At the IT security conference that bears his company's name, RSA executive chairman Art Coviello acknowledged that the company has a lot of work to do to repair its reputation after a 2011 hack attack that exposed information on 77 million customer accounts. "We recognize that we have to regain and maintain our customers' confidence," Coviello said at a news conference late Monday, prior to his kick-off keynote address Tuesday at RSA Conference 2012 in San Francisco, the first since RSA's breach in March 2011.
Despite widespread media attention to the breach of RSA's SecurID security protection for customers, Coviello reiterated that "there was no successful attack [on customers] using the information stolen from us." RSA worked for up to nine months after the breach not only to make sure there was no subsequent attack on a customer, he said, but also to rebuild customer confidence in the company.
However, a new Global 2000 survey released by RSA, the security division of EMC, shows a troubling lack of attention to security and privacy risks among directors and top executives, and calls for companies to "establish a tone from the top" to make security and privacy protection top priorities. The Carnegie Mellon University CyLab 2012 Governance Survey, of people from Forbes Global 2000 companies, revealed that 70% of those surveyed "occasionally, rarely, or never" review and approve top-level policies on IT security and privacy; 74% occasionally, rarely, or never approve roles and responsibilities for lead personnel for privacy and security; and 64% occasionally, rarely, or never approve annual budgets for privacy and security protection.
"Boards really are not exercising governance by undertaking the core activities that they should be taking to really be watching what's going on with the privacy and security in their organizations," said Jody Westby, adjunct distinguished fellow at Carnegie Mellon's CyLab and author of the study.