Business Roundtable wants CEOs to play bigger role in cybersecurity

Find opportunities — and win them.

Corporate chief executives must take individual and collective responsibility for the nation's cybersecurity, but they may need more management tools to do that effectively.

Corporate chief executives must take individual and collective responsibility for the nation's cybersecurity, but they may need more management tools to do that effectively, according to a new Business Roundtable report.

The critical infrastructure that makes up cyberspace is largely owned and operated by the private sector rather than the government, according to the roundtable report, "Committed to Protecting America: CEO Guide to Security Challenges."

As a result, "securing cyberspace is mainly a private sector responsibility to be shared by suppliers and end users of IT products and services," the report said.

Furthermore, since managing risks and safeguarding assets are CEO functions and cannot be delegated, CEOs must take the lead in the drive for cybersecurity, the report continues.

But there is a lack of management guidance available. Also lacking are accepted standards for corporate managers to follow and metrics to define success, the report said.

"The very frameworks needed to ensure robust network security are only just now being developed," the report said. "Auditing professionals are still attempting to clarify roles and responsibilities, for example, for managing information technology security issues."

Oversight boards have not offered details, either. "Although the Public Company Accounting Oversight Board and the Securities Exchange Commission agree that IT plays an important role in IT integrity, the oversight board does not detail guidance that management and others should use for the myriad cyber issues that confront the modern corporation," the roundtable stated.

Furthermore, there is no single auditing standard to apply to controlling cyber-risks, the report said. "Lack of harmonization of standards to certify cyber assurance presents a particular challenge for corporate officers," the report said.

In addition, creating and implementing performance metrics is still in the early stages. "The use of even rudimentary metrics will begin a long-term process of inculcating cybersecurity into the corporate culture," the report said.

The roundtable, an association of 160 chief executives of major companies, released two anti-terrorism guides on its Web site today to assist managers in improving homeland security and preparedness. The guides cover topics including a CEO's role, board involvement, planning and human resources in addition to cybersecurity.

"Each CEO in American has a crucial role to play in the ongoing war against terrorism," the report said.