Speaking at NACD was a highlight of my year, as the audience was forward-thinking, eager to learn, and willing to grapple with tough questions in order to reach good answers. The discussions after my talk were almost as much fun as the talk itself, and there was significant appetite for a reference sheet to some of the bigger ideas I’d outlined. I hope that the summary pulled together here will prove helpful, and I welcome remarks, insights, or questions about any of it!
Disruptive trends in technology, culture, and business are converging. That convergence is an opportunity for businesses that recognize how to proceed.
Code: Technology is cheaper, faster, and better than ever before.
From software toolkits to education outlets, cloud computing to open-source big-data structures, there have never been so many ways for a motivated player to exert so much leverage so rapidly. Competitive advantages and resources that once belonged exclusively to large companies are increasingly not just accessible but freely available. In many cases, these platforms even invert such advantages—meaning that individuals who are part of porous, open groups are able to deploy better solutions faster than corporate counterparts by leveraging their communities. And all at low to no cost.
President Obama’s first campaign for the White House is a prime example of this phenomenon: he hired data specialists who used a simple method to computationally test different versions of his website in order to see which ones were generating more donations. Using this approach, he exceeded his projections by an additional 4 million e-mail addresses, a click-through rate of 140 percent, and $75 million more than was expected.
Culture: Transparency, meritocracy, and a willingness to disrupt anything characterize the new technology (and business) marketplace.
The age of playing by the rules—any rules—has largely gone by the wayside. When it’s possible to conduct corporate inversion online in under 20 minutes using a digital toolkit provided by a foreign nation state, it’s clear the playing field has changed. This is exactly what Estonia’s new “E-Estonia” initiative—which grants corporations a type of citizenship supported by cryptographically backed authentication—has been accused of enabling.
The people developing new solutions and creating new technologies take for granted an entirely different set of social (and moral) norms, which have no respect for the way your business is currently structured.
Competition: An exploding black market and a global tipping point that will occur when the remaining two-thirds of the planet come online over the next five years herald an incipient tidal wave of strange new competitors.
If you think the Internet has been disruptive during the past 20 years, you haven’t seen anything yet. The motivations and expectations of people completely new to technology differ from those of people who have already internalized it. Much like the toddler who doesn’t know what to do with a computer mouse and thinks a computer screen is broken when he can’t swipe it, new users of innovative technologies will have different expectations for what your company should provide. When you mix in a booming black market and a surging cascade of disruptive technologies—everything from drones to 3-D printing to dial-your-own genomics—you have a strange new world indeed…and one coming at you very, very quickly.
ACTION ITEMS: There’s good news in all this. You can compete just as well—if not better—by recognizing that the game has changed and adapting to the new rules.
1) Experiment, experiment, experiment.
It’s faster, cheaper, and easier than ever before to invent, test, and iterate. It’s what your competitors (and they are legion) are doing—especially the outlier startups that you so fear will flip your market as Uber did the medallion cab industry’s. The good news? You can do exactly the same thing. Even better, once you do, you already have a supply chain, established market, and deep resources to drive these new industries ahead of smaller first-time players.
What to ask your senior management: How are you implementing more agile and iterative development methodologies, and why?
2) Systematize culture change.
Empower your employees to act on your behalf. Legitimize risk. Reward insight. While this strategy looks good on paper, it is nearly impossible to execute, especially in highly efficient, competitive, and well-established organizations. Do it anyway, and you will find yourself at the helm of one of the most powerful entities in today’s market: A company that effectively innovates as a matter of course and knows how to build businesses and deploy products accordingly.
What to ask your senior management: How are we empowering our employees, at every level, to change the way our company operates? What evidence are we measuring that indicates this strategy is working?
3) Risk everything.
All business is about risk. But many companies have lost sight of the fact that this means not just mitigating risk but also embracing it. The emergence of new technology is confronting every industry with massive shifts that entail plenty of risk in the most negative sense. But the opposite is equally true, and it’s only by seizing the opportunities this time of change represents that you’ll emerge victorious. And who knows…you might even make the world a better place while you’re doing it.
What to ask your senior management: If you had to increase revenue by 25 percent this quarter, what would you try? Why aren’t we trying that?
I live every day in the future, metabolizing the new technologies that are slipping over our event horizon and into daily life. It’s a scary place to be, but it’s also one that offers boundless hope. Times of change are enormous opportunities for advancement. Those of us who experiment voraciously, learn quickly, and adapt effectively will chart the course for how human commerce unfolds over the next two decades. Our way will become the “new normal” and possibly set standards that will shape lives for generations to come. It’s not a time without risk, but it’s also a chance to change the world. What more could you want?
