
Senior Corporate Execs Failing in Cyber Risk Management, Survey

Critical Infrastructure Executives Cite Need for Improvement in Managing Cyber-related Risks

Senior corporate executives are placing a strong emphasis on risk management generally, but are falling short when it comes to extending that emphasis to the world of IT, a new survey has found.

The survey, sponsored by EMC's RSA division and detailed in a report from Carnegie Mellon University's CyLab, found that 57 percent of respondents are not analyzing the adequacy of their cyber-insurance coverage or undertaking other key cyber-risk management activities that would help manage the reputational and financial risks of security breaches and the theft of confidential and proprietary data.

"The increasing criticality of digital resources and the more complex threat landscapes mean senior executives and boards must get better at marrying security functions with corporate operations," said Tom Heiser, president of the RSA division, in a statement. "Boards are asking questions about risk and IT security; now there needs to be a closed-loop system with management for risk policies to assure a trusted IT environment throughout their enterprise. Senior executives and boards can't get better at this without boosting their essential oversight and involvement in cyber risk management."

The survey fielded answers from 108 executives and board members at Forbes Global 2000 companies. Respondents across geographic regions consistently reported that the top members of their organizations were not reviewing cyber-insurance coverage, but the gap was widest in critical-infrastructure industries: in the energy and utilities sectors, nearly 80 percent of respondents said their boards of directors do not review insurance for cyber-related risks.

"We have seen NERC CIP as the largest influencer for cyber security decisions at Energy/Utility companies," Jacob Kitchel, senior manager of security and compliance for Industrial Defender, told SecurityWeek. "NERC CIP has been heavily focused on the reliability of critical infrastructure and it is surprising to see such high numbers of people that weren't considering risk and privacy for the Energy/Utility category."

"Oftentimes, people just imagine that organizations have the adequate resources to fully address critical infrastructure security and privacy issues," Kitchel added. "What we typically see is that the majority of large enterprise organizations have the appropriate resources to address these issues, while the smaller organizations are struggling to juggle security, compliance and change management responsibilities."

The survey revealed a significant increase in the number of boards with committees responsible for privacy and security risks (48 percent in 2012 versus just eight percent in 2008), as well as in the number of companies with cross-organizational teams that manage privacy and security risks (72 percent in 2012 versus 17 percent in 2008). But boards and senior management are not universally establishing key positions with these responsibilities. Fewer than two-thirds of respondents have full-time personnel in positions such as CISO or CSO in a manner consistent with internationally accepted best practices and standards, and 82 percent said they do not have a chief privacy officer (CPO).

"By looking at the security risk and governance practices of specific industry sectors, the CyLab report highlights that those who protect the money...are better at managing cyber risk from the executive level, while boards of energy and utilities sectors lag seriously behind," added Kim Legelis, vice president of Industrial Defender. "Recent news about gas [companies] being targeted by cyber-attacks should serve as a wake-up call to the boards of energy companies and utilities that highly motivated adversaries have put their companies in the cross hairs. These boards, whether they are aware of it or not, manage significant risks of both economic and public safety disruptions to their customers and shareholders. Making critical infrastructure security a priority is an essential part of their modern fiduciary responsibilities."

"These are the basics; critical infrastructures have a higher duty of care," noted Jody Westby, CEO of Global Risk and Adjunct Distinguished Fellow at Carnegie Mellon CyLab. "Boards that fail to step up their cyber risk management are placing their organizations at risk and could be breaching their fiduciary duty to protect the assets of the corporation, which includes digital assets."

The report can be found here (PDF).
