Critical industries don't grasp IT risks, study shows
- By William Jackson
- May 21, 2012
A study by Carnegie Mellon cybersecurity researchers found that top corporate executives too often are disengaged from management of cyber risks to their organizations and that operators of critical infrastructure tend to lag behind the more highly regulated financial services industry in overseeing cybersecurity and privacy protection.
The report, “How Boards & Senior Executives are Managing Cyber Risks,” found that despite some improvements during the four years since the researchers’ first study, there still is a lack of understanding of the importance of IT risks in overall enterprise risk management. Key activities such as review of budgets, security program assessments and assignment of roles and responsibilities for privacy and security often are not being addressed at the board level or by C-level executives.
The study also found that, overall, the financial sector has better privacy and security practices than other sectors, a finding that Sen. Joseph Lieberman (I-Conn.) said supports the argument for regulation of the nation’s critical infrastructure industries.
Spear-phishing attacks hit gas pipeline networks
Bipartisan cyber bill now the center of partisan turf war
“The poor cybersecurity ranking of the energy sector and other utilities reinforces repeated warnings about the vulnerability of our most critical infrastructure,” Lieberman, who chairs the Senate Homeland Security and Governmental Affairs Committee, said in a prepared statement.
The senator cited a recent Homeland Security Department alert that the natural gas pipeline industry has been targeted by cyberattacks that have compromised some networks. “Congress must move without delay — before a cyberattack occurs — to require the most insecure networks to meet minimum security requirements,” he said.
The study is the third in a series of biennial surveys done by Carnegie Mellon CyLab, the Pittsburgh-based university’s cybersecurity research and education center. It builds on similar surveys done in 2008 and 2010 and is based on results from 108 executives and board members from Forbes Global 2000 companies. Three quarters of this year’s respondents are from critical infrastructure companies.
The study addresses top management’s engagement rather than the actual security status of their organizations, and found for the third time that cyber risk management is not being adequately addressed.
Respondents showed that executives in the financial sector pay more attention to IT and security issues and are more engaged in budget reviews, roles and responsibilities, and top-level policies than those in utilities, IT and telecom, and industry sectors.
Critical infrastructure protection is emerging as a hot-button issue in Congress, and several competing bills have been introduced in both houses as government’s role in the process is being debated.
Lieberman is championing broad legislation that has received some bipartisan support. It would have the DHS oversee the security of privately owned critical infrastructure, including the authority to set baseline standards for operators. A Republican task force last year called for a piecemeal approach to security, with a focus on information sharing rather than regulation, and with no oversight authority for DHS.
Although there is general agreement that better information sharing is needed within the private sector and between the private sector and government, Lieberman said more than that is needed.
“As national security, homeland security and intelligence officials have clearly stated, information sharing is not enough,” he said. “Security standards must be put in place to protect our national security, our economic security and the future of our country.”
The Carnegie Mellon study includes a dozen recommendations for closing gaps in governance of enterprise security, including creating committees with authority for risk management within boards of directors and establishing accountable, independent C-level officers with responsibility for security and privacy.
Although separate roles and responsibilities for privacy and security are recommended, cross-organizational teams also are needed to effectively address the full range of concerns, the report states. These teams would bridge chief financial, information, security and privacy officers, as well as business line executives.
William Jackson is freelance writer and the author of the CyberEye blog.