Those findings come from "Governance of Enterprise Security," a new study released yesterday by Carnegie Mellon University's CyLab. The report is based on a survey of 66 board directors or senior executives who work at Fortune 1000 companies. Nearly half of respondents work at critical infrastructure companies. CyLab conducted a similar survey in 2008.
According to the report's author, Jody Westby, who's CEO of Global Cyber Risk and a distinguished fellow at CyLab, "the survey results indicate that boards and senior executives need to be more actively involved in the governance of the privacy and security of their computer systems and data."
For starters, not a single respondent listed computer or data security among their board's top three priorities, and only 2% said that their board actively addressed IT operations and vendor management. Furthermore, 65% of boards had not reviewed their business's insurance coverage for cyber-related risks.
The new survey did, however, find some improvements. For example, the number of organizations with a risk committee that's separate from an audit committee rose from 8% in 2008 to 14% in 2010. Even so, only about two-thirds of those risk committees oversee their company's privacy and security practices. According to Westby, failing to have a proper risk management program, and instead simply using audit committees to manage IT risks and security programs, can create a number of "segregation of duties issues."
Organizations are, however, getting better at recruiting board members who bring security expertise. According to the report, "another positive sign from the survey was the importance that boards are placing upon IT security and risk expertise in board recruitment." Indeed, three-quarters of respondents rated IT experience as at least "somewhat important" when recruiting new directors, and 86% said the same of risk management or security expertise.
In another positive sign, the report found that 65% of organizations now have a cross-functional team for managing security and privacy, compared with only 17% of organizations in 2008.