Cyber Risk Still Not Getting Adequate Attention from Boards and Senior Executives

New Research Reveals Cyber Risk Still Not Getting Adequate Attention
from Boards and Senior Executives

News Summary:

* RSA®, The Security Division of EMC, alongside Carnegie Mellon CyLab
highlight new global research on cyber security governance
* New research surveyed Forbes Global 2000 list of CEOs, CFOs,
CROs and
board members of governance practices

Full Story:

RSA CONFERENCE 2012 - SAN FRANCISCO, CA - February 27, 2012 - The
advanced findings from the latest 2012 Carnegie Mellon CyLab Governance
survey of how corporate boards and executives are managing cyber risks
reveals the issue is still not getting adequate attention at the top.
The survey, sponsored by RSA, The Security Division of EMC (NYSE: EMC),
was the third survey conducted by CyLab Adjunct Distinguished Fellow,
Jody Westby, and comparisons with the 2008 and 2010 data clearly show
ongoing gaps in governance.

Using the Forbes Global 2000 list, the 2012 survey represents the first
analysis of cyber governance postures of major corporations around the
world. One of the most important advance findings is that boards and
senior management still are not engaging in key oversight activities,
such as setting top-level policies and reviews of privacy and security
budgets to help protect against breaches and mitigate financial losses.
Even though there are some improvements in key “regular” board
governance practices, less than one-third of the respondents indicate
their boards and senior executives are undertaking basic
responsibilities for cyber governance.

Although improvements are shown in the formation of board Risk
Committees and cross-organizational teams within their organizations,
nearly half of the respondents indicated that their companies do not
have full-time personnel in key privacy and security roles, and 58 per
cent of the respondents said their boards are not reviewing their
companies’ insurance coverage for cyber-related risks.

Recommendations

To help company boards improve corporate governance of privacy and
security, the advance findings of the research included recommendations
for organizations to undertake key governance activities, such as:

* Establish the “tone from the top” for privacy and security
through top-level policies.
* Review roles and responsibilities for privacy and security and ensure
they are assigned to qualified full-time senior level professionals and
that risk and accountability are shared throughout the organization.
* Ensure regular information flows to senior management and boards on
privacy and security risks, including cyber incidents and breaches.
* Review annual IT budgets for privacy and security, separate from the
CIO’s budget.
* Conduct annual reviews of the enterprise security program and
effectiveness of controls, review the findings, and ensure gaps and
deficiencies are addressed.
* Evaluate the adequacy of cyber insurance coverage against the
organization’s risk profile.

The advanced findings of the 2012 Carnegie Mellon CyLab Governance
survey will be available to download and at RSA Conference 2012.

The final survey report, which will also analyze differences in
responses from Asia, Europe and North America and responses by industry
sector, will be released in March 2012.

RSA Executive Quote:

Brian Fitzgerald, Vice President, Marketing, RSA

“The models for creating, delivering and managing IT services are in
a state of transformation driven by virtualization, cloud computing, the
hyper-connectivity of people and organizations, and the emergence of a
new class of ‘big data’ applications. With the convergence of these
trends amid an increasingly complex compliance and threat landscape,
executives and boards must be actively engaged in ensuring their
organizations are addressing these risks while reaping the benefits of
next generation IT.”

Carnegie Mellon Executive Quote:

Jody Westby, CEO of Global Risk & Adjunct Distinguished Fellow,
Carnegie Mellon CyLab

“Privacy and security are competitiveness issues, and companies that
set the tone of a ‘trusted workplace’ with their employees also
convey the message of a ‘trusted business’ to the marketplace.
Effective governance enhances profitability through the mitigation of
liabilities and losses associated with compliance costs, operat
ional
downtime, cybercrime, and theft of intellectual property.”

Additional Resources:

* Download the 2012 Carnegie Mellon CyLab Governance survey
* Visit the RSA Thought Leadership page on EMC.com
* Learn more about Trusted IT from EMC
* Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and the RSA
Speaking of Security Blog and Podcast

About Carnegie Mellon CyLab: Carnegie Mellon CyLab is a
university-wide, multi-disciplinary research and education centre for
computer and network security, information security and software
assurance. CyLab is located in the College of Engineering at Carnegie
Mellon University. For more, see www.cylab.cmu.edu.

About RSA

RSA, The Security Division of EMC is the premier provider of security,
risk and compliance management solutions for business acceleration. RSA
helps the world’s leading organizations solve their most complex and
sensitive security challenges. These challenges include managing
organizational risk, safeguarding mobile access and collaboration,
proving compliance and securing virtual and cloud environments.

Combining business-critical controls in identity assurance, encryption
& key management, SIEM, Data Loss Prevention, Continuous Network
Monitoring, and Fraud Protection with industry leading eGRC capabilities
and robust consulting services, RSA brings visibility and trust to
millions of user identities, the transactions that they perform and the
data that is generated. For more information, please visit www.RSA.com
and www.EMC.com.

About EMC

EMC Corporation is a global leader in enabling businesses and service
providers to transform their operations and deliver IT as a service.
Fundamental to this transformation is cloud computing. Through
innovative products and services, EMC accelerates the journey to cloud
computing, helping IT departments to store, manage, protect and analyze
their most valuable asset - information - in a more agile, trusted and
cost-efficient way. Additional information about EMC can be found at
www.EMC.com.

EMC Canada (www.EMC2.ca), headquartered in Toronto with nine offices
from coast to coast, is a wholly owned subsidiary of EMC Corporation.

- 30 -