I watched with interest as Senators Jack Reed (D-RI) and Susan Collins (R-ME) advanced bipartisan legislation that would require companies to disclose whether they have a director with cyber expertise on the board, and if not, why. Regardless of whether it passes, The Cybersecurity Disclosure Act of 2015 has apparently widened the door for shareholders and regulators to increase their pressure on boards and hold them more accountable for being proactive about understanding the company’s cybersecurity risk.
As someone who has witnessed the global cybersecurity battlefield at close range for over 14 years, I wholeheartedly agree that boards should increase their knowledge of cyber related risks and engage more proactively with the company’s strategy for mitigating them. Yet for boards to rise to Sen. Reed’s challenge that companies “have the capacity to protect investors and customers from cyber-related attacks,” it’s important to solve for the problem and not just the perception. Electing a cyber-expert to the board could certainly be helpful for companies. However, it may not be practical at this time. Nor does it solve for capacity.
No matter what risks they oversee, from financial to geopolitical, board members have an obligation to avail themselves of the right information to make informed decisions that safeguard shareholder value. This is no less true of cybersecurity risk. In order to empower an effective security program, the board should seek the right information and expertise on which to base its decisions about tolerance, investment, policy, and practice. That information includes, but is not limited to, a solid understanding of the threats, the results of a well-prepared cybersecurity risk assessment, and a roadmap that articulates desired outcomes and metrics for monitoring effectiveness.
Companies are trying to answer the questions: “How do we know if we’re making a reasonable and appropriate effort to mitigate these risks?” and “How do we measure and rationalize our security investment in the context of corporate strategy and risk tolerance?” I believe boards and their committees should oversee cyber risk much as the audit process oversees financial risk.
Seek a balanced view of Information Technology (IT) security and IT enablement. Give both sides adequate time on the boardroom agenda at each meeting. You’ll gain insights on how strategic initiatives add risk so they are addressed earlier with less disruption, but you’ll also have the added benefit of exploring how security can enable those initiatives.
Ask whether the cybersecurity program has early warning capabilities that reduce time-to-respond. And if not, ask when to expect them. The goal is resilience, not the elimination of risk. Defense is not the endgame. The goal is to reduce the time it takes to detect and respond to the threats targeting your company’s digital assets. Early response is the cornerstone of mitigating risk and damage. Boards should ask if there is a one to three year roadmap for achieving an early warning system that increases visibility and applies threat intelligence to existing solutions, at a minimum, for a more proactive security posture.
Be sure that specific “point solutions” are not confused with the company’s cybersecurity strategy. New technology solutions may be necessary, but being resilient against the threats will depend on how those solutions are integrated, managed and governed as a whole. Ask your cybersecurity officer “what are the desired outcomes?” and “what is the roadmap for getting there?” It’s better to crawl-walk-run toward a well-integrated, manageable program than to jump at every new solution. It’s not about how many “boxes” are deployed to stop the adversary. It’s about how well you’re organized for the fight.
Seek the right threat and risk monitoring dashboard. Security officers with a proactive security program in place should be able to answer: “Are there threat actors in our systems now?” If the answer is no, “How can we be sure?” If the answer is yes, “How do we know they’re there?” Another important metric to monitor is how well the company is improving its “time to respond” to incidents.
And finally, seek third party input and intelligence to aid informed decision-making. Cybersecurity risk is asymmetric, so any security program that provides early warning is going to need threat insights beyond a company’s own experience to date. The right security expertise can help you identify your most likely threats based on global threat intelligence gathered from outside the company’s own limited experience. A third party can also help your security team assess the effectiveness of its current posture against those real-world threats by simulating the attacks. With capabilities in place to anticipate the real threats and prioritize effort, you can greatly expand the security program’s capacity and effectiveness.
It’s inevitable that more and more board members will come to the table with a working knowledge of IT enablement and IT security over time. But for now, boards can take a more proactive and knowledgeable stance by: seeking equal input from IT security and IT enablement leaders; leveraging third party threat intelligence and expertise; and monitoring the company’s progress toward a stronger security posture with “early warning” capabilities that mitigate risk with faster response. These measures go beyond the appearance of “prioritizing” cybersecurity. They add up to tangible improvements in risk mitigation on behalf of all the company’s stakeholders.
Mike Cote is CEO of SecureWorks, a global cybersecurity services firm that provides an early warning system for evolving cyber threats, enabling organizations to prevent, detect, rapidly respond to and predict cyberattacks. SecureWorks minimizes risk and delivers actionable, intelligence-driven security solutions for more than 4,200 clients in 59 countries.
CEO succession planning is one of a board’s most important responsibilities. However, many companies are unprepared for communicating executive transitions. A recent survey of senior-level corporate executives published by AlixPartners shows that about 50 percent of respondents felt their companies were unprepared for CEO succession, either because the company hadn’t identified possible successors or hadn’t sufficiently trained candidates for the top job.
Communications strategy is an integral part of CEO succession preparedness. Executive transitions can unfold quickly, demanding decisive action in developing the proper message and coordinating communications strategy both internally and externally. When thinking about a possible transition announcement, there are several foundational elements for successfully positioning a senior executive change.
Why is the CEO leaving?
There are a handful of standard reasons a company gives for an executive’s departure. Whether a CEO retires, steps down, is terminated, decides to spend more time with family, or pursues new opportunities, companies must present a clear rationale for the departure. Given nuances in language that could imply the motivations of the executive and company, word choice is especially important. Transitions that appear confusing, mysterious, or acrimonious will spook investors or stoke speculation.
