In a new report from Carnegie Mellon's CyLab, the energy and utilities sector ranked lowest in IT governance and security in comparison to other industries.
The study, titled “The Governance of Enterprise Security: CyLab 2012 Report”, found that cyber security as a priority was lowest among those organizations that administer aspects of the nation's critical infrastructure.
The report provides a side-by-side analysis of governance and security oversight across several industries, including utilities, the financial and industrial production sectors, and was co-sponsored by Forbes and security provider RSA.
“Of the critical infrastructure respondents, the energy/utilities sector had the poorest governance practices. When asked whether their organizations were undertaking six best practices for cyber governance, the energy/utilities sector ranked last for four of the practices and next to last for the other two,” wrote the study's author Jody Westby.
The findings reported by Forbes are as follows:
- 71 percent of their boards rarely or never review privacy and security budgets.
- 79 percent of their boards rarely or never review roles and responsibilities.
- 64 percent of their boards rarely or never review top-level policies.
- 57 percent of their boards rarely or never review security program assessments.
“What is disturbing about these findings is that the energy/utilities sector is one of the most regulated industry sectors and one of the most important to business continuity,” Westby said.
She also noted that Industrial Control Systems (ICS) and SCADA controls "were not designed for security and have no logging functions to enable forensic investigations of attacks."
Also of concern was the finding that the energy and utility sector “placed the least value on IT experience when recruiting board members,” Westby noted.
While the energy and utility sector rated poorly in the study, the other sectors surveyed did not fare much better, and the report further underscores the disconnect between the Board of Directors and organizational security.
In March, CyLab issued the third in a series of reports examining information security governance from the standpoint of corporate Boards.
The report, which utilized a data pool selected from the Forbes Global 2000 list, shows that little has changed in the way of a concerted focus on cyber security by those at the highest levels of leadership in some of the world's largest corporate entities.
"Boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets. Even though there are some improvements in key “regular” board governance practices, less than one-third of the respondents are undertaking basic responsibilities for cyber governance. The 2012 gains against the 2010 and 2008 findings are not significant and appear to be attributable to slight shifts," the report noted.
The findings showed that around half of the respondents indicated that the Boards of Directors rarely or never engage in policy reviews for IT security, assessments of the roles and responsibilities for senior level security managers, or actively exercise oversight of annual security budgets.
In addition, only about a third of respondents regularly or occasionally receive and review reports regarding the state of enterprise information security risk management.
The report also found that on average less than two-thirds of the corporations examined did not have senior level security and privacy personnel in place, such as a CSO or CISO, and only about thirteen percent had a Chief Privacy Officer in place.
Overall, the report did show slight improvements over the results from the 2008 and 2010 studies, but the long and short of it is that corporate Boards of Directors have still not adequately embraced privacy and security matters, even in the wake of well-publicized and obviously damaging security events.
The lack of urgency in addressing enterprise security issues ultimately leaves companies and their stakeholders at risk of impact from a catastrophic data loss event.