CEOs – How does your company protect the information it uses? Do you know?

Blog-post by Chiranjeev Bordoloi, Tue, 11/13/2012 - 14:57

Today corporate data is at a higher risk of theft than ever before. C-level officers have the duty to protect the digital assets of their organizations. Moreover, laws and regulations impose specific privacy and cybersecurity obligations on companies. Cybersecurity requires active oversight by boards and senior executives.

Carnegie Mellon CyLab has released its third survey on how boards and senior executives are governing the privacy and security of their organizations’ digital assets. Using the Forbes Global 2000 list, the survey indicates a serious lack of attention at the top. Although boards are forming Risk Committees within their organizations, they are not regularly engaging in key cybersecurity governance activities.

One of the most important findings of the survey is that boards still are not exercising appropriate governance over the privacy and security of their digital assets. Here are more interesting findings from the survey:

  • CISO/CSOs declare that they cannot get the attention of their senior management and boards.
  • Less than one-third of the respondents are undertaking basic responsibilities for cyber governance.
  • There is still an apparent disconnect: boards and senior executives do not consistently understand that privacy, security and IT risks are part of enterprise risk management.
  • 58% of the respondents said their board did not review the organization’s insurance coverage for cyber-related risks.
  • Less than two-thirds of respondents have full-time personnel in key roles responsible for privacy and security in a manner that is consistent with internationally accepted best practices and standards.

Contrary to what some CEOs may think, information security is a boardroom issue. How does your company protect the information it uses? Do you know?

As a CEO, you have the responsibility to understand what information your organization owns, what the greatest risks to it are, and what the CISO/CSO is doing to protect it.

Here are some questions you should have an answer to:

  • How are we keeping our information safe?
  • Who is responsible for protecting our critical information?
  • Who will respond in case of a breach or an attack?
  • What kind of measurements are in place to track protection metrics?
  • How do we prevent breaches and attacks?
  • How are policies being enforced?
  • How will we respond to a security breach?
  • How do we make employees understand that security is also their responsibility?
  • What are the penalties for exposing nonpublic information?
  • Do we comply with regulatory requirements and industry standards?
  • Have we adopted a set of best practices regarding our cybersecurity needs?
Discussion
jdodge
John Dodge 885 Points | Wed, 11/14/2012 - 19:49

Getting boards to take responsibility for security seems to be a lost cause at many companies. Why do you think that is? And is it changing for the better?

pearl
Pearl Zhu 85 Points | Wed, 11/14/2012 - 18:11

Via the survey and series of questions listed in the blog, the root causes of ineffective IT governance may include: the misalignment of people, process and technology; a gap between business governance and IT governance; and how to cultivate a more risk-aware culture. The senior leaders should think of the governance effort not just as compliance, but as a driver of business growth. From another statistical report, organizations with better governance/risk intelligence can achieve 20% higher performance results than competitors. Thanks.