Cyber Experts Offer Six Tips for Director Oversight

October 16th, 2015

“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.

Cyber Panel

The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc., and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.

Below is a summary of the high points from that discussion.

  1. Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
  2. Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
  3. Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk, as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends simulated malicious emails to measure open and click rates across the organization, a rising rate signals a problem. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
  4. Make sure your leadership is tapping into information-sharing initiatives. Many new initiatives have emerged to increase transparency about cyber-risks, including the sharing of information about specific incidents with law enforcement aimed to better prepare organizations for new threats. From industry-to-industry resources such as the Financial Services Information Sharing and Analysis Center and cross-sector initiatives like New England’s Advanced Cyber Security Center to government-supported groups including the National Cybersecurity Center of Excellence, resources abound and panelists urged full use.
  5. Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
  6. Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.

Dig deeper into leading practices by reviewing the Director’s Handbook Series on Cyber Risk Oversight and watching the panel’s full discussion.


A Former White House CIO Discusses Data Hygiene and Cybersecurity Strategies

October 15th, 2015

Consumers in the digital marketplace rarely think twice about allowing companies access to their personal information, and the companies that are amassing this data are enjoying the unprecedented business opportunities that such access entails. This exchange of information does, however, come with substantial liability risks; that information can easily fall into the wrong hands. This feature of the e-commerce landscape is causing both consumers and companies to ask: Is privacy dead in the Information Age? To explore this question, NACD Directorship Editor in Chief Judy Warner sat down with former White House Chief Information Officer and founder of consulting company Fortalice Theresa Payton during a Monday evening session at the 2015 NACD Global Board Leaders’ Summit.

Theresa Payton at 2015 Global Board Leaders' Summit

In short, privacy isn’t dead, but our concept of privacy is undergoing a transformation. Payton said that as business leaders and consumers, we need to have serious conversations about what the new—and correct—lines of privacy are. “We own some responsibilities as business leaders and government officials,” she said. “Data is hackable and breaches are inevitable. Don’t aid and abet hackers.”

It turns out that companies are inadvertently aiding and abetting hackers. First, some organizations fall victim to their own, outdated view of building cyber defenses: Set up as big a firewall as you can around the company’s data assets; install anti-malware and antivirus software—done. This is a losing defensive strategy; it fails to take into account the mechanics of how and why these major breaches continue to happen.

According to Payton, companies with poor data hygiene are the most susceptible to cyberattacks. When companies kept analog files, they would shred records when storage space was exhausted or when data reached a certain age. In a digital environment, storage space is cheap and seemingly limitless, meaning that data could—and probably will—live on servers for years. As time goes on and a company reorganizes, data is forgotten, creating prime points of entry for hackers. Adopting a data-“shredding” strategy is imperative.

In addition, the tools needed to hack into a system have become both affordable and readily available. Now anyone can be a hacker—and those who have chosen this path grow more adept at their craft every day. Taken altogether, this is a recipe for potential disaster.

Payton outlined best practices for maintaining optimal data hygiene:

  • Don’t keep all of your data in one place. For data you need to retain, “segment it to save it.” In other words, divide that information among multiple digital locations so that if one location is compromised, a hacker hasn’t gained access to the entirety of the data the company holds.
  • Create rules around when you no longer need data and set a schedule for “shredding” it.
  • “Shred” any data that you don’t need. Keep only data related to the attributes of consumer behaviors and get rid of the specifics (e.g., names and social security numbers). Doing so will reduce your risk of being held accountable when a breach happens.
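The two “shredding” practices above, a retention schedule and keeping behavioural attributes while dropping direct identifiers, can be enforced in code rather than left to policy documents. The following is an added example written for this summary; it is not code from the post, from Payton, or from Fortalice. The rule names, retention periods, identifier field names and sample records are all constructed assumptions chosen to illustrate the mechanics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fields that identify a person directly. The post's advice is to keep the
# behavioural attributes and get rid of specifics like these. (Assumed names.)
DIRECT_IDENTIFIERS = {"name", "email", "ssn"}


@dataclass(frozen=True)
class RetentionRule:
    """One 'shredding' rule for a record type: strip direct identifiers once a
    record is older than strip_after, delete it outright once older than max_age."""
    record_type: str
    max_age: timedelta
    strip_after: timedelta


# Hypothetical schedule; the periods are illustrative, not taken from the post.
POLICY = {
    "purchase": RetentionRule("purchase", timedelta(days=730), timedelta(days=90)),
    "support_ticket": RetentionRule("support_ticket", timedelta(days=365), timedelta(days=30)),
}


def minimize(record):
    """Return a copy of the record with direct identifiers removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def identifiers_present(records):
    """Audit helper: which direct-identifier fields still exist anywhere in the set."""
    found = set()
    for rec in records:
        found |= DIRECT_IDENTIFIERS & rec.keys()
    return found


def apply_retention(records, now, policy=POLICY):
    """Apply the schedule and return (kept_records, shredded_count).

    Records of a type with no rule are shredded: data that no rule claims is
    exactly the forgotten data the post warns about."""
    kept, shredded = [], 0
    for rec in records:
        rule = policy.get(rec["type"])
        age = now - rec["created"]
        if rule is None or age > rule.max_age:
            shredded += 1
            continue
        kept.append(minimize(rec) if age > rule.strip_after else dict(rec))
    return kept, shredded


# Constructed sample data (fictional customers and placeholder identifiers).
NOW = datetime(2015, 10, 15, tzinfo=timezone.utc)
SAMPLE = [
    {"type": "purchase", "created": NOW - timedelta(days=10),
     "name": "A. Customer", "email": "a@example.com", "category": "books", "amount": 42.0},
    {"type": "purchase", "created": NOW - timedelta(days=200),
     "name": "B. Customer", "ssn": "000-00-0000", "category": "toys", "amount": 19.5},
    {"type": "purchase", "created": NOW - timedelta(days=900),
     "name": "C. Customer", "category": "books", "amount": 5.0},
    {"type": "legacy_export", "created": NOW - timedelta(days=3000),
     "name": "D. Customer", "ssn": "000-00-0001"},
]

if __name__ == "__main__":
    kept, shredded = apply_retention(SAMPLE, NOW)
    print(f"kept {len(kept)} records, shredded {shredded}")
    print("identifiers before:", sorted(identifiers_present(SAMPLE)))
    print("identifiers after: ", sorted(identifiers_present(kept)))
```

Run against the sample set, the recent purchase is kept intact, the 200-day-old purchase survives with only its behavioural attributes (category and amount), and both the expired purchase and the record of an unclaimed type are shredded. The `identifiers_present` check is the kind of measurable figure a board can ask for: how many direct-identifier fields the company still holds after its schedule has run.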

Furthermore, she stressed that directors should be sure to ask certain questions as they work with management to hone the company’s cybersecurity strategies:

  • Have we identified our top critical assets—those that if held for ransom, lost, or divulged, would destroy us as a company?
  • Who has access to those assets? How do we grant access?
  • Have we drilled for a cyber breach disaster?
  • Do we have a liability plan that will cover the board should critical assets be breached?


Advice to Board Members From Batman’s Producer: Look East

October 14th, 2015

Michael Uslan has been many things: a lawyer, a professor, an executive producer, and—most recently—a global media mogul; but he identifies most closely with the moniker that became the title of his 2011 memoir: The Boy Who Loved Batman. During an interview at the 2015 NACD Global Board Leaders’ Summit, Uslan reflected on his experience in media—ranging from Hollywood as a case study on how to think about competition to the danger of losing sight of the story to the rise of China as an indispensable partner in long-term strategic growth. In the process, he shared valuable insights that apply across industries.

Michael Uslan at Global Board Leaders' Summit

A self-described “comic-book geek” even before he could read, by the time Uslan graduated from high school, he had amassed a collection of more than 30,000 issues. “They were stacked floor to ceiling in our garage,” he recalls. “My dad never could get a car in there.” While Uslan would read almost any superhero rag within reach, he developed an early and enduring love for the caped crusader. That love drove him, at age 28, to buy the rights to the Batman franchise. He was able to purchase them for a song, even as the president of DC Comics tried to talk Uslan out of the deal, telling him that Batman was “as dead as a dodo.” Uslan was undeterred. He believed in the potential of showing a darker, more human side of Batman, to say nothing of the revenue the franchise could generate in ancillary toy, comic book, video game, and other product sales.

Armed with what he saw as a self-evident blockbuster idea, Uslan made the rounds of the Hollywood studios. He was rejected at every turn. “I was told I was crazy. They told me it was the worst idea they had ever heard.” In fact, it took 10 years to get the first film, 1989’s Batman, greenlighted; but that break gave Uslan the chance to launch, almost single-handedly, a franchise that has achieved No. 1 box-office rankings and grossed billions of dollars worldwide.

Missed Opportunities

Uslan’s experience is reminiscent of other cases in which visionary concepts were initially pooh-poohed by power brokers and industry leaders who couldn’t believe that customers would respond to something different from the status quo. Consider these two examples, cited by speakers at last year’s NACD annual meeting: John Backus, co-founder and managing partner for New Atlantic Ventures, described his company’s failure to foresee the transformative power of the World Wide Web: “I ran an Internet banking company. We were focused on the phone in the home. We missed the Internet. We missed the Internet because we had our blinders on.” Scott Kupor, managing director at Andreessen Horowitz, summed up how his company missed the boat on AirBnB: “When we first saw it, we thought, ‘This is crazy.’ We made the cardinal mistake in venture capital that I hope we never make again, which is we thought about [the proposal] in the context of our own frame of mind and what we thought was appropriate…. [W]e viewed it through the lens of our current biases.”

Digital Disruption Fuels the Rise of Techtainment

Hollywood is notoriously insular. A colleague who is both a corporate director and a veteran of the studio system once observed, “They have a model that locks others out, but the problem when you lock others out is that you lock yourself in.” Uslan noted that Hollywood is making fewer and fewer movies. As revenue models contract to a handful of familiar formulas, it becomes harder to make groundbreaking films like 1989’s Batman and the hits that followed it. None other than Steven Spielberg and George Lucas famously predicted the implosion of the U.S. film industry in a 2013 lecture at USC’s film school, citing as its principal cause the big studios’ collective fear of straying from the tried and true.

At the same time, Hollywood is facing increased competition from indie upstarts, much of it attributable to the studios themselves for underestimating the importance of mobile technology and innovative delivery systems for their products. The fate of distribution outlets like Blockbuster is already the stuff of b-school case-study legend, while major cable networks and big studios are fighting to stay relevant in a creative space that is now being rapidly colonized by newcomers like Amazon Studios, Netflix, and Hulu.

“It’s a new world,” Uslan observed, “and it’s changing so fast.… Netflix, Amazon, Google, Yahoo, Microsoft—these are the names that are becoming more and more prominent; as you look to the future, they may be the names that compete with or even supplant the names of the studios and networks we know today. Add to that rapid changes in technology [that enable filmmakers] to get their products directly to the individual consumers—whether they want to see it on a big screen, on their wristwatch, in their glasses, or maybe one day projected on the moon.”

Uslan also cautioned against becoming so enamored with a product that a company loses sight of its overarching value proposition. He cited both the decline in box-office revenues and in the target age of audience members, which has dipped to 25 years old. Couple that with the aforementioned fear of innovation, and Uslan sees a clear connection. “I always say there are 10 great rules to making a great movie,” he said: “No. 1, story; No. 2, story; 3, story; 4, story; 5, characters; 6, characters; 7, characters; 8, story; 9, story; 10, story. And as long as they remember that, we’re great. If instead they become enamored of these toys, these special effects, and just want to top the person who came before them, then you wind up with shoot-’em-up–blow-’em-ups that are unsatisfying to anyone over the age of 18.” Substitute the phrases “value proposition” and “corporate mission” for the words character and story in Uslan’s rules, and you have a prescient lesson for every company.

Beyond Borders: The New Hollywood

Discussion of disruption wasn’t limited to technology. Uslan’s message for the director audience: “China, China, and China.” The Asian continent is home to 1.5 billion new media consumers, and by 2018, China will surpass the U.S. as the largest film market in the world. When that happens, decision-making will move from Hollywood to Beijing and Shanghai, generating seismic aftershocks in the way that media is created and consumed. It comes as no surprise then that Uslan is looking to that region of the world for much of his future business. Last month he inked a large deal with one of China’s leading production companies, Huace, and just this week announced a deal with Huayi Brothers Media to launch a film and TV franchise based on the “Thunder Agents” comic book series. “The sleeping giant has awakened,” Uslan says of China and cautions that success in the region hinges on building both relationships and true cultural understanding.

“We have spent the past two years going to China, having a presence there, developing relationships, nurturing friendships, building trust—investing two years before we sat down to make deals—and that I think has been one of the most important aspects of what we’re doing and how we’re approaching it,” Uslan observed. “We are looking for true partners; we want full, 50/50 partnership; we want you sitting at the table with us; we want you engaged with us; and we want you to make us understand what is authentic to China, what is culturally sensitive to China, so that it’s not just our Westerner’s imposition,” he continued.

When asked about the Chinese consumer base, Uslan shared perhaps his biggest surprise to date—the success of a decidedly American superhero movie. “I have been absolutely amazed…. Consider this in the last year: the movie Captain America played well in China. Captain America! Dressed in a red, white, and blue American flag, solving everyone’s problems—culturally that was amazing to me and a real eye opener.… The Chinese are open to American culture and world culture, and we must be open to theirs as well,” he said. “That is the only way this is going to work.”

Uslan shared similar observations about working with Chinese executives. “What I love about the business culture in China is that it’s very close to ours,” he said, “I worked for a number of years in Japan, and I have to tell you that in all the meetings I had in Japan, there was never one situation where there was a female executive at any of the meetings I attended. In China, it’s probably 50 percent, and it’s a very comfortable feeling working with them; and they are open to learning and sharing on that level. Our relationship has been one truly built on friendship and, hopefully, trust going forward.”

Uslan summed up his observations with a challenge to the audience—stay curious, move outside your comfort zones, and be willing to re-imagine what’s possible: “Things are changing so fast now—if you don’t do that, the risk of your becoming irrelevant is very high.”
