I watched with interest as Senators Jack Reed (D-RI) and Susan Collins (R-ME) advanced bipartisan legislation that would require companies to disclose whether they have a director with cyber expertise on the board, and if not, why. Regardless of whether it passes, the Cybersecurity Disclosure Act of 2015 has apparently widened the door for shareholders and regulators to increase their pressure on boards and hold them more accountable for being proactive about understanding the company’s cybersecurity risk.
As someone who has witnessed the global cybersecurity battlefield at close range for over 14 years, I wholeheartedly agree that boards should increase their knowledge of cyber related risks and engage more proactively with the company’s strategy for mitigating them. Yet for boards to rise to Sen. Reed’s challenge that companies “have the capacity to protect investors and customers from cyber-related attacks,” it’s important to solve for the problem and not just the perception. Electing a cyber-expert to the board could certainly be helpful for companies. However, it may not be practical at this time. Nor does it solve for capacity.
No matter what risks they oversee, from financial to geopolitical, board members have an obligation to avail themselves of the right information to make informed decisions that safeguard shareholder value. This is no less true of cybersecurity risk. In order to empower an effective security program, the board should seek the right information and expertise on which to base its decisions about tolerance, investment, policy, and practice. That information includes, but is not limited to: a solid understanding of the threats, the results of a well-prepared cybersecurity risk assessment, and a roadmap that articulates desired outcomes and metrics for monitoring effectiveness.
Companies are trying to answer the questions: “How do we know if we’re making a reasonable and appropriate effort to mitigate these risks?” and “How do we measure and rationalize our security investment in the context of corporate strategy and risk tolerance?” I believe boards and their committees should oversee the cyber risk similar to the way the audit process manages financial risk.
Seek a balanced view of Information Technology (IT) security and IT enablement. Give both sides adequate time on the boardroom agenda at each meeting. You’ll gain insights on how strategic initiatives add risk so they are addressed earlier with less disruption, but you’ll also have the added benefit of exploring how security can enable those initiatives.
Ask whether the cybersecurity program has early warning capabilities that reduce time-to-respond. And if not, ask when to expect them. The goal is resilience, not the elimination of risk. Defense is not the endgame. The goal is to reduce the time it takes to detect and respond to the threats targeting your company’s digital assets. Early response is the cornerstone of mitigating risk and damage. Boards should ask if there is a one- to three-year roadmap for achieving an early warning system that increases visibility and applies threat intelligence to existing solutions, at a minimum, for a more proactive security posture.
Be sure that specific “point solutions” are not confused with the company’s cybersecurity strategy. New technology solutions may be necessary, but being resilient against the threats will depend on how those solutions are integrated, managed and governed as a whole. Ask your cybersecurity officer “what are the desired outcomes?” and “what is the roadmap for getting there?” It’s better to crawl-walk-run toward a well-integrated, manageable program than to jump at every new solution. It’s not about how many “boxes” are deployed to stop the adversary. It’s about how well you’re organized for the fight.
Seek the right threat and risk monitoring dashboard. Security officers with a proactive security program in place should be able to answer: “Are there threat actors in our systems now?”, “If the answer is no, how can we be sure?” and “How do we know they’re there?” Another important metric to monitor is how well the company is improving its “time to respond” to incidents.
And finally, seek third party input and intelligence to aid informed decision-making. Cybersecurity risk is asymmetric, so any security program that provides early warning is going to need threat insights beyond a company’s own experience to date. The right security expertise can help you identify your most likely threats based on global threat intelligence gathered from outside the company’s own limited experience. A third party can also help your security team assess the effectiveness of its current posture against those real-world threats by simulating the attacks. With capabilities in place to anticipate the real threats and prioritize effort, you can greatly expand the security program’s capacity and effectiveness.
It’s inevitable that more and more board members will come to the table with a working knowledge of IT enablement and IT security over time. But for now, boards can take a more proactive and knowledgeable stance by: seeking equal input from IT security and IT enablement leaders; leveraging third party threat intelligence and expertise; and monitoring the company’s progress toward a stronger security posture with “early warning” capabilities that mitigate risk with faster response. These measures go beyond the appearance of “prioritizing” cybersecurity. They add up to tangible improvements in risk mitigation on behalf of all the company’s stakeholders.
Mike Cote is CEO of SecureWorks, a global cybersecurity services firm that provides an early warning system for evolving cyber threats, enabling organizations to prevent, detect, rapidly respond to and predict cyberattacks. SecureWorks minimizes risk and delivers actionable, intelligence-driven security solutions for more than 4,200 clients in 59 countries.
Board risk reporting is a subject of debate within many organizations as directors often consider reports to be too detailed or not actionable. Simply stated, risk reporting should enable the board and its respective committees to understand and govern the organization’s risks. To that end, here are six interrelated “board risk reporting principles” intended to foster reporting that focuses directors on the risks that matter and enables them to bring to bear their knowledge and expertise in ways that add and preserve enterprise value:
Focus on critical enterprise risks and emerging risks. The critical enterprise risks represent the top risks that can threaten the company’s strategy, business model or viability and consequently warrant the most attention from the board’s risk oversight process. The board also needs to be mindful of emerging risks triggered by unanticipated and potentially disruptive events of varying velocity, ranging from catastrophic events—for example, a pandemic or hurricane—to existing risks accelerated by external and/or internal factors in unexpected ways, such as the impact of deteriorating underwriting standards or the demand for an endless supply of mortgage-backed securities on the subprime market that led up to the 2008 financial crisis.
