Carnegie Mellon’s CyLab conducted a survey “to measure the degree of governance afforded by boards of directors and senior management to the security of their organizations’ information, applications, and networks.” CyLab found that, among the survey respondents, there is little corporate board or senior executive oversight of cybersecurity projects.
The survey also found:
- Boards were involved in privacy compliance reviews only 19% of the time, in assessments of risk related to IT or personal data only 31% of the time, and in security breach notification plans only 21% of the time.
- 56% of respondents said they only occasionally or rarely reviewed and approved top-level policies regarding privacy and security risks; an additional 23% said they never did.
- 62% of respondents said they only occasionally or rarely received reports from senior management regarding privacy and security risks; an additional 15% said they never got such reports.
The report “is based upon data received from 703 individuals serving on U.S.-listed public company boards. More than two-thirds of the respondents were serving as outside board directors, with the remainder of respondents representing inside directors and non-voting board attendees (including senior management, general counsels, and corporate secretaries).”