Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:
How can boards communicate with management about cyber risk?
How does cyber risk fit into discussions about risk appetite?
Here are some highlights from that conversation.
Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?
Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].
Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?
Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.
Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.
Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.
Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transaction or merger and acquisition? Is it [about] manufacturing processes or distribution processes?
Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.
We sometimes all wish we could go back in time to advise ourselves on how to approach a new challenge or community given the knowledge and experience we have today. For the 2015 NACD Directorship 100 (D100), each honoree was asked to do just that. D100 directors were asked to provide a short, written response to this question: “What is the best advice you would give to a first-time director?” The D100 editorial team received responses from most honorees and they ranged from pithy maxims to stories about the challenges of staying independent.
A portion of the responses from the Class of 2015 D100 directors follows. Profiles of D100 honorees can be found in the November/December issue of NACD Directorship magazine.
Gary E. Anderson
Chemical Financial Corp., Eastman Chemical Co.
“I found that the best way to [contribute] was to frame appropriate questions dealing with the topic at hand. It doesn’t matter what the issue is, whether on corporate strategy, short-term tactics, succession planning, compensation, or risk management. The use of appropriate questioning also can work at home with the family!”
Avnet, Southwest Airlines
“I fully embrace the Southwest Airlines and Avnet way of doing business: treat your people well and they will be equipped and motivated to treat your customers extraordinarily well, and that will produce distinguished rewards for your shareholders. Everyone is important, in every nook and cranny of the business, and every decision at the board level should involve the question, ‘How will this affect our people, our principles, and our culture?’”
“Know your shareholders. What are their expectations? Is the company meeting them?
“Know your colleagues. Diversity of views, backgrounds, and experience enriches the company bottom line. Learn where your colleague’s views differ from yours. Understand why. Have courage and join them in candid discussion.
“Know your management team. Do they live their values? Are they delivering results?
“Be involved in NACD, as governance is a learned skill and doing it right keeps our private enterprise system strong.”
Betsy D. Holden
Diageo PLC, Time Inc., Western Union Co.
“The best advice that I received as a new director was, first of all, choose wisely. Select an industry and company that you are really interested in, a management team that you believe in, and a board where your skills and experiences are relevant and will add value.
“Secondly, what really differentiates the best directors is how they interact with management and the other directors. Good directors are confident and courageous, and challenge management in a positive, constructive way…They understand that chemistry is the intangible that drives board effectiveness and they really listen to and treat other directors with respect.”
Nancy J. Karch
Genworth Financial, Kate Spade & Co., Kimberly-Clark Corp., MasterCard
“Some of the best advice I received as a new director was to accept that this role is different than anything I had ever done, and to have patience to learn the ropes. [A director] is an advisor, a member of a peer team, a leader on governance matters, a decision maker on some matters—[it’s] a mix unlike anything else. Plus, as in any job change, one is entering a new culture, and in the case of a board, both a company and a board culture. So be patient.”
Bemis Co., Delphi Automotive
“The best advice I received was pertinent to me both as a director and as a chair/CEO. That is: ‘Tim, be yourself, remember that is what got you here.’ [That advice] caused me to think about hard work, integrity, ethics, and striving to make the proper decisions.
“It also reminded me that as my career evolved from working summer jobs in automotive plants to the boardroom of BorgWarner, I listened to, learned from, and developed relationships with people from all levels of society. This has become a valuable tool in the boardroom. Each time ‘a sticky issue’ is discussed, I remember to think back to my previous experiences and express what I think is the proper approach.”
Sarah E. Raiss
Canadian Oil Sands, Commercial Metals Co., Loblaw Cos., Vermilion Energy
“The best advice I received came from a very seasoned director. He said that I should find a person or two on the board that I could best relate to and either ask them to be my ‘board buddy’ or just make them my ‘board buddy’ without even asking. This person would help me understand current board dynamics, help me understand the history as necessary, and provide feedback on the value I brought to the board. I have used this technique on every board to which I am appointed, [and it] has allowed me to be more productive and a valuable contributor more quickly. I am most appreciative of my ‘buddies.’”
Molina Healthcare, Park Ohio Holdings Corp.
“Three people gave me great advice when I decided to accept board positions at Molina Healthcare and Park Ohio. The first was Mary Molina, the company’s chair. It was simple but profound: ‘Remember the mission. It is the cornerstone of our corporate culture.’
“The second came from Ed Crawford, chair and CEO of Park Ohio. He said, ‘Act with integrity at all times and have the courage to do the right thing.’
“The third was from my husband, Bruce Kulp, former general counsel of Ford Europe. He counseled me to listen, get as much information as possible, trust in the power of common sense, and to always think strategically.