Address ongoing business management risks on an outlier basis. Every business has myriad operational, financial and compliance risks. For those risks that are not critical enterprise risks, risk reporting should be integrated with periodic status reports on line-of-business, product, geographic, functional, or program performance. Reports on these risks should also be triggered by the escalation of unusual matters that require immediate board attention, such as exceptions against established limits (i.e., limit breaches). The point is that reporting on the day-to-day risks should not be as frequent as reporting on the critical enterprise and emerging risks.
Ensure risk reporting is linked to key business objectives. Realistic and measurable objectives support the organization’s overall strategy and business plan. Risks related to those objectives may impact the organization’s ability to achieve those objectives and execute the strategy and plan. The relevancy of risk reporting is more firmly established with directors when it is closely tied to strategic business plans and the critical objectives and initiatives management has communicated to them.
Use risk reporting to advance dialogues around risk appetite. A winning strategy exploits the areas in which the organization excels relative to its competitors. The risk appetite statement serves as a guidepost for when a new market opportunity or significant risk emerges. Although dialogue around risk appetite has advanced at the board level over recent years, there is still plenty of room for improvement. Once executive management and the board agree on the drivers of—and strategic, operational, and financial parameters around—opportunity-seeking behavior, the resulting risk appetite statement is a reminder of the core risk strategy arising from the strategy-setting process. Risk reporting should call attention to the level of risk the organization is undertaking in the pursuit of value creation and disclose when conditions change and the agreed-upon parameters are approached or breached.
Integrate risk reporting with performance reporting. When stakeholders (e.g., owners of corporate, line-of-business, product, geographic, functional or program performance goals) report on performance to the board, they should also disclose the related key risks. Linking opportunity-seeking behavior and the related risks is important as it enables each stakeholder reporting to the board to engage in a dialogue with directors on: the underlying risks and assumptions inherent in executing the strategy and achieving performance targets; the “hard spots” (i.e., the aspects of the plan that are well within reach to be achieved) and “soft spots” (i.e., the riskier parts of the plan) inherent in the performance plan; the implications of changes in the business environment on the core assumptions and desired risk levels underlying the strategy; and the effectiveness of risk management capabilities. The effectiveness with which risk reporting is integrated with performance reporting is a powerful indicator of the enterprise’s risk culture. If risk reporting is an appendage to performance reporting, risk is more likely to receive limited board agenda time.
Report on whether changes in the external environment affect the critical assumptions underlying the strategy. Risk reporting should provide insights as to whether executive management’s assumptions about markets, customers, competition, technology, regulations, commodity prices and other external factors remain valid. Reporting should focus on whether changes in these environmental factors have occurred, which could alter the fundamentals underlying the business model. Boards place high value on “early warning” capability.
The above principles are not intended to prescribe specific reporting practices, but rather offer sound direction for the board and management to pursue in improving the substance and content of the reporting.
Questions for Boards
The following are suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
Does the board periodically evaluate the nature and frequency of management’s risk reporting?
Do directors work with management to agree on risk information the board and its committees require?
Is the board satisfied that both full board and board committee agendas allocate sufficient time to risk?
Do directors think they receive sufficient information on changing risks to avoid surprises?
Jim DeLoach is a managing director with Protiviti, a global consulting firm.
On July 17, NACD hosted a Directorship 2020® forum in Seattle that focused on how disruptive forces are changing the way companies do business. Through keynote addresses, expert panels, and small group discussions, the program provided an in-depth look at environmental and innovative disruptive forces and how boards can oversee management of the risks and opportunities such forces create. This event was held in partnership with Broadridge Financial Solutions, KPMG’s Audit Committee Institute (ACI), Marsh & McLennan Cos., and PwC.
In his keynote address, Hewlett-Packard Co. (HP) Global Director of Sustainability and Social Innovation Nathan Hurst examined the nexus of environmental issues and innovative technology. Motivated in part by concerns about the anticipated effects of climate change, consumers are more alert than ever to the impacts that businesses and their products are having on the environment. As our increasingly data-driven society shifts to digital media, the new technologies being used to store, manage, and process this data are producing a larger environmental footprint than one might expect. Hurst estimates that if cloud computing were a country, it would rank as the fifth largest country in the world in terms of energy use.
