Cybersecurity risk management by boards and senior executives: 12 recommendations

According to Forbes, a recent Carnegie Mellon study has found that corporate boards “are not actively addressing cyber risk management.” The researchers collected data from corporations worldwide and across all industrial sectors, and found that while boards actively attend to risk management as part of their oversight, “there is still a gap in understanding the linkage between cybersecurity risks and enterprise risk management”.

The study’s report, well worth reviewing for its instructive if sometimes disturbing findings, concludes that by implementing the following twelve recommendations, boards and senior management can “significantly improve their organizations’ security posture and reduce risk”:

  1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
  2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.
  3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.
  4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
  5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
  6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
  7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.
  8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
  9. Require regular reports from senior management on privacy and security risks.
  10. Require annual board review of budgets for privacy and security risk management.
  11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
  12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

“Boards Are Still Clueless About Cybersecurity,” Forbes (May 16, 2012).

“Governance of Enterprise Security: CyLab 2012 Report — How Boards and Senior Executives Are Managing Cyber Risks,” by Jody Westby, Carnegie Mellon CyLab (May 16, 2012).
