RSA: Top-Level Execs Not On Top Of Risk Management

Published: 22/11/2024   Category: security




New RSA-Carnegie Mellon CyLab survey finds most Fortune 2000 execs have little to do with their firms' security and privacy policies



RSA CONFERENCE 2012 -- San Francisco, Calif. -- Most Fortune 2000 executives and external boards of directors are still not involved with their companies' cybersecurity strategy and oversight, according to new data revealed here today by Carnegie Mellon's CyLab.

Carnegie Mellon and RSA, which commissioned the survey, gave a peek at the preliminary results here today at a press briefing that also headlined RSA Security executive chairman Art Coviello. Coviello urged the security industry to work together as never before to fight all types of attackers, from nation-states to hacktivists to cybercriminals. "We have to have the commitment and resolve to work together as never before," said Coviello, who plans to detail this in his keynote address here tomorrow. "You will hear from me tomorrow a very strong call to action."
[ Major global corporations call for more collaboration among organizations hit by cyberattacks, but the devil's in the details. See "Victim Businesses Teaming Up To Fight Cybercriminals." ]
He also noted RSA's firsthand experience in the heightened attack landscape, given its breach last March. "We learned from our own incident, and it provided us insight into others' attacks," Coviello said. He reiterated that despite the breach of the SecurID servers, there were no successful attacks on its customers in the aftermath.

The key is intelligence-driven security, Coviello said, and organizations must do a better job at evaluating risk. The research from Carnegie Mellon bears that out, he said.

When grilled during a question-and-answer period by some members of the press about whether RSA now has a credibility problem as a security vendor advising its customers, Coviello said security companies will continue to be targeted. "We've never seen so many high-profile attacks as there were in the past 12 months," he said. "We've never had attacks that have been used on one company to be a stepping stone to [attacking] other companies. That's why so many security firms have been attacked."
Meanwhile, the Carnegie Mellon survey data raises some red flags for the boardrooms of some of the world's largest firms: More than 70 percent of these top-level execs said they either occasionally, rarely, or never review the roles and responsibilities of their top IT security and privacy officials. And more than 70 percent operate the same way when it comes to reviewing top-level policies on IT security and privacy risks. They're just not closely involved, the study found.

"This indicates that we still have gaps in core governance responsibilities," said Jody Westby, CEO of Global Risk and Adjunct Distinguished Fellow, Carnegie Mellon CyLab.

And less than two-thirds have full-time privacy and security positions filled in their companies, according to the survey.

"This vindicates the CSO's cry that it's difficult to get the attention of senior management," Westby said. "It's hard to get access to that level of management," she said.

There were some bright spots, however: Enterprise risk management programs are on the rise, with 94 percent of the firms reporting that they have these programs in place, up from 85 percent in 2010. And more of the Fortune firms have cross-organizational teams that manage privacy, security, and risk -- 70 percent, up from 65 percent in 2010.

Meanwhile, Westby maintained that a business's security policies are its own responsibility, not that of RSA or other security vendors.

"No security company can be responsible for the security policies of all of its customers," Westby said. "We can't think that security companies are able to protect the business community fully," she said. "That's the business community's responsibility."
A full copy of the 2012 Carnegie Mellon CyLab Governance report is available as a PDF.
