Carnegie Mellon University's CyLab has surveyed 703 corporate board directors and found that only 36 percent of respondents said their board was directly involved in overseeing the management of information security. About 31 percent said their boards were involved in assessing risk related to IT or personal data. Only 8 percent said their boards had a risk committee separate from the audit committee, and 12 percent said their organizations had established functional separation of privacy and security. Cybersecurity should be viewed as an enterprise risk management issue rather than an IT problem, the Carnegie Mellon researchers say.
"There is a clear duty to protect the assets of a company, and today, most corporate assets are digital," says CyLab's Jody Westby, lead author of the survey.
The researchers offer recommendations for improving the corporate governance of privacy and security, such as establishing a board risk committee that is separate from the audit committee, reviewing existing top-level policies, and embracing security and privacy issues. "Without the right organizational structure and interest from top officials, enterprise security can't be effective no matter how much money an organization throws at it," says report co-author Richard Power.
From Carnegie Mellon News