Saturday, May 26, 2012

Organizations Still Not Taking IT Security Seriously

How Are Organizations Still Not Taking Cyber Security Seriously?

How is it that, in this day and age, senior leaders are still clueless about the significance of cyber security? In a 2012 report by Carnegie Mellon's CyLab, the researchers found that organizational leaders are inept at protecting and safeguarding critical assets against those who wish to exploit their vulnerabilities. This is particularly true of the industries that make up the majority of our critical infrastructure, such as industrial, financial and utility firms, which together comprised 75 percent of the survey. We have emphasized how crucial it is for organizations to incorporate the governance and risk management approaches that are essential to the viability and protection of society at large. For example, ISACA is one organization that gives you access to the critical information you need to succeed and add value, via its talented global community of IT audit, information security and IT governance professionals, as well as frameworks such as COBIT 5. Getting back to the survey, it researched whether senior leadership were taking initiatives such as reviewing privacy and security budgets and top-level policies, establishing key roles and responsibilities for privacy and security, reviewing security program assessments, and whether leaders were being provided with the information imperative to the management of cyber risks, such as regular reports on breaches and the loss of data. Standards, policies and procedures such as those provided by ISO 27000 or ISO 13335 could easily be used as a guide and approach for organizations to follow; however, that appears not to be the case. The industry that was the worst culprit was the utility sector. That is scary, especially in light of how much of our infrastructure this industry is responsible for.

In the utility sector, 71% of boards rarely or never review privacy and security budgets; 79% rarely or never review roles and responsibilities; 64% rarely or never review top-level policies; and 57% rarely or never review security program assessments. The utility industry also had the fewest IT security committees at the board level and placed the least value on IT experience when recruiting board members, and the industrial sector was not far behind. Although the survey did state that the financial sector had the best security practices, it still had several gaps in security governance. For example, 52% of the financial sector respondents said that their boards do not review cyber insurance coverage, and only 44% of them actively address computer and information security. It was also shown that 42% of the financial sector's boards rarely or never review annual privacy and security budgets, and 39% rarely or never review roles and responsibilities. It must be noted that the financial sector did in fact have one of the highest percentages of CISOs and CSOs who are responsible for both privacy and security, along with segregation of duties. This is pretty scary when one really begins to think about it. Let's hope these boards begin to implement the appropriate countermeasures by taking a more proactive approach to IT security, instead of waiting to react to something that can cause a catastrophic event beyond our wildest dreams!
