A majority of board members and senior executives responsible for critical industries in the United States do not have sufficient knowledge about their companies’ cybersecurity endeavors, according to a new research report.
The report, entitled Governance of Enterprise Security: CyLab 2012 Report, was released May 16 by Carnegie Mellon CyLab and its sponsor, RSA, The Security Division of EMC. It examines how boards of directors and senior management are managing data privacy and cybersecurity.
Seventy-five percent of the respondents to the 2012 global survey identified themselves as representing critical infrastructure sectors, such as financial institutions, energy/utilities, and the IT/telecom sector.
The survey asked whether senior executives and board members were undertaking basic cyber governance activities, such as reviewing privacy and security budgets and top-level policies, establishing key roles and responsibilities, and reviewing security assessments. It also asked whether the board was receiving information about the management of security risks, such as regular reports on breaches and the loss of data.
Of the critical infrastructure respondents, the energy/utilities sector was the most uncoordinated and unprepared, reporting that more than 70% of its boards rarely or never review privacy and security budgets; 64% rarely or never review top-level policies; and 57% rarely or never review security program assessments.
The report echoes concerns that have been voiced on Capitol Hill. NTCA’s Washington Report has been closely following Congress’ attempts to shore up our nation’s critical infrastructure through new cybersecurity legislation, currently in draft form in the House and the Senate. It remains to be seen if this legislation will ensnare rural telcos or IT companies that service critical infrastructure providers, such as electric companies, health care providers, defense contractors or financial institutions.
On its face, the report also has important implications for rural telecommunications companies that are interested in servicing energy distribution companies (and other utility providers) with broadband infrastructure. Rural telcos have foundational knowledge and expertise concerning data privacy and cybersecurity, an important selling point in consultations with potential partners and customers.