InformationWeek discusses a report from Carnegie Mellon on the “Governance of Enterprise Security.”
More than half of Fortune 1000 companies lack a full-time chief information security officer, only 38% have a chief security officer, and just 20% have a chief privacy officer. As a result, a majority of companies are failing to adequately assess and manage the risks that information security and privacy issues pose to their business.
Those findings come from “Governance of Enterprise Security,” a new study released yesterday by Carnegie Mellon University’s CyLab. The report is based on a survey of 66 board directors or senior executives who work at Fortune 1000 companies. Nearly half of respondents work at critical infrastructure companies. CyLab conducted a similar survey in 2008. […]
For starters, no respondent identified one of their board’s top-three priorities as involving computer or data security, and only 2% said that their board actively addressed IT operations and vendor management. Furthermore, 65% of boards failed to review their business’s insurance coverage for any cyber-related risks. […]
In another positive sign, the report found that 65% of organizations now have a cross-functional team for managing security and privacy, compared with only 17% of organizations in 2008.