South African executives seem to think security and risk management are an evolving art that simply takes care of itself. Risk management is commonly delegated to individual executives with little oversight and no objectives against which their performance can be measured.
“With new standards, such as the King III report, companies are well aware that risk management is a precise science that can and should be measured in conjunction with corporate governance, risk and compliance processes,” says Phillip Gerber, MD of Magix Security.
“However, many company executives choose not to get involved in risk and security issues, rather leaving it to the chief information security officer (CISO), or another senior colleague, with the hope that all goes well.”
Unfortunately, this attitude is also common among international executives. At the RSA 2012 Conference earlier this year, Carnegie Mellon's CyLab presented research showing that “boards and senior management still are not engaging in key oversight activities, such as setting top-level policies and reviews of privacy and security budgets to help protect against breaches and mitigate financial losses”. [i]
The report also states that over 70% of top-level executives “said they either occasionally, rarely or never review the roles and responsibilities of their top IT security and privacy officials. And more than 70% operate the same way when it comes to reviewing top-level policies on IT security and privacy risks.” [ii]
Gerber says many executives would rather assume everything is running perfectly than get involved in the complexities of vulnerability audits and risk mitigation strategies. Even when a serious compromise is detected, South Africa has no breach disclosure laws, so breaches and the loss of confidential company or customer data are swept under the rug.
Additionally, many executives not only leave risk management responsibilities to someone else, but some even shield their security colleagues from accountability. This is possibly because taking them to task would only expose the executives' own ignorance and lack of oversight.
“These problems may change when the Data Protection Act is passed into law, but we've been waiting for it for a long time with seemingly no progress,” Gerber notes. “The reality is that executives will continue to do the minimum until they are personally at risk of legal or civil action.”
He adds that while security and risk management is a complex task, it does not have to be an overwhelming one. Just as cyber crooks take advantage of modern technology to simplify their criminal activities, corporations can use technology to protect themselves from external and internal risks.
“From the traditional firewalls and intrusion prevention solutions, through to systems that automatically and seamlessly monitor employees' activities, the bulk of the processes involved in managing security risks can be handled by technology,” Gerber says. “Where we need human intervention, however, is in the serious task of developing strategies and effectively overseeing their implementation - in other words, management.”
[i] http://www.emc.com/about/news/press/2012/20120227-02.htm
[ii] http://www.darkreading.com/insider-threat/167801100/security/security-management/232601610/rsa-top-level-execs-not-on-top-of-risk-management.html
Magix Security
Magix Security is an enterprise risk management company that specialises in identifying and eliminating risks and threats that emanate within organisations. The company provides technology-assisted information security, IT risk management and IT compliance services and solutions to a wide array of businesses and organisations across South Africa. Its technology-based solutions help detect and prevent the abuse of data and misuse of applications, IT assets, and authority. In doing so, Magix Security helps its clients to eliminate the “Insider Threat”, where the bulk of transgressions are known to occur and originate. It also helps clients manage their compliance and governance, eliminate fraud, information leakage, acts of sabotage, collusion and bandwidth abuse.
Magix Security is a privately owned South African company with offices in Johannesburg and Cape Town. Further information can be found at http://www.magix.co.za.