For far too many boards of directors and senior management of critical infrastructure industry sectors, cybersecurity and privacy are less than afterthoughts. They are barely even thoughts. That's a key finding of "Governance of Enterprise Security: CyLab 2012 Report" (View PDF), a global survey of industries by Carnegie Mellon CyLab and its sponsor, RSA, The Security Division of EMC.

Jody Westby, CEO of Global Cyber Risk and the author of the report, wrote in Forbes last week that boards of directors are essentially "clueless" about cybersecurity, saying 75% of the survey respondents were from critical infrastructure industry sectors -- "primarily the financial, energy/utilities, IT/telcom and industrial."

"When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two," Westby wrote. "According to the survey results, 71% of their boards rarely or never review privacy and security budgets; 79% rarely or never review roles and responsibilities; 64% rarely or never review top-level policies; and 57% rarely or never review security program assessments."

Beyond this, Westby says 79% of boards in the energy/utilities sector were not conducting cyber insurance reviews. "What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity."

"What are these people thinking?" she asked, adding that such inattention to security is the digital version of failing to lock the R&D lab door. The consequences for loss of data, she says, can range from shareholder lawsuits for failure to protect the assets of the corporation to government sanctions for compliance failures.
And, when it comes to defense and critical infrastructure, national security could be at risk from hostile nation states that have concluded that attacking U.S. cyber vulnerabilities is cheaper and has a much greater chance of success than a military encounter.

Westby told CSO things are indeed as bad as the report results suggest, although she says the financial sector has made much more progress in security than others. Too many in those other sectors, she says, "aren't even doing the basics."

Whose fault is that? Some experts say it is the "Cool Hand Luke" problem -- a failure to communicate by CISOs.

"We in the security community have done a poor job of communicating the issues to executive management," says Mark Baldwin, CISSO and principal researcher at InfosecStuff. "CEOs and boards are business people. Too frequently, infosec professionals speak in terms of threats or vulnerabilities or technology. They need to learn to speak in terms that business leaders understand, and the one thing they understand is risk."

The CISO of a major corporation on the West Coast, who declined to be identified, doesn't blame the CEOs or boards. He says if a company has a CISO, "and [his or her] job is to own your information security, whose fault is it if the board is clueless?" He agrees with Baldwin that some CISOs "don't understand how to talk in risk language."

But even though that criticism is coming from CISOs themselves, Westby doesn't think it is entirely fair. Some CEOs and boards "don't want to hear from them no matter how well they communicate," she says. "And some CIOs and CISOs never see long-term strategic plans. How can they be expected to do anything if they don't know the plan?"

She says too many CEOs fail to understand that "IT risks are enterprise risks," and assume that if they have hired competent security people, there will not be a problem. "Their attitude is, 'Take care of it -- don't bother me,'" she says.
That may be because corporate leaders and boards of directors are focused on what they view as much more important problems: such as how to survive and prosper in a hyper-competitive environment. Gary Long, CSO of ITWorks Operations at Cerner, says the corporate vision "often focuses on bookings, analyst opinions, and quarterly projections," not security. And Long thinks there may be a level of denial about the risk for some CEOs if there has not yet been a major data breach. "Their attitude is, 'Why should I do anything if it's never happened before?'"

If there is a solution, it will come through better communication, not legislation, says Westby, who calls the various cybersecurity bills pending in Congress "stupid." Members of Congress don't understand cybersecurity, she says, and cannot be expected to improve it.

Long says real improvement is possible if corporations take security policy outside of IT, "which focuses on cost rather than risk. IT would still implement and run the necessary solutions, but the security organization would be responsible for presenting risks and strategy to the CEO/board."

If that makes boards and executives start paying attention "it would be better," Westby says. "That's where you're going to have the real action and traction. It should be a no-brainer. We've talked about it since 1999."