“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.
Michael Uslan has been many things: a lawyer, a professor, an executive producer, and—most recently—a global media mogul; but he identifies most closely with the moniker that became the title of his 2011 memoir: The Boy Who Loved Batman. During an interview at the 2015 NACD Global Board Leaders’ Summit, Uslan reflected on his experience in media—ranging from Hollywood as a case study on how to think about competition to the danger of losing sight of the story to the rise of China as an indispensable partner in long-term strategic growth. In the process, he shared valuable insights that apply across industries.
A self-described “comic-book geek” even before he could read, by the time Uslan graduated from high school, he had amassed a collection of more than 30,000 issues. “They were stacked floor to ceiling in our garage,” he recalls. “My dad never could get a car in there.” While Uslan would read almost any superhero rag within reach, he developed an early and enduring love for the caped crusader. That love drove him, at age 28, to buy the rights to the Batman franchise. He was able to purchase them for a song, even as the president of DC Comics tried to talk Uslan out of the deal, telling him that Batman was “as dead as a dodo.” Uslan was undeterred. He believed in the potential of showing a darker, more human side of Batman, to say nothing of the revenue the franchise could generate in ancillary toy, comic book, video game, and other product sales.
Armed with what he saw as a self-evident blockbuster idea, Uslan made the rounds of the Hollywood studios. He was rejected at every turn. “I was told I was crazy. They told me it was the worst idea they had ever heard.” In fact, it took 10 years to get the first film, 1989’s Batman, greenlighted; but that break gave Uslan the chance to launch, almost single-handedly, a franchise that has achieved No. 1 box-office rankings and grossed billions of dollars worldwide.
Uslan’s experience is reminiscent of other cases in which visionary concepts were initially pooh-poohed by power brokers and industry leaders who couldn’t believe that customers would respond to something different from the status quo. Consider these two examples, cited by speakers at last year’s NACD annual meeting: John Backus, co-founder and managing partner for New Atlantic Ventures, described his company’s failure to foresee the transformative power of the World Wide Web: “I ran an Internet banking company. We were focused on the phone in the home. We missed the Internet. We missed the Internet because we had our blinders on.” Scott Kupor, managing director at Andreessen Horowitz, summed up how his company missed the boat on AirBnB: “When we first saw it, we thought, ‘This is crazy.’ We made the cardinal mistake in venture capital that I hope we never make again, which is we thought about [the proposal] in the context of our own frame of mind and what we thought was appropriate…. [W]e viewed it through the lens of our current biases.”
Digital Disruption Fuels the Rise of Techtainment
Hollywood is notoriously insular. A colleague who is both a corporate director and a veteran of the studio system once observed, “They have a model that locks others out, but the problem when you lock others out is that you lock yourself in.” Uslan noted that Hollywood is making fewer and fewer movies. As revenue models contract to a handful of familiar formulas, it becomes harder to make groundbreaking films like 1989’s Batman and the hits that followed it. None other than Steven Spielberg and George Lucas famously predicted the implosion of the U.S. film industry in a 2013 lecture at USC’s film school, citing as its principal cause the big studios’ collective fear of straying from the tried and true.
At the same time, Hollywood is facing increased competition from indie upstarts, much of it attributable to the studios themselves for underestimating the importance of mobile technology and innovative delivery systems for their products. The fate of distribution outlets like Blockbuster is already the stuff of b-school case-study legend, while major cable networks and big studios are fighting to stay relevant in a creative space that is now being rapidly colonized by newcomers like Amazon Studios, Netflix, and Hulu.
“It’s a new world,” Uslan observed, “and it’s changing so fast.… Netflix, Amazon, Google, Yahoo, Microsoft—these are the names that are becoming more and more prominent; as you look to the future, they may be the names that compete with or even supplant the names of the studios and networks we know today. Add to that rapid changes in technology [that enable filmmakers] to get their products directly to the individual consumers—whether they want to see it on a big screen, on their wristwatch, in their glasses, or maybe one day projected on the moon.”