“Lastly, the people you deal with in management and the board are human. They have families. They have good days and bad days. Kindness is powerful, even in the boardroom.”
Olympia J. Snowe
Aetna, T. Rowe Price Group
“One of the key components of executing critical judgment is ensuring an ongoing evaluation of how the company’s short-term goals enhance its strategy for creating long-term value. That requires early and extensive director engagement in the shaping of the strategy, greater understanding and knowledge of business operations, and constant assessment and management of the risk.
“In this era of deeper investor involvement, it is more essential than ever for boards to communicate to shareholders the extent to which the independent directors are vigorously exercising their due diligence towards maximizing the value of the enterprise.”
Ronald D. Sugar
Air Lease Corp., Amgen, Apple, Chevron Corp.
“Select your boards carefully…You should be mindful of geography, meeting schedules, and be prepared to put in whatever time is necessary. And when trouble comes, you must be committed to see things through—whatever it takes.
“In well-run companies, board meetings enter a predictable rhythm, and are fairly routine. It has been said that in routine times, the quality of a board doesn’t really matter—until suddenly those moments when it matters enormously. Such ‘moments’ might include a significant market shift, a technology disruption, a planned (or unplanned) management succession, a serious regulatory or litigation threat, an environmental or safety crisis, a significant acquisition, a hedge fund activist campaign, or a hostile takeover attempt. In those moments, the board’s collective wisdom, perspective, and mature judgement can make—or break—a company.”
David A. Wilson
Barnes & Noble Education, CoreSite Realty Corp.
“The best advice came from the counsel I engaged for [a] special committee. He noted the fiduciary duties of directors formed a foundation but not the entire structure. The greatest challenge I will ever confront as an independent director, he said, is ‘independence.’ He was speaking not of the independence necessary to meet SEC and NYSE thresholds. Rather, he spoke of the independence of mind, thought and action.
“What our attorney never told me was how challenging it may be to hold fast when you are in the minority, but how critical it is to our governance system that you do.
“Polonius may have been a pompous fool, but I still find value in these words: ‘This above all: to thine own self be true, And it must follow, as the night the day, Thou canst not then be false to any man.’—William Shakespeare, Hamlet, Act 1 Scene III.”
Review the full list of D100 honorees at NACDonline.org/Magazine, and take a few moments to consider who you might nominate for inclusion in our tenth anniversary list. A call for nominees will be issued to all NACD members in early 2016.
Meet Jeannine Strandjord, a seasoned public company director whose board experience has spanned information technology to retail, and whose executive résumé includes the role of chief integration officer at Sprint, where she oversaw the transformation of the telecom giant during a period of radical change. She recently spoke with NACD Directorship magazine about her path from being a first-time director to becoming a boardroom leader and shared her best advice for new or aspiring directors.
Just what should newly minted or aspiring directors keep top-of-mind? “First of all, learn what you have to offer to that board,” Strandjord said. “Be sure that it’s something that adds value—not just that you’d like to be on a board. Second, if you really want to serve on a board, you better learn how to network. Meet as many other people as you can and find a great mentor who could be helpful in finding the right board for you. A wonderful mentor provided much of the reading material and later helped recruit me to his board, and I’ve acquired other mentors along the way through networking.”
Strandjord currently raises the bar for boardroom excellence at Euronet Worldwide, MGP Ingredients, American Century Mutual Funds, J.E. Dunn Construction, and the Ewing Marion Kauffman Foundation. To advance her boardroom education and enhance her director skills, she decided to pursue the NACD Board Leadership Fellowship. “I believe I owe it to my boards to continue my education,” she said. “Continuing education is extremely important for all board members. You can’t be as effective in any endeavor unless you keep up your skill sets, because things are changing too quickly.”
NACD Fellowship, the gold standard for director credentials, is a comprehensive program of study developed to educate directors about perennial and emerging boardroom issues and best practices. Completion of this rigorous program demonstrates a director’s serious commitment to exemplary board leadership. “NACD brings the most value in terms of the education that they provide—and I’ve been to programs at the New York Stock Exchange and the Investment Council Institute,” Strandjord said. “NACD’s program is terrific, and I really believe in it.”
Read the full interview with Jeannine Strandjord in the September/October 2015 issue of NACD Directorship magazine, where she also talks about the biggest disruptors she faced at Sprint, her experience as the first and only woman on a board, and how the decision to pursue NACD Fellowship has shaped her board service.
Future issues of NACD Directorship will introduce you to other outstanding NACD Board Leadership Fellows.
Dawn Mahler and Jesse Rhodes contributed to this piece.