Josh Klein advises, writes, and hacks systems. He wants to know what you think.
“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.
Now in its third year, NACD’s Directorship 2020® takes an investigative look at the trends and disruptors that will shape boardrooms agendas of the future. This initiative is designed to raise directors’ awareness of these complex emerging issues and enable them to provide effective guidance to management teams as they navigate the associated risks and opportunities. The inaugural 2015 session was held on March 3 at the Grand Hyatt Hotel in New York City, where subject-matter experts from Broadridge, KPMG, Marsh & McLennan Cos., and PwC and corporate leaders explored the boardroom implications of geopolitical and economic disruption.
Illustrating the boardroom perspective on the impacts of economic and geopolitical disruption on corporate strategy.
In his remarks on economic disruption, Peterson Institute for International Economics Visiting Fellow and International Capital Strategies Executive Chair Douglas Rediker examined the changing face of global competitive markets. Governments around the world are increasingly involved in market activities and are more likely to champion domestic businesses or businesses based in countries with which they have trade agreements. This situation creates a business environment in which companies seeking to expand must assess a foreign country’s protected business sectors in order to fully evaluate the endemic risks and opportunities.
Taking a geopolitical perspective, UBS Executive Director and Head of U.S. Country Risk Dan A. Alamariu considered the ripple effects of government regulation, using a case example of the sanctions recently imposed by the US and EU on Russia. Though these measures did diminish the buying power of the ruble, the sanctions also hurt Western companies operating in Russia because consumers could no longer afford to purchase foreign goods. He cited other examples as well. In its efforts to recover from the financial crisis, the Chinese government has recently implemented a number of economic reforms. While these reforms may succeed in re-establishing China as an “engine of growth,” the infighting that they have triggered among political elites could ultimately dampen growth and set the country on an uncertain course. Closer to home, persistent gridlock in the US government is preventing needed progress on issues critical to the business community, such as tax policy and infrastructure.
Both speakers alluded to the fact that as countries become more divided and inwardly focused—both internally and with respect to international relations—developing collective approaches to major transnational issues such as climate change and cyberattacks will become more challenging. Companies will therefore need to devise their own strategies for addressing these challenges.
Economic and geopolitical disruptors are inextricably linked, and the three main takeaways from both sessions are as follows:
Embrace risk—you may discover opportunities. Directors need to start thinking like emerging markets investors. In other words, they should get comfortable working in a business environment that is volatile and unpredictable. This breed of investor has historically been focused on domestic, regional, and international political and economic risks. Because technology has created a world that is deeply interconnected, investors must proactively cultivate an understanding of geo-economic risks. By extension, it is also important to recognize technology as a major disruptive force that will continue to impact companies across all sectors. For example, tablet devices have completely changed not only how people communicate and access multimedia content but also how companies conduct business. By embracing disruptive technology, companies can in turn create the caliber of differentiated products that will transform the marketplace.
Be prepared. This ageless scouting motto is especially relevant to anyone managing or overseeing a company. Businesses the world over are more interconnected than ever before, which forces companies to compete across national borders and exposes them to international political and economic risks. Boards need to consider the ultimate “black swan” events that could affect their companies. By extension, directors need to be mathematically literate—if they are not already. Black-swan events include natural disasters, such as Hurricane Sandy, which incapacitated businesses in our nation’s financial epicenter; political events, such as the outbreak of war; economic unpredictability; and technological innovation, which we have seen from the automobile to the iPad. Having a by-the-numbers plan for how the company could behave in specific scenarios will create a comprehensive understanding of the risks the business faces. Because it’s impossible to completely protect a company, it is essential to create resiliency. The board must therefore ensure that incident response plans are in place and must routinely test those response plans to confirm that they meet the company’s evolving needs.
Beware of “herd mentality.” Directors need to periodically review the current board composition; and if there are gaps in the board’s collective knowledge that may prevent it from assessing areas of risk, it may be in the board’s best interests to bring in a third-party expert to help inform boardroom discussions. This is especially true of cyber risk. Many boards are still struggling to comprehend the depth and breadth of these threats, and because it’s neither possible nor desirable for every board to have a cyber expert in their ranks, it is imperative to bring in outside sources to inform and educate directors and management.
Look for full coverage of this NACD Directorship 2020 session in the May/June 2015 issue of NACD Directorship magazine. For information on future events and recaps of past events, visit the NACD Directorship 2020 microsite.