Uslan also cautioned against becoming so enamored with a product that a company loses sight of its overarching value proposition. He cited both the decline in box-office revenues and in the target age of audience members, which has dipped to 25 years old. Couple that with the aforementioned fear of innovation, and Uslan sees a clear connection. “I always say there are 10 great rules to making a great movie,” he said: “No. 1, story; No. 2, story; 3, story; 4, story; 5, characters; 6, characters; 7, characters; 8, story; 9, story; 10, story. And as long as they remember that, we’re great. If instead they become enamored of these toys, these special effects, and just want to top the person who came before them, then you wind up with shoot-’em-up–blow-’em-ups that are unsatisfying to anyone over the age of 18.” Substitute the phrases “value proposition” and “corporate mission” for the words character and story in Uslan’s rules, and you have a prescient lesson for every company.
Beyond Borders: The New Hollywood
Discussion of disruption wasn’t limited to technology. Uslan’s message for the director audience: “China, China, and China.” The Asian continent is home to 1.5 billion new media consumers, and by 2018, China will surpass the U.S. as the largest film market in the world. When that happens, decision-making will move from Hollywood to Beijing and Shanghai, generating seismic aftershocks in the way that media is created and consumed. It comes as no surprise then that Uslan is looking to that region of the world for much of his future business. Last month he inked a large deal with one of China’s leading production companies, Huace, and just this week announced a deal with Huayi Brothers Media to launch a film and TV franchise based on the “Thunder Agents” comic book series. “The sleeping giant has awakened,” Uslan says of China and cautions that success in the region hinges on building both relationships and true cultural understanding.
“We have spent the past two years going to China, having a presence there, developing relationships, nurturing friendships, building trust—investing two years before we sat down to make deals—and that I think has been one of the most important aspects of what we’re doing and how we’re approaching it,” Uslan observed. “We are looking for true partners; we want full, 50/50 partnership; we want you sitting at the table with us; we want you engaged with us; and we want you to make us understand what is authentic to China, what is culturally sensitive to China, so that it’s not just our Westerner’s imposition,” he continued.
When asked about the Chinese consumer base, Uslan shared perhaps his biggest surprise to date—the success of a decidedly American superhero movie. “I have been absolutely amazed…. Consider this in the last year: the movie Captain America played well in China. Captain America! Dressed in a red, white, and blue American flag, solving everyone’s problems—culturally that was amazing to me and a real eye opener.… The Chinese are open to American culture and world culture, and we must be open to theirs as well,” he said. “That is the only way this is going to work.”
Uslan shared similar observations about working with Chinese executives. “What I love about the business culture in China is that it’s very close to ours,” he said, “I worked for a number of years in Japan, and I have to tell you that in all the meetings I had in Japan, there was never one situation where there was a female executive at any of the meetings I attended. In China, it’s probably 50 percent, and it’s a very comfortable feeling working with them; and they are open to learning and sharing on that level. Our relationship has been one truly built on friendship and, hopefully, trust going forward.”
Uslan summed up his observations with a challenge to the audience—stay curious, move outside your comfort zones, and be willing to re-imagine what’s possible: “Things are changing so fast now—if you don’t do that, the risk of your becoming irrelevant is very high.”
Front and center for boards and senior management is the call to align the company’s day-to-day activities with long-term value creation, said Bill McCracken, co-chair of the NACD Blue Ribbon Commission (BRC) that produced the newly-released report on The Board and Long-Term Value Creation. McCracken, who is also a director of NACD and the MDU Resources Group, president of Executive Consulting Group, and the former CEO of CA Technologies, co-chaired the commission with Dr. Karen Horn, director of Eli Lilly & Co., Norfolk Southern Corp., and T. Rowe Price Mutual Funds, and vice chair of the NACD board.
What’s the first step for boards in creating long-term value? “Draw a clear line between the daily objectives and long-term strategy,” said McCracken. “Ask, ‘Have we done a good job articulating that? Do investors buy into the strategy? And does the company have the capabilities it needs to execute that strategy?’”
Dona D. Young—chair of the nominating and governance committee for Foot Locker Inc. and a director of Aegon N.V. and Save the Children—served as moderator for a panel that also included Margaret M. Foran, a director at Occidental Petroleum and the chief governance officer, vice president, and corporate secretary of Prudential Financial; and Brian L. Schorr, partner and chief legal officer of Trian Fund Management LP, director of the Bronx High School of Science Endowment Fund, and a trustee of the New York University School of Law. Young and Foran were both BRC Commissioners in 2015; Schorr was a member of the 2014 BRC, which focused on the board’s role in strategy development.
