Fact: we live in a world of data. Today, nearly every strategic decision is fortified by metrics and dashboards, analyzing the projected outcome to the smallest degree. This is equally true at NACD, where our annual governance surveys—public, private, and nonprofit—underlie nearly every aspect of the organization’s activity. From publications and presentations, to peer exchanges, and our annual Board Leadership Conference, data collected from the thousands of respondents informs the sessions, forums, topics, and future events. Beyond the boardroom, the trends, statistics, and perspectives captured in these surveys provide those in the C-suite, investors, and stakeholders with crucial information on the current state of corporate governance in the United States.
In the regulatory sphere, we use survey data to inform our comment letters and in-person testimony on behalf of boardrooms to regulators and lawmakers. For instance, survey responses from NACD’s membership strengthened CEO Ken Daly’s comments to the Public Company Accounting Oversight Board (PCAOB) regarding proposed mandatory audit firm rotation, and the recommended alternative of a widely supported rigorous evaluation process. The PCAOB’s initiative on audit firm rotation is now “paused.”
NACD’s three annual governance surveys can help fuel your board’s process in benchmarking with respect to peers and leading practices. Whether you use a general report, or commission an NACD Custom Benchmarking Report, data broken down by industry, size, or both serves as an excellent starting point for boardroom discussions.
NACD is dedicated to providing directors with timely and pertinent content, but we need your input. As a thank you for participating in these surveys, NACD will send each participant a free electronic copy of the final report for each survey he or she takes. In fact, each survey respondent is entered to win a one-year NACD Individual Director Membership, or an opportunity to extend NACD membership. We thank you in advance for your participation.
It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begins the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.
Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.
Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. In a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.
At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.
Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead a “death of one thousand cuts”—a slow creep of proprietary information.
Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “what forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.
Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.
On May 23, NACD announced the election of Dr. Reatha Clark King to chairman of our board of directors. While Reatha’s role as chair is new, her relationship with NACD goes back many years. She has been a member of NACD since 1993, an NACD director since 2005, and chaired the governance committee in recent years.
An unconventional path
Reatha’s directorship experience is extensive; she has served on the boards of ExxonMobil, Wells Fargo & Co., H.B. Fuller Co., Minnesota Mutual Insurance Co., and The Lenox Group—in addition to several nonprofit organizations. She has followed, however, what I would call an unconventional path to the boardroom. After earning undergraduate degrees in chemistry and math and later a PhD in chemistry from the University of Chicago, Reatha began her career in the sciences, working as a research chemist for the National Bureau of Standards, and then becoming a professor of chemistry and an academic dean at York College. After earning another degree—this time an MBA—she became the president of Metropolitan State University in Minnesota. Reatha was then tapped to head the General Mills Foundation, where she spent 14 years leading the company’s community initiatives. From there, she added the aforementioned board seats to her already impressive resume.
Preparing for 2020 and beyond
Looking ahead, Reatha’s experience in both the corporate arena and academia makes her particularly well-suited to guide NACD and its NACD Directorship 2020 initiative. NACD Directorship 2020 aims to help boards understand, define, and prepare for the emerging and evolving issues that will shape the future of directorship. It gives me great confidence that Reatha will be leading our organization as we prepare for 2020 and beyond.
I’m also honored that Barbara Franklin, who has led our board for the last four years, will continue to serve as a director until May 2014. Barbara has had a tremendous impact on NACD, overseeing our unprecedented membership growth during her tenure and helping us solidify our position as the authority on leading boardroom practices.
As I look at our excellent board of directors and management team, I am more confident than ever in NACD’s ability to deliver on our mission to advance exemplary board leadership.