Boards Are Still Clueless About Cybersecurity

Editor’s Note: The Advanced Key Findings of the Carnegie Mellon CyLab report is attached below.

From: Forbes 

Jody Westby, Contributor

The Governance of Enterprise Security: CyLab 2012 Report, released today by Carnegie Mellon CyLab, examines how boards of directors and senior management are managing privacy and cyber risks. Although two previous reports were conducted in 2008 and 2010, this is the first global survey on these issues and the first to compare responses by industry sector.[1] The cross-sector comparisons in the 2012 report provide a compelling picture that critical infrastructure companies need to put cybersecurity and privacy on their boards’ agendas and place greater emphasis at the executive level on protecting their organizations’ digital assets (data, software programs, and networks).

Seventy-five percent (75%) of the 2012 survey respondents were from critical infrastructure industry sectors, primarily the financial, energy/utilities, IT/telecom, and industrials sectors. The survey probed whether senior executives and board members were undertaking basic cyber governance activities, such as reviewing privacy and security budgets and top-level policies, establishing key roles and responsibilities for privacy and security, and reviewing security program assessments. It also asked whether the board was receiving information critical to the management of cyber risks, such as regular reports on breaches and the loss of data.

Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices. When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two. The energy/utility respondents indicated that:

  • 71% of their boards rarely or never review privacy and security budgets
  • 79% of their boards rarely or never review roles and responsibilities
  • 64% of their boards rarely or never review top-level policies
  • 57% of their boards rarely or never review security program assessments.

When queried about issues that their boards were actively addressing, the energy/utilities sector had the lowest percentages for IT operations (14%) and vendor management (0%). Although 57% of all respondents said that their boards were not reviewing insurance coverage for cyber risks, the energy/utilities sector’s respondents said 79% of their boards were not conducting cyber insurance reviews. The energy/utilities sector also had the fewest Risk/Security Committees at the board level and placed the least value on IT experience when recruiting board members (7%). The sector tied with the industrials sector in having the lowest percentage of cross-organizational committees to coordinate on privacy and security issues (50% compared with 92% for the IT/telecom sector).

What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity. It also has a heavy concentration of industrial control systems (commonly called SCADA, or supervisory control and data acquisition, systems), most of which were not designed for security and have no logging functions to enable forensic investigations of attacks. “Control systems should have the highest degree of oversight because attacks on these systems can cause irrecoverable consequences, such as extended electric outages or even death,” noted Joe Weiss, Managing Partner of Applied Control Solutions in Cupertino, CA. “However, most of the industrial control systems were designed for reliability and safety, not security. These systems are often connected to the Internet and are vulnerable to ordinary attacks,” he said. Weiss also pointed out that attacks are possible even when not connected to the Internet, which was the case with the Stuxnet attack on the Iranian nuclear system.

The energy/utilities sector was not the only critical infrastructure sector that fared poorly in the survey results. The industrial sector did only slightly better. Although the survey findings confirmed the belief of many security experts that the financial sector has the best security practices, even its respondents indicated major gaps in security governance. For example, 52% of the financial sector respondents said that their boards do not review cyber insurance coverage and only 44% of them actively address computer and information security. Forty-two percent of financial sector respondents indicated that their boards rarely or never review annual privacy and security budgets and 39% rarely or never review roles and responsibilities. The financial sector respondents also had one of the highest percentages of CISOs (76%) and CSOs (63%) who are assigned responsibility for both privacy and security, creating segregation of duties issues.

What are these people thinking? Boards clearly have a duty to protect the assets of their company, which today, includes a high percentage of digital assets. If boards and officers have an obligation to ensure that the R&D lab door is locked, they similarly have an obligation to ensure that the digital R&D lab door is locked. They also are responsible for ensuring tested plans are in place for business continuity and disaster recovery. Companies in the World Trade Center on 9/11 that did not have offsite system backup files found themselves to be out of business.

Today, the risks to corporate data are greater than ever because it is highly desired by criminals, competitors, and nation states. Personal identity breach headlines have subsided, but data theft and hacking headlines have increased. Boards and executives also have to consider that data losses may no longer be kept quiet. In late 2011, the SEC issued guidelines that require public companies to disclose security events if they materially affect the entity’s products, services, relationships, or competitive conditions or if they would make an investment in the company speculative or risky.

It is not a stretch to conclude that failures by boards and senior executives to manage cyber risks can amount to a breach of fiduciary duty or negligence. Shareholder derivative suits against directors and officers are possible as a result of drops in stock price, loss of market share, or significant financial losses that are incurred as a result of a security event that was possible due to security program deficiencies that should have been detected through proper oversight. There also is a reasonable argument that the strong protections afforded to boards and officers under the business judgment rule may be less effective in security cases due to established standards and best practices for governance of IT and risk management and numerous compliance requirements in federal and state laws that require enterprise security programs and management oversight.

This line of thinking is bolstered by provisions in the Council of Europe Convention on Cybercrime, which the U.S. and 46 other countries have signed (it has been ratified by 33), that provide for administrative, civil, or criminal liability for cybercrimes that benefit the company and were made possible due to the lack of supervision or control of someone in a senior management position, such as a director or officer. The European Union’s Council Framework Decision on attacks against information systems mirrors this language and applies to all 27 member countries.

If boards and senior management were paying more attention to the privacy and security of their digital assets, there may not be such a clamor on the Hill for legislation that would mandate cybersecurity requirements and/or standards. The truth of the matter is that security programs will not get better until management begins to treat cybersecurity as an enterprise risk that must be governed. Overall, CISOs are a competent group of professionals, but they cannot get attention at the top or adequate funding to close gaps that they know exist. In addition, too many are stuck reporting to CIOs who squeeze their budgets, interfere in procurements, and meddle in security configuration settings.

Where do directors and officers begin? A good starting point is reading the 2012 CyLab Governance Report and heeding its recommendations for better digital risk management.

[1] Disclosure: I am the author of the 2008, 2010, and 2012 CyLab governance reports. The Governance of Enterprise Security: CyLab 2012 Report was sponsored by RSA and Forbes.
