot toward security awareness. The survey showed that in 2012, 46% of those surveyed said they had created a board Risk Committee to focus on security and privacy as separate from a board Audit Committee. That's up from 14% in a 2010 survey and just 8% in 2008.
Also, 94% of respondents said their organization had formed an Enterprise Risk Management (ERM) program or other structure for assessing, reporting and responding to risks that could impact company operations. However, only half of those ERMs look specifically at privacy and security matters, Westby says, "so it does indicate that there's still a gap in recognizing that IT risks are enterprise risks."
In a preview of his keynote remarks, RSA's Coviello noted the expansion of the Internet in just the last 10 years, the exponential increase in the number of access devices, the huge streams of data coursing through networks and the rise of social media that creates a great atmosphere of openness in society. "Why is it a surprise that hackers are taking advantage of the degrees of openness that we see today?" Coviello asked. He said perimeter defenses are not enough to protect today's vast IT environment and called for a "defense-in-depth" strategy of multiple layered safeguards against hacking and other threats.