CMU Survey Insights: Why Boards of Directors Don't Get it

This is the key takeaway from a new Carnegie Mellon University CyLab survey, which shows that there is a "gaping hole as wide as the Grand Canyon" in board and senior executive oversight of these critical business issues.

To understand this study, we spoke with its author, Jody Westby, Adjunct Distinguished Fellow at CyLab and CEO at Global Cyber Risk. In an exclusive interview, she discusses:

Jody Westby received her B.A., summa cum laude, University of Tulsa; J.D., magna cum laude, Georgetown University Law Center; Order of the Coif. Drawing upon a unique combination of more than 20 years of technical, legal, policy, and business experience, Jody Westby brings a seasoned, multidisciplinary perspective to the many issues facing businesses and governments today in the areas of privacy, information security, outsourcing/offshoring risks, cybercrime, and IT business risk management. She regularly consults with governments, private sector executives, and operational personnel on the development of enterprise security programs that dovetail the technical, legal, operational, and managerial considerations.

Prior to forming Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC), specializing in outsourcing and cyber security/privacy issues. Before that, she was president of The Work-IT Group, launched an IT solutions company for the CIA, managed the domestic policy department for the world's largest business organization, was senior fellow and director of information technology (IT) studies for one of the nation's leading think tanks, practiced law with two top-tier New York firms, and spent 10 years in the computer industry specializing in database management systems.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is a new interesting study on governance and board management by Carnegie Mellon University, and we are talking with the author of that study, Jody Westby, Adjunct Distinguished Fellow at CyLab and CEO at Global Cyber Risk. Jody, thank you so much for joining me today.

JODY WESTBY: My pleasure, Tom, thank you.

FIELD: Tell us a little bit about this new study; what prompted it and then what some of your key findings are.

WESTBY: It was prompted by the continuing feeling for over the past several years, five or six years, by IT experts and the IT industry generally that boards and senior management were not paying adequate attention to the security of their organizations' data and information technology systems.

So this survey was designed to determine if these claims were actually valid and the degree to which boards and directors were actually exercising oversight of privacy and security, the organizational structure, if they were, for governance and the degree to which companies were really following best practices for governance, privacy and security. So those were the driving forces.

FIELD: Okay. Tell me about some of the key findings here, and then my real question is what sort of shocks did you find?

WESTBY: Well, the findings overall, broadly did support that boards of directors and officers of corporations are not paying adequate attention to privacy and security, nor exercising adequate governance and engaging on the key activities that really would give them an indication of whether the risks, the privacy and security were being managed.

But what surprised me was that most companies indicated that they really didn't have the right kind of executives in these roles. I think we all assume that most companies had the chief information security officer or chief officer security and a chief privacy officer. Companies seemed to grab onto this privacy officer notion rather readily several years ago, when everyone started pushing this, and the surprising result was that 59% of the respondents said their organization did not have a CISO and 71% said they didn't have a CSO.

But more surprising was the 78% that said their organizations did not have a chief privacy officer. And so I think this is really a clear indication of a gap in governance -- if boards don't even understand that they have to have these key roles and responsibilities well staffed with qualified people and roles defined, then that is a major gap.

The second thing that almost goes hand in hand with this, though, was that the organizations -- we asked them if they had an enterprise risk management plan, and less than half, 47%, said that they had a risk management plan. So that means 50% of the respondents companies didn't have a risk management plan, and the respondents were from public listed companies, so NASDAQ, NYSE companies.

You would think that after 9-11 and the emphasis being on risk that they would at least have a risk plan. But even more surprising was out of that 47% then, only about two-thirds of those said that IT was considered in the risk management. So companies clearly are not understanding that they would not even be able to operate and do business if they didn't have their IT systems, their information networks. Their applications and their data are truly the digital assets that comprise the very operations and necessary information of an organization, and they are not including it in risk management. So those are the two things that I think just really, really surprised me.

FIELD: Jody, which industries did you study, and did you analyze at all whether there are any key differences among industries?

