Study: Cybersecurity Not a Top Priority for Corporate Boards, Upper Management

Security experts say cyberthreats like phishing, malware and hacking are more prevalent than ever, yet most corporate boards and executives still haven't made cybersecurity a top organizational priority.

According to a recent survey by RSA, the security division of EMC, board members and senior management at Forbes Global 2000 companies are reluctant to get involved in oversight activities like reviewing privacy and security budgets and policies.

"Privacy and security are competitiveness issues, and companies that set the tone of a 'trusted workplace' with their employees also convey the message of a 'trusted business' to the marketplace," said Jody Westby of Carnegie Mellon CyLab. "Effective governance enhances profitability through the mitigation of liabilities and losses associated with compliance costs, operational downtime, cybercrime, and theft of intellectual property."

The survey revealed only 23 percent of corporate boards and senior management regularly review and approve top-level policies regarding privacy and IT security, while more than 40 percent rarely or never complete either governance task. Meanwhile, just 38 percent of respondents said their organization's board regularly receives privacy and security reports from senior management.

With cybercriminals increasingly using sophisticated, targeted attacks and mobile devices opening new security risks for enterprises, experts say it's imperative for top-level management to actively oversee the development of upgraded security and privacy strategies.

Comments

Ken Mason
Title: Controller
Company: Pascua Yaqui Tribe

The difficulties here are two-fold:

Discussing security and privacy strategies inevitably involves a certain amount of "geek-speak" which the non-specialist does not understand. Senior management is busy and reluctant to commit the time needed to understand the concepts when that time could instead be spent in areas considered to be mission-critical.

Furthermore, preventive measures involve increasing IT spending in competition with revenue-producing spending. It's akin to insurance policies, which create resentment of the premiums as a drag on the bottom line.

IT professionals sometimes need to be creative to sell the benefits of implementing security. A primitive example from the 1990s involved increased spam that was annoying my CEO and other senior managers. I knew full well that their internet practices were largely responsible for the spam and consequent security threats, but knew my audience well enough to know that attempts to educate them would be tuned out (at best) or actively resented, leading to political fallout that would impair my effectiveness. Discretion being the better part of valor, I directed my IT guy to investigate low-cost spam appliances and develop the business case for purchase and implementation. We settled on the Barracuda and sold it as a time-saver that would reduce spam by about 75%. We already had a good firewall appliance, DMZ and Trend Micro on our servers, so this was just an additional layer of protection from a security standpoint. However, it was an addition that had a visible and understandable benefit to the user community.

The good news is that the appliance worked as planned. I duly reported the results until the CEO told me not to bother anymore. Needless to say, the topic never reached the Board, which was unfortunate. The CIO often simply does not have the pull to influence the company culture unless and until something bad happens.