The panel discussion amplified four key findings from this report:
Make short-term goals the building blocks of long-term strategy.
“It’s clear that short-term is not at odds with long-term,” Young said. “How do we integrate that concept in our companies?”
Panelists agreed that directors should determine how to break down long-term goals into measureable short-term milestones at the quarterly, half-year, and annual marks. As Schorr noted, “performance can’t be back-loaded: if a company consistently misses those short-term marks year-after-year, shareholders will question the integrity of the long-term goal you’re moving toward.” Among the BRC report’s tools for directors are examples of long-term-oriented performance metrics in nine different categories.
Directors also need to test the organization’s alignment between short-term metrics and long-term strategy with actual performance. Start off with your premise—or the long-term goal your organization is moving toward—and conduct historical look-backs on a regular basis, Foran said. “Were we right about our predictions? Did we reward the right things?”
Independent inquiry is not optional.
In order to be effective at setting those long-term goals and their relevant short-term milestones, directors must be knowledgeable about both the company and industry.
“We have to do our own homework and not rely solely on management [for information],” Young said. “How do board members engage in independent inquiry without making management feel like we don’t trust them?”
Directors should be reading press releases and analyst reports—not only those issued by their own company but also those of peers and competitors within the industry—to get a sense of what the trends are, Foran said. Trade publications and conferences are other key sources of data.
Schorr described an approach he himself uses: “At Trian, we focus on the income statement. We look at indicators such as EPS growth and EBITDA margins—do we see underperformance relative to what we believe is the company’s potential? Balance-sheet activists look for signs of excess cash, lower leverage ratios, or dividend payout ratios that are out of balance. We ask why. There may be a perfectly good reason; it’s just not well-articulated by management.”
Conduct regular individual-director evaluations.
McCracken highlighted the report’s recommendation on the need for long-term succession planning. When considering your company’s board composition, ask whether you have the capabilities and talent that will be needed to guide the company toward future goals, he said.
“We do strenuous 360-degree evaluations with management,” McCracken noted. “Why can’t we hold ourselves, as board members, to the same standard?” And since board members are peers, it is helpful to have a third party conduct the assessments. Young shared an example from her own experience in which individual director evaluations were truly 360-degree, incorporating input from senior management: “It was tremendously enlightening, really eye-opening.”
Be prepared to engage with shareholders.
The importance of regularly scheduled meetings with shareholders cannot be overestimated. “Don’t just wait for a problem to arise,” Shorr advised, noting that information exchange is a two-way street. The board should also have ways to gather unfiltered information about shareholders’ priorities and concerns.
McCracken emphasized this point: “In today’s world, board members need to talk to shareholders. Regulation FD is a non-issue, a red herring, and directors can’t use it as an excuse.” The BRC report provides detailed guidance that directors can use to prepare for shareholder meetings.
The BRC Report on the Board and Long-Term Value Creation is a natural extension of last year’s BRC report, which recommended that directors get involved in strategy decisions early on and remain involved with them, Schorr said. Doing so can help push management toward goals that promote long-term value creation with links to interim performance milestones that are clear to shareholders. “It’s more than understanding and doing defensive analysis. It’s getting into the boardroom and doing a lot of the things activists are doing,” Schorr said.
Moderator Young summarized the report’s significance this way: “This report helps directors to take a systems approach to engaging with management on strategy and driving value creation.”
This timely publication is the NACD’s twenty-second BRC report and represents the thought leadership of more than 20 eminent directors and trailblazers in business and government. Distributed to attendees of the GBLS and available to NACD members at www.nacdonline.org/value, the report contains the following practical guidance for the directors and boards of public, private, and nonprofit organizations:
Ten recommendations on the board’s role in driving long-term value creation
Eleven red flags that indicate a lack of alignment between short-term goals and long-term strategy
Specific steps directors can take regarding CEO selection and evaluation, capital allocation, and other elements related to long-term value creation
Eight appendices that offer detailed insights and practical boardroom tools