WESTBY: We looked at all industry sectors and all sizes. So we had energy, financial, healthcare, IT and telecommunications, we had industrials, consumer, we had also materials and retailing. So we had a good cross-section of industry sectors, and the sizes also ranged from less than $50 million to more than $10 billion, or up to $10 billion I think. So we had some small to medium sized companies up to the very huge global giants, but we did not separate the findings by industry sector.

About 70% of the respondents were from critical infrastructure industry sectors, but we didn't compare the results and the responses -- but it's a good thought. We intend to repeat this study next year and to get information and try to develop a baseline and comparison point. I think it would be good for us next year to look and see if some industry sectors are really vastly different in their responses than others.

FIELD: That would be interesting. Two things would interest me: one to compare the industries, especially when you've got something like financial services that is so regulated, and then to look at size of organizations as well. That might give you some interesting cross tabs and again, something to think about next year.

WESTBY: Exactly.

FIELD: Okay so based on what you saw this year in your analysis, what are the greatest concerns that come from the responses in this study?

WESTBY: Well, I think the greatest concerns are the things that we believe comprise the best practices for really managing and governing enterprise security are not being looked at. So for example, 38% of the respondents said they only occasionally or rarely reviewed and approved annual budgets for privacy and security, and an additional 40% said they never did. So that is a total of 78% that was either occasionally, rarely or never.

Then when you look at reviewing roles and responsibilities, again, it was 55% said they only occasionally or rarely reviewed, and then an additional 28% said they never did. When we look at the top level policies that should come from the board and senior management that set the tone for security, 56% of the respondents said that they only occasionally or rarely reviewed and approved top level policies regarding privacy and security, and an additional 23% said they never did. Then when we look at reviewing reporting from senior management on privacy and security, 62% of them said that they only occasionally or rarely reviewed reports from senior management, and an additional 15% said they never did. So when we look at those activities and then we ask them if they conducted annual privacy compliance reviews, if they had breach notification plans, if they conducted annual risk assessments and the results were very, very low. In fact, more than half, 56% of the respondents said they didn't do any of those things. Those are real driving points for understanding the state of privacy and security in an organization.

If you aren't doing privacy compliance reviews, then you really don't know if you are doing anything at all with privacy, and only 25% said they had a breach notification plan. So if you look at the privacy rights clearinghouse website that has kept a tally of the number of records breached since the ChoicePoint event in 2005, that doubled in the last year.

The number of records breached doubled in the last year, but yet only 21% of the respondents said they had a security breach notification plan. Now this is consistent with what I find in my work because what I find in my work is companies are ill prepared when there is a breach, and there really isn't a plan that is well thought through, much less tested.

So I think that it shows a real negligence on the part of companies, when they have clear compliance requirements now and notification requirements to notify consumers, plus the state laws are now that many of them are requiring in addition they notify state attorneys general, consumer protection agencies, sometimes they have to notify credit bureaus, sometimes law enforcement has to be involved, so there are a lot of other points that are mandated notification.

So not to have a security breach notification plan in this day and age, I think that is another huge gap and it really, I think, indicates either these boards have to wake up, or the clear thing is they need to start looking at their board composition and start focusing on getting IT security experts on their boards so they can better protect the assets of their corporations.

FIELD: Well, you make a good point given the climate that we are in right now that certainly consumer confidence is shaken. We see a new administration coming in and likely more regulatory oversight for everybody. So given what you've seen and what came out of this report, what are some of the top line recommendations you've made to companies?

WESTBY: We are certainly recommending that boards have the right kind of governance structures in place, that there be a top organization team within a company that has the chief privacy officer, security officer, chief information technology officer, human resources, legal, chief financial officer involved so that they can discuss on a regular basis privacy and security concerns, so certainly putting the right governance structures in place.

Having the right policies at the top, conducting annual reviews and risk assessments are also clearly top recommendations. So the report overall has, I believe about 12 recommendations,. And also to make sure that there is a board risk committee. That was something that we were pretty concerned about is that boards still are overly reliant on their audit committee for whatever oversight there is of privacy and security. And when we were discussing the findings with some people in writing the report they said, well of course they are relying on their audit committees that's who is supposed to manage risk, and we said exactly, but they aren't supposed to establish it.

