Connect with us

Hi, what are you looking for?



Senior Corporate Execs Failing in Cyber Risk Management, Survey

Critical Infrastructure Executives Cite Need for Improvement in Managing Cyber-related Risks

Senior corporate executives are placing a strong emphasis on risk management generally, but are falling short when it comes to extending that emphasis to the world of IT, a new survey has found.

Critical Infrastructure Executives Cite Need for Improvement in Managing Cyber-related Risks

Senior corporate executives are placing a strong emphasis on risk management generally, but are falling short when it comes to extending that emphasis to the world of IT, a new survey has found.

The survey, which was sponsored by EMC’s RSA division, is detailed in a report from Carnegie Mellon University’s CyLab that reveals 57 percent of respondents are not analyzing the adequacy of cyber insurance coverage or undertaking key activities related to cyber-risk management to help manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches.

Managing Risk in Industry“The increasing criticality of digital resources and the more complex threat landscapes mean senior executives and boards must get better at marrying security functions with corporate operations,” said Tom Heiser, president of the RSA division, in a statement. “Boards are asking questions about risk and IT security, now there needs to be a closed loop system with management for risk policies to assure a trusted IT environment throughout their enterprise. Senior executives and boards can’t get better at this without boosting their essential oversight and involvement in cyber risk management.”

The survey fielded answers from 108 executives and board members from Forbes Global 2000 companies. Although respondents across geographical regions consistently replied that top members of their organizations were not reviewing cyber-insurance coverage, a high percentage from critical-infrastructure industries such as the energy and utilities sectors indicated nearly 80 percent of their boards of directors do not review insurance for cyber-related risks.

“We have seen NERC CIP as the largest influencer for cyber security decisions at Energy/Utility companies,” Jacob Kitchel, senior manager of security and compliance for Industrial Defender told SecurityWeek. “NERC CIP has been heavily focused on the reliability of critical infrastructure and it is surprising to see such high numbers of people that weren’t considering risk and privacy for the Energy/Utility category.” 

“Often times, people just imagine that organizations have the adequate resources to fully address critical infrastructure security and privacy issues,” Kitchel added. “What we typically see is that the majority of large enterprise organizations have the appropriate resources to address these issues, while the smaller organizations are struggling to juggle security, compliance and change management responsibilities.” 

The survey revealed a significant increase in the number of boards with committees responsible for privacy and security risks (48 percent in 2012 versus just eight percent in 2008) as well as in the number of companies with cross-organizational teams that manage privacy and security risks (72 percent in 2012 and 17 percent in 2008, respectively). But board and senior management officials are not universally establishing key positions with these responsibilities. Less than two-thirds of respondents have full-time personnel in positions such as CISOs and CSOs in manner consistent with internationally accepted best practices and standards.  Eighty-two percent said they do not have a CPO (chief privacy officer).

Advertisement. Scroll to continue reading.

“By looking at the security risk and governance practices of specific industry sectors, the CYLAB report highlights that those who protect the money…are better at managing cyber risk from the executive level, while boards of energy and utilities sectors lag seriously behind,” addded Kim Legelis, vice president of Industrial Defender. “Recent news about gas [companies] being targeted by cyber-attacks should serve as a wake-up call to the boards of energy companies and utilities that highly motivated adversaries have put their companies in the cross hairs. These boards, whether they are aware of it or not, manage significant risks of both economic and public safety disruptions to their customers and shareholders. Making critical infrastructure security a priority is an essential part of their modern fiduciary responsibilities.”

 “These are the basics; critical infrastructures have a higher duty of care,” noted Jody Westby, CEO of Global Risk & Adjunct Distinguished Fellow, Carnegie Mellon CyLab. “Boards that fail to step up their cyber risk management are placing their organizations at risk and could be breaching their fiduciary duty to protect the assets of the corporation, which includes digital assets.”

The report can be found here (PDF).

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...