Corporate Boards in the Dark About InfoSec

Where does your board stand when it comes to involvement in information security issues? If it’s like the ones surveyed by Carnegie Mellon’s CyLab center, the answer is in the dark.

Just over a third of outside directors who serve on the boards of public companies surveyed say their board has any visibility on information security issues, according to the CyLab survey; CyLab is the university-wide center that focuses on issues of security.

Similarly, just 31 percent of the 706 directors who responded to the survey say their boards were involved in the assessment of risk related to IT or personal data. Only eight percent of respondents reported that their board has a risk committee separate from the audit committee, and only 12 percent of those surveyed said their company had established a functional separation of privacy and security.

Carnegie Mellon used the survey to recommend broad operational changes “from establishing a board risk committee separate from the audit committee to reviewing existing top-level policies, to create a culture of security and respect for privacy.”