What these companies are doing is throwing all the privacy and security into the audit committee, and then they oversee getting it all set up, and then they turn around and audit it. That's a clear segregation of duties issues and at the board level. So there should be a board risk committee to make sure the right risk measures are in place, and there should be a board audit committee that serves as a check and balance on those activities that are performed under the oversight of the risk committee.

So the board risk committee is a really, really important change we are trying to get boards to do and senior management to undertake is to add that risk committee. Only 8% of the respondents said they had a board risk committee.

We also want to be sure that privacy and security in an organization are separated. A number of the respondents indicated that the security person also took care of privacy. And the risk there - and I have seen it among some of my clients -- is that when you have someone that is responsible for both privacy and security, you have a single point of failure. The person may determine that some law or compliance requirement does not apply to their organization and therefore the privacy compliance drops out the window and the security measures are never implemented and so the company is wide open. So privacy and security roles should be separated.

Also clearly, of course, we are wanting annual reviews and audits to make sure that controls are effective and that changes in the organization have been accommodated in a security program. And it is very tempting for companies to say well we finally got this whole security program set up and we did all of these things, and so now let's move on and we'll go look at it again in five years -- and you can't do that.

The technology and the risks evolve so fast that it has to be an annual review by both the board risk committee and the audit committee, and then of course comparing the results. That is what we do with financial statements, and that is how we ought to handle information technology risks as well.

FIELD: Now Jody, I know that you know financial institutions fairly well. Are there any real specific takeaways for banking institutions that read this report that they should pay particular attention to?

WESTBY: Well, of course the Federal Reserve and the financial regulatory entities require banks to have response plans, they do have specific privacy and compliance requirements, and they do have specific notification requirements.

I would say the main thing that financial institutions should do is to look at one, do they have a board risk committee, are IT risks included in their enterprise risk management, and do they have a cross-organizational team so that they have involved key executives across their organization to meet and talk regularly? And I don't mean pushing this down to mid-level management level because that is what just diverts attention away from the senior level people, and that is what diverts attention away from budgeting the amounts that needed to be budgeted to maintain truly an effective security program.

You need to include communications and public relations, perhaps even investor relations, and the other folks that I mentioned like HR, legal, CIO, CSO, CRO, the chief roles that would come into place while including the financial. And when you have that kind of cross organizational team working in a company with a board risk committee, that begins a very effective dialogue to manage these risks.

But those are the real things that I see: Financial institutions need to take a real close look at their governance structure ,and they need to take a close look at their breach notification plans to make sure that they really in fact are compliant with the guidance that is out there from the Federal Reserve and how to handle a breach.

FIELD: IT has been a fascinating study Jody. I've really enjoyed it, and we are going to share this with our audience as well. So I guess my last question is what's next? What are you going to tackle next and when can we look forward to hearing more from you?

WESTBY: Well we are going to do the study again next year and we are going to also be doing--we want to go do briefings on this report and on our findings to boards and to senior management. So we welcome them to contact us and ask us to come and talk to them because that is part of our effort to try to pull our weight and our contribution that we want to make in the next year to see if we can help boards understand their issues.

It is one thing to issue a report, but we are going to go one step farther and provide briefings to companies that want it on these issues to help their boards and senior management really understand what their responsibilities are. So then next year we will be doing a repeat of the study, and we will probably add some questions and I think your suggestion about having some comparison with industry sectors is a really good one. So that is kind of the plan at this point.

FIELD: Very good. Jody, thank you for taking time to share your insight with us today.

WESTBY: Thank you for your interest, and please feel free to tell your members to contact Carnegie Mellon CyLab if they are interested in such a briefing and we will get right in touch with them.

FIELD: Very good. We've been talking with Jody Westby. For Information Security Media Group, I'm Tom Field. Thank you very much.