Companies are leaving themselves wide open to hackers if they do not have a chief information officer and a chief security officer to protect their assets, according to a new cyber security study of global corporations.
The study, by the Carnegie Mellon University's CyLab, also found boards and senior level executives are not keeping a close watch on privacy and security matters themselves, thus not exercising their good governance duties.
"To tell you how bad it is, 70 per cent rarely, never or only occasionally review and approve security and privacy policies; 74 per cent rarely, never or occasionally review and approve roles and responsibility for IT security [personnel]; 64 per cent rarely, never or occasionally review privacy and security budgets; and 59 per cent rarely, occasionally or never receive regular reports from IT management," said Jody Westby, CEO of Global Cyber Risk and adjunct distinguished fellow at the university.
Westby said in the three years she has conducted the survey some indicators had improved, namely the number of companies that now had a dedicated risk management committee - 46 per cent in 2012, up from 8 per cent in 2010 - but it was still not enough, hence the exceptional number of breaches reported in the past 12 months.
She believed board directors and C-level executives thought it was "too hard" to grasp technical issues, preferring to leave it to the "technical department". There were some signs of improvement, however, with 27 per cent appointing an outside director with IT security expertise.
However, with 85 to 90 per cent of all company assets today being digital, boards must have full-time security and privacy expertise internally to make sure their doors are locked, she said.
The survey spoke to CEOs, presidents, corporate secretaries and board chairs in the Forbes Global 2000 list. It included Australia's largest corporates. Referring to the need for breach disclosure in some countries, such as in the United States, she said organisations should undertake steps to secure information "no matter the compliance regime".
The survey found only 13 per cent of companies had a privacy officer.
"It's no wonder there are so many breaches. Privacy, security and cybercrime are three legs of the same stool," Westby told IT Pro at an RSA press briefing in San Francisco, ahead of the opening of the RSA2012 information technology security conference tomorrow.
"They have to think of them as inter-related. Privacy programs have to be integrated with security programs, without one you don't have the couple.
"No wonder there's so much privacy information sitting there, waiting to be breached."
Referring to the possibility companies had executives in privacy and security roles but gave them a different title she said: "My response is if you're a global company you should have a CPO and a CSO."
Westby said the survey's preliminary results vindicated the CIOs who had over the years complained of not attracting enough attention from the board and not obtaining access to better security budgets and resources. The full survey results will be released in late March.
The situation in Australia shows some promise, however, with a local study released today revealing Australian CIOs are making progress with their boards.
The Telsyte Australian CIO Information Security Priorities Study 2012 found there's increased awareness of security by board and senior management locally, with focus on operating system security and disaster recovery.
Telsyte senior analyst Rodney Gedda said for many, the dark events of 2011 were "a helping hand".
"Security is often viewed by senior management as an unwanted operating expense, but when the company's reputation and revenue are exposed, as demonstrated so flagrantly last year, security becomes strategic," Gedda said.
This writer is attending RSA2012 as a guest of the company.