The Boardroom Reality of Cyberattacks

May 23rd, 2013 | By

It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begin the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.

Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.

Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. According to a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.

At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.

  • Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
  • Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
  • Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead a “death of one thousand cuts”—a slow creep of proprietary information.
  • Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
  • Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
  • Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “What forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.

Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.

NACD Board Names Dr. Reatha Clark King Chairman

May 23rd, 2013 | By

On May 23, NACD announced the election of Dr. Reatha Clark King as chairman of our board of directors. While Reatha’s role as chair is new, her relationship with NACD goes back many years. She has been a member of NACD since 1993, an NACD director since 2005, and chaired the governance committee in recent years.

An unconventional path

Reatha’s directorship experience is extensive; she has served on the boards of ExxonMobil, Wells Fargo & Co., H.B. Fuller Co., Minnesota Mutual Insurance Co., and The Lenox Group—in addition to several nonprofit organizations. She has followed, however, what I would call an unconventional path to the boardroom. After earning undergraduate degrees in chemistry and math and later a PhD in chemistry from the University of Chicago, Reatha began her career in the sciences, working as a research chemist for the National Bureau of Standards, and then becoming a professor of chemistry and an academic dean at York College. After earning another degree—this time an MBA—she became the president of Metropolitan State University in Minnesota. Reatha was then tapped to head the General Mills Foundation, where she spent 14 years leading the company’s community initiatives. From there, she added the aforementioned board seats to her already impressive resume.

Preparing for 2020 and beyond

Looking ahead, Reatha’s experience in both the corporate arena and academia makes her particularly well-suited to guide NACD and its NACD Directorship 2020 initiative. NACD Directorship 2020 aims to help boards understand, define, and prepare for the emerging and evolving issues that will shape the future of directorship. It gives me great confidence that Reatha will be leading our organization as we prepare for 2020 and beyond.

I’m also honored that Barbara Franklin, who has led our board for the last four years, will continue to serve as a director until May 2014. Barbara has had a tremendous impact on NACD, overseeing our unprecedented membership growth during her tenure and helping us solidify our position as the authority on leading boardroom practices.

As I look at our excellent board of directors and management team, I am more confident than ever in NACD’s ability to deliver on our mission to advance exemplary board leadership.

Succession and Sport

May 16th, 2013 | By

As reported in Directors Daily last week, Sir Alex Ferguson, manager of publicly traded Manchester United, announced his retirement. While the retirement of a sports figure, especially an English football (soccer) manager, would not normally provide fodder for an NACD blog post, Ferguson’s resignation underscores the need for succession planning and talent development, and serves as yet another warning about the risks of social media.

A soccer manager is often the most public face of the organization. Although Ferguson was not a traditional member of the C-suite, his relevance is illustrated by the announcement of his retirement. Within minutes of the open of trading following the resignation announcement, Manchester United’s stock price fell more than 5 percent. Directors, especially those who serve organizations where non-CEO employees maintain high levels of public visibility or influence, may want to look closely at Ferguson’s retirement as an example of a high-profile succession. While a coach of a sports franchise is a unique case, this succession plan looks to have been a long-term process resulting in unanimous board approval for the retiring manager’s recommended candidate.

The average tenure of a Fortune 500 CEO is 4.6 years[i], while the average tenure of a high-level English soccer manager is only 2.1 seasons. In a profession defined by short-termism, Ferguson successfully managed his club for over 26 years, nearly 10 years longer than the next-longest-serving Premier League manager. The Manchester United board allowed Ferguson to take the lead in the search for his own successor, and even allowed him to make the approach to the succession candidate. It is unusual for a board to cede so much control over the succession process. With directors serving for an average of nine years, their experience and longevity are essential to maintaining corporate continuity throughout the succession process. The board’s role in developing potential succession candidates is one aspect of executive talent development being explored by this year’s NACD Blue Ribbon Commission. The October release of the commission’s report will also examine the value of internal development, backed by a number of studies comparing internal and external succession.

The appointment of an outsider to the position of Manchester United manager was expected, but boards may wish to consider the value of recruiting internal candidates for CEO and other senior executive positions. Studies show that internally recruited CEOs deliver greater total financial performance and are more likely to retain the position[ii]. Also, senior executives hired from the outside have higher rates of failure than those internally promoted[iii], and organizations with greater reliance on external hires have twice the turnover of organizations that rely on internal promotions[iv]. While these studies point toward internal succession policies, boards may look outside when searching for fresh perspectives and thinking, or even when contemplating a change in strategy. While Manchester United had been the world’s most valuable soccer club for many years, it fell to second in 2013. Could the appointment of an outside manager mean a change in strategy aimed at regaining the club’s title as the most valuable soccer team in the world?

While Manchester United’s transition process may appear successful, the announcement of Sir Alex Ferguson’s successor did not unfold as planned. There was no “the king is dead, long live the king” announcement; Manchester United announced the impending resignation but waited until the next day to name the future manager. In that short span of time, social media threw a snag in the carefully planned announcement. Prior to officially naming Ferguson’s successor, Manchester United mistakenly tweeted a link to its Facebook page that congratulated the new manager, David Moyes, on his appointment; the tweet and Facebook page were withdrawn within one minute. Moyes had been predicted as the successor, so the ill-timed social media announcement did not receive the same level of attention as other high-profile public company social media announcements. These events surrounding the succession announcement underscore risks posed by social media. In this case, it seems that human error, not a technological glitch, was the source of the problem, reinforcing the fact that while directors’ focus on IT risk is important, they can’t neglect old-fashioned human risk.

In a rare overlap of soccer and governance, Manchester United can provide directors with an example of a high-profile non-CEO succession that has received significant attention worldwide.