Cyber risks commanding board-level attention
The “needle has moved” in terms of boards of directors more actively addressing cyber risks, says a study released by consultant Jody R. Westby on Friday.
Three previous studies in 2008, 2010 and 2012 “revealed that boards were not actively managing cyber risk and failed to understand the linkage between information technology risks and enterprise risk management,” according to the study conducted by Ms. Westby, who is CEO of Washington-based cyber risk consultant Global Cyber Risk L.L.C.
The study, “Governance of Cybersecurity: 2015 Report,” is based on results received from 121 respondents at the board or senior executive level and was conducted through the Atlanta-based Georgia Tech Information Security Center.
Among other results, the study indicated that 63% of boards are actively addressing and governing computer and information security, compared with 33% in 2012 and 39% in 2010.
“Boards are now undertaking key oversight activities related to governance of cyber security, such as reviewing security program assessments and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks,” says the report.
It said the weakest areas of cyber governance involved reviewing security budgets and assigning roles and responsibilities for key privacy and security personnel.