According to Hurst, companies must understand their environmental footprint in order to leverage the opportunities provided by “big data” and other technological tools for managing corporate sustainability. HP, for example, examined its operations, supply chain, and product portfolio to gauge its end-to-end carbon footprint. This assessment involved an organization-wide effort that required expertise and feedback from senior management, information technology departments, and operations departments, which was then used to determine the company’s baseline performance, set sustainability goals, and collaborate with organizational units on initiatives to reach those goals. For Hewlett-Packard, the relationship with supply chain managers was especially important, as the company sought to develop products whose production consumes fewer resources—such as power or water—and generates less waste—such as greenhouse gas emissions. In addition, Hewlett-Packard signed a power purchase agreement with SunEdison, the world’s largest renewable development company, to provide wind-generated electricity to its 1.5 million square-foot data center in Texas. Hewlett-Packard originally set a deadline of 2020 for reducing its greenhouse gas emissions by 20 percent of 2010 levels; however, the SunEdison agreement will enable HP to realize that goal by the end of the 2015 fiscal year.
Hurst succinctly summarized HP’s rationale for its sustainability and social innovation initiatives: the benefits of these initiatives for the company’s reputation and employee engagement, combined with new opportunities for profitable growth, collectively have the potential to produce major gains for HP.
In the second keynote address of the afternoon, Mark Silva, founder and CEO of KITE, spoke on innovation partnerships and described them as a gateway to investments, mergers, and acquisitions. Many companies at the forefront of innovation begin as small start-ups. While these businesses may initially be viewed as competitors with larger corporations, pursuing partnerships can be a mutually beneficial arrangement that allows established companies to embrace the latest wave of innovative ideas, provides start-ups with quick access to infrastructure and resources, and empowers both organizations to unlock growth opportunities. For example, the management team behind Sphero, a toy robot that can be controlled via smartphone or tablet devices, participated in a mentorship program offered by The Walt Disney Co., which subsequently used Sphero’s technology to create a robot featured in its Star Wars franchise. Through this partnership, the Sphero team has realized growth and greater exposure; and by providing a forum in which entrepreneurs can test their ideas, Disney continues to stay abreast of the latest innovations and trends. Other established companies, including Nike and Unilever, have similar brand accelerator programs to rally resources, invest in learning, and develop new capabilities.
Subsequent presentations and panel discussions generated the following key takeaways for board members:
Keep disruptive forces on the agenda. Trends and events that could potentially overturn the company’s business model should be routinely discussed at board meetings so that directors are always aware of and up to date on how management is approaching risks and realizing opportunities. Being proactive and thinking ahead about how to manage disruptors also promotes resiliency when a company faces a crisis. Boardroom discussions should address how the organization can diversify its supply chain so that the success of the business is not dependent on a single link in the chain in order to maintain production. For example, the board might ask management to consider how environmental changes—such as prolonged droughts or severe weather patterns—might lead to new business norms, and to plan how the company will adapt and stay competitive. Panelists agreed that boards need to “ask for the data”: What questions are customers and suppliers posing? What factors are driving their business decisions? What are, or could be, the game-changers in the company’s industry?
Clarify the payoff. Directors should ask management to demonstrate how responses to disruptive trends will impact the company’s bottom line. Nathan Hurst illustrated this point with an example from Wal-Mart, which has worked with several of its suppliers to reduce waste and costs. Noting the high water content of its liquid laundry detergents, the retailer joined forces with Procter & Gamble, Unilever, and Church & Dwight to create “double-concentrated” detergent, a product that delivered the same washing power as the old formula in just half the volume. Because of the double-concentrated formula’s reduced water content, manufacturers could pack the product in smaller plastic bottles. The new product size allowed more bottles of detergent to be packed onto trucks and store shelves, while its lighter weight resulted in lower transportation costs.
Companies can also consider incorporating sustainability metrics into executive compensation plans. Some companies will not embrace sustainability unless it entails demonstrable cost savings or a failure to address environmental impact will cause the company to lose ground to competitors. But, as the Hewlett-Packard and Wal-Mart initiatives illustrate, focusing on sustainability offers a way to drive more efficient business practices, which in turn allows management to make better-informed and more effective decisions.
Furthermore, sustainability reporting can foster positive relationships with both shareholders and the general public. According to an analysis by Gibson Dunn, shareholder proposals on environmental issues—specifically those concerning climate change and greenhouse gas emissions—are among the most frequently submitted types of proposals. NACD’s Oversight of Corporate Sustainability Activities handbook advises that directors should understand how the company has chosen to define sustainability in the context of its strategy, and the board should be comfortable with management’s decisions about how the company communicates sustainability information within the organization and to shareholders. Reporting not only demonstrates the company’s culture and character; it can also give it a competitive edge.
Examine board composition. Another example raised in the panel discussions was that of Encyclopædia Britannica Inc., which had a board composed of bookbinders who, by virtue of their profession, were disinclined to embrace digital innovation. The advent of Internet-based rivals, such as Wikipedia, quickly made the company’s business model and flagship product obsolete.
The board should analyze the company’s current and future business models to see how well the criteria for director selection correspond to those models. Maintaining a balance between tenured directors, who have invaluable insights into the company, and newer directors can present challenges when that new talent pushes against the status quo, which in turn can lead to culture clash within the board. Since culture, by definition, functions to preserve the status quo, it can make or break innovation. By bringing in outside perspectives and people who will question it, the board can keep the company moving forward.