Archive for the ‘The Digital Director’ Category

Cyber Experts Offer Six Tips for Director Oversight

October 16th, 2015

“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.

Cyber Panel

The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc., and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.

Below is a summary of the high points from that discussion.

  1. Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business correspondence from trusted sources, yet carry dangerous malware. One employee opening such an email could compromise an entire network’s security.
  2. Scrutinize whether management really knows where key data assets reside. It’s essential to gain confidence that management knows where “crown jewel” data assets reside in often highly distributed IT environments, and how those assets are being protected. Management also needs to demonstrate an understanding of the rationale for the access rights granted to both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting them access to your data.
  3. Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue but a significant business risk, as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates across the organization, a rising rate signals a problem. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
  4. Make sure your leadership is tapping into information-sharing initiatives. Many new initiatives have emerged to increase transparency about cyber-risks, including the sharing of information about specific incidents with law enforcement, aimed at better preparing organizations for new threats. From industry-specific resources such as the Financial Services Information Sharing and Analysis Center and cross-sector initiatives like New England’s Advanced Cyber Security Center to government-supported groups including the National Cybersecurity Center of Excellence, resources abound, and panelists urged full use of them.
  5. Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
  6. Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.

Dig deeper into leading practices by reviewing the Director’s Handbook Series on Cyber Risk Oversight and watching the panel’s full discussion.

A Former White House CIO Discusses Data Hygiene and Cybersecurity Strategies

October 15th, 2015

Consumers in the digital marketplace rarely think twice about allowing companies access to their personal information, and the companies that are amassing this data are enjoying the unprecedented business opportunities that such access entails. This exchange of information does, however, come with substantial liability risks; that information can easily fall into the wrong hands. This feature of the e-commerce landscape is causing both consumers and companies to ask: Is privacy dead in the Information Age? To explore this question, NACD Directorship Editor in Chief Judy Warner sat down with former White House Chief Information Officer and founder of consulting company Fortalice Theresa Payton during a Monday evening session at the 2015 NACD Global Board Leaders’ Summit.

Theresa Payton at 2015 Global Board Leaders' Summit

In short, privacy isn’t dead, but our concept of privacy is undergoing a transformation. Payton said that as business leaders and consumers, we need to have serious conversations about what the new—and correct—lines of privacy are. “We own some responsibilities as business leaders and government officials,” she said. “Data is hackable and breaches are inevitable. Don’t aid and abet hackers.”

It turns out that companies are inadvertently aiding and abetting hackers. First, some organizations fall victim to their own outdated view of building cyber defenses: set up as big a firewall as you can around the company’s data assets, install anti-malware and antivirus software, and consider the job done. This is a losing defensive strategy; it fails to take into account the mechanics of how and why major breaches continue to happen.

According to Payton, companies with poor data hygiene are the most susceptible to cyberattacks. When companies kept analog files, they would shred records when storage space was exhausted or when data reached a certain age. In a digital environment, storage space is cheap and seemingly limitless, meaning that data could—and probably will—live on servers for years. As time goes on and a company reorganizes, data is forgotten, creating prime points of entry for hackers. Adopting a data-“shredding” strategy is imperative.

In addition, the tools needed to hack into a system have become both affordable and readily available. Now anyone can be a hacker—and those who have chosen this path grow more adept at their craft every day. Taken altogether, this is a recipe for potential disaster.

Payton outlined best practices for maintaining optimal data hygiene:

  • Don’t keep all of your data in one place. For data you need to retain, “segment it to save it.” In other words, divide that information among multiple digital locations so that if one location is compromised, a hacker hasn’t gained access to the entirety of the data the company holds.
  • Create rules around when you no longer need data and set a schedule for “shredding” it.
  • “Shred” any data that you don’t need. Keep only data related to the attributes of consumer behaviors and get rid of the specifics (e.g., names and social security numbers). Doing so will reduce your risk of being held accountable when a breach happens.
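The retention schedule and “shredding” rules above, applied to a constructed customer record set. This is an added illustration, not code from the post or from Fortalice; the record fields, the 730-day schedule and the list of direct identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Direct identifiers that the shredding rule strips from every retained record,
# even if a business owner lists one of them as something to keep.
DIRECT_IDENTIFIERS = frozenset({"name", "ssn", "email", "phone"})

@dataclass(frozen=True)
class RetentionPolicy:
    max_age_days: int        # records inactive longer than this are shredded whole
    keep_fields: frozenset   # behavioral attributes the business still needs

def apply_policy(records, policy, today):
    """Apply the schedule and the minimization rule.

    Returns (retained, shredded_count). A record whose last activity is older
    than the schedule allows is dropped entirely; the rest are reduced to the
    policy's behavioral attributes with every direct identifier removed."""
    cutoff = today - timedelta(days=policy.max_age_days)
    allowed = policy.keep_fields - DIRECT_IDENTIFIERS
    retained, shredded = [], 0
    for rec in records:
        if rec["last_activity"] < cutoff:
            shredded += 1
            continue
        retained.append({k: v for k, v in rec.items() if k in allowed})
    return retained, shredded

def identifiers_present(records):
    """Audit check: which direct identifiers survive in a record set."""
    return {k for rec in records for k in rec if k in DIRECT_IDENTIFIERS}

# Constructed sample records (fictitious people); a fixed date keeps the run reproducible.
TODAY = date(2015, 10, 15)
SAMPLE = [
    {"name": "A. Example", "ssn": "000-00-0001", "email": "a@example.test",
     "segment": "frequent", "category": "outdoor", "last_activity": date(2015, 9, 30)},
    {"name": "B. Example", "ssn": "000-00-0002", "email": "b@example.test",
     "segment": "occasional", "category": "books", "last_activity": date(2013, 1, 5)},
    {"name": "C. Example", "ssn": "000-00-0003", "email": "c@example.test",
     "segment": "new", "category": "electronics", "last_activity": date(2015, 10, 1)},
]
# "email" is listed deliberately: the identifier rule overrides the keep list.
POLICY = RetentionPolicy(max_age_days=730,
                         keep_fields=frozenset({"segment", "category", "last_activity", "email"}))

def run_sample():
    retained, shredded = apply_policy(SAMPLE, POLICY, TODAY)
    return retained, shredded, identifiers_present(retained), identifiers_present(SAMPLE)

if __name__ == "__main__":
    retained, shredded, after, before = run_sample()
    print(f"shredded {shredded} stale record(s); retained {len(retained)}")
    print("identifiers before:", sorted(before), "after:", sorted(after))
```

The second audit function is the check a director's question on access to critical assets implies: after the schedule runs, no retained record should still carry a direct identifier.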

Furthermore, she stressed that directors should be sure to ask certain questions as they work with management to hone the company’s cybersecurity strategies:

  • Have we identified our top critical assets—those that if held for ransom, lost, or divulged, would destroy us as a company?
  • Who has access to those assets? How do we grant access?
  • Have we drilled for a cyber breach disaster?
  • Do we have a liability plan that will cover the board should critical assets be breached?

Josh Klein on How Technology is Transforming Commerce

October 12th, 2015

The word hacker carries many connotations, most of them negative. But is it possible that hacking can be a force for good? During his keynote speech at the 2015 NACD Global Board Leaders’ Summit, technologist, author, and self-described hacker Josh Klein offered a fast-paced dive into the misconceptions that directors and executives may be perpetuating without even recognizing their error.

Josh Klein

“Disruptive trends in technology, culture, and business are converging,” Klein observed before exploring four areas in which this convergence is creating unprecedented opportunities.

  1. Code. In 2006, the cost to develop a website was exorbitant by any standard. Today, thanks to the multitude of free web-development tools now on the market, the cost is next to nothing. In Klein’s words, “It’s getting cheaper and cheaper to validate your business concept.” This fact alone will grow the pool of competition exponentially, because anyone who knows enough code to use these tools and has a marketable business plan can start a company. Anyone from legitimate start-up entrepreneurs to criminal masterminds can code a site, which means that companies must anticipate and plan for competition of varying legality and ethical standing.
  2. Culture. “Tech doesn’t spring from the ether,” Klein pointed out. “It emerges from the attitudes and desires of users.” Information can be shared and spread almost instantaneously, increasing the likelihood that a company will at some point receive undesirable attention. According to Klein, technology creates a meritocracy via democratic exposure of reputation. But instead of trying to hide negative feedback, companies should get ahead of the problem and own it as best they can. He cited AirBnB as one example of how digital technologies have created marketplace meritocracies. Responding to an incident in which an AirBnB guest caused significant damage to a host’s home, the company rolled out a million-dollar host guarantee policy. This move both acknowledged the problems with the company’s old business processes and affirmed its commitment to improving those systems and protecting AirBnB hosts.
  3. Competition. With the rise in sources of competition, businesses that rest on their laurels and become complacent about their success are putting themselves in a dangerous position. Looking out over the audience, Klein underscored the obvious: “We’re all sitting here, and the innovation may be happening someplace else.”
  4. Future Context. To many of us it seems that everyone is connected by the Internet, but only about one-third of the world’s population is online. Klein observed that the remaining two-thirds may be illiterate and may not have bank accounts; they do, however, participate in the black market, which is currently valued at $10 trillion and accounts for $1 in every $7 exchanged, making it the second largest market on the planet. Companies must anticipate how these demographic shifts will create new business demands and transform the face of e-commerce.

Klein ended by entreating his audience not to panic but instead to begin experimenting, learning, evolving, and to do this all as quickly as possible. “Do it now, because if you’re not, someone else is.”