May 16, 2012 /PRNewswire/ --
- RSA, The Security Division of EMC (NYSE: EMC), alongside Carnegie Mellon CyLab highlight Carnegie Mellon CyLab's new 2012 Governance Report, the first global analysis of how boards and senior executives are managing cyber risks by geographical region and industry sector.
- The report reveals the complexities associated with governing privacy and security risks, with survey data revealing a gap in board-level understanding of the linkage between IT risks and enterprise risk management.
- The report offers 12 recommendations to help improve the governance of enterprise security.
- The findings confirm the belief among security experts that, overall, the financial sector is better at following security best practices than the energy/utilities, IT/telecom, and industrials sectors. However, all sectors are failing to undertake critical governance activities such as reviewing cyber insurance coverage, assigning key privacy and security responsibilities, and receiving regular reports on cyber risks and incidents.
- Results indicate that North American boards are lagging behind Asian and European boards in undertaking key activities associated with best practices for privacy and security governance.
Governance of Enterprise Security: CyLab 2012 Report is the first survey to examine how corporate boards and executives are managing cyber risks across geographical regions and industry sectors. Sponsored by RSA, The Security Division of EMC, this is the third report conducted by a CyLab Adjunct Distinguished Fellow. The report examines responses to a survey of senior executives and corporate board members from the Forbes Global 2000 list. The report reveals that corporate boards and executives are taking risk management seriously, but there is still a gap in understanding the link between information technology (IT) risks and enterprise risk management. This gap indicates that boards lack an understanding of how all business operations are supported by computer systems and digital data, and of how risks in these areas can undermine operations. Less than two-thirds of the respondents' organizations have full-time personnel in key roles for privacy and security (CISO/CSO, CPO, CRO) in a manner consistent with internationally accepted best practices and standards. The degree to which these roles are filled varies by industry and region.
Survey results in the report confirm the belief among security experts that, overall, the financial sector has better security and governance practices than other industry sectors. The financial sector shows the greatest degree of board attention to critical issues related to cyber risk management, while the energy/utilities and industrials sectors reveal a lack of board attention to critical issues such as vendor management, computer and information security, and IT operations. The energy/utilities respondents also rank next to last in establishing the necessary segregation of duties between board Risk Committees and Audit Committees.