In the age of investor activism, boards look for opportunities to demonstrate they will take action when a CEO is viewed as underperforming. This may lead to a press release that does not shower the outgoing executive with praise, therefore signaling a less-than-favorable view of the executive. Or the announcement may state the departure is by “mutual decision,” again a clear signal. Communicating CEO departure is a delicate balancing act.
When is the right time to communicate about a succession?
CEO transition announcements generally take financial markets by surprise and create immediate concern. As a result, some companies have found ways to prepare advance messaging for a planned transition to precondition the market to a future change.
For example, Kinder Morgan made a quick reference to a future CEO transition in its comments at an investor conference before an established timeline or formal announcement had been made. In another example, when dealing with a series of executive changes over the course of 15 months, Mack-Cali Realty Corp. issued an update about its executive search process six months after the CEO stepped down. Ultimately, the company named its new CEO, COO and president, CFO, and chief legal officer and secretary in one release. It should be noted that Mack-Cali’s case is unusual; in proprietary research, Edelman found the majority of companies identify a successor in the initial transition announcement. However, companies stand to learn from Mack-Cali’s and Kinder Morgan’s inventive approaches to communicating succession plans.
Who gets quoted in the release?
The presence of executive quotes in the release about their departure is another important signal of behind-the-scenes dynamics. If the outgoing CEO is quoted, this suggests some deference to that individual, especially if their quote comes first. If the chair or lead director praises the outgoing CEO in their quote, that again sends a message. However, if the chair makes a statement along the lines of “It’s time to take the company to the next level,” dissatisfaction with current leadership may be signaled to the audience, despite other symbolic cues in the announcement.
What’s the appropriate way to share the announcement?
CEO transition press releases tend to be brief, typically under 150 words. In addition to announcing via newswire, companies will notify their internal audiences directly at the time of the company’s external news announcement, and, if applicable, will also publish the news via their owned media channels (as Reddit and Twitter have done). Failure to get ahead of the news can make a company the target of speculation, as was the case with Procter & Gamble (P&G) when the Wall Street Journal reported a likely scenario for P&G’s leadership transition based on analyst sources.
Employees should be briefed at the same time as the company’s news announcement, so that employees learn about the leadership change and plans for the company’s future from the source and not via the press.
How can companies leverage the media?
CEO transitions typically raise many questions with internal and external audiences, and the media is often quick to report on perceived corporate instability. Companies should consider a proactive strategy to ensure their messages around a leadership transition are understood and conveyed in the first wave of media coverage. A common strategy is to pre-brief a trusted reporter or two to secure a more holistic or accurate story at the outset of the announcement, with an embargo time established to coincide with the press release timeline. Another option is to hold a post-announcement briefing with reporters to provide greater context and answer questions.
How can companies mitigate concerns about financial performance?
The first likely question from the investment community when a company announces a CEO transition is “Does this mean the company will underperform projections?” Companies should consider reaffirmation of their financial guidance if possible at the time of the announcement. Another approach is to package the CEO succession announcement with a quarterly earnings announcement. This approach allows the company to simultaneously address any questions or concerns about financial performance.
As boards develop their transition plans, they will be best prepared for changes at the top of the organization by considering their communications approach as early in the process as possible. During transition planning, communications staff can develop materials to guide executives through a successfully executed exit process that establishes a positive narrative for both the outgoing and incoming CEO alike.
Lisa Schultz McGann is a senior account supervisor in the Financial Communications and Capital Markets practice at Edelman, the largest PR firm in the world.
North Carolina State University’s Enterprise Risk Management Initiative and Protiviti have completed their latest survey of C-level executives and directors regarding the macroeconomic, strategic, and operational risks their organizations face. More than 500 board members and C-level executives participated in this year’s study. Noting some common themes, we’ve ranked the risks in order of priority on an overall basis below. Last year’s rankings are included in parentheses:
No. 1 (previously No. 1)—Regulatory changes and scrutiny may increase, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. This risk has been ranked at the top in each of the surveys we’ve conducted over the past four years, and is the top risk in many industry groups. The cost of regulation and its impact on business models remain high in many industries.
No. 2 (previously No. 2)—Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. Declining oil and gas prices, equity markets, and commodity prices, in general, have contributed to economic uncertainty. Short-termism is a concern as business investment has yet to catch up with pre-financial crisis levels. A new normal may be unfolding as businesses adapt their operations to an environment of slower organic growth.
No. 3 (previously No. 3)—The organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt core operations and/or damage its brand. This risk continues to be an issue of escalating concern. The harsh glare of the public spotlight on high-profile breaches at major retailers, global financial institutions and other organizations has led executives and directors to realize it is most likely not a matter of if a cyber risk event might occur, but when.
No. 4 (previously No. 4)—Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. As roundtables facilitated by the National Association of Corporate Directors and Protiviti in 2015 indicated, directors understand that talent strategy is inextricably tied to overall business strategy. Companies need talented people with the requisite knowledge, skills, and core values to execute challenging growth and innovation strategies.
No. 5 (previously No. 7)—Privacy, identity, and information security risks may not be addressed with sufficient resources. The technological complexities giving rise to cybersecurity threats also spawn increased privacy/identity and other information security risks. As the digital world enables individuals to connect and share information, it presents more opportunities for companies to lose sensitive customer and private information, in effect, creating a “moving target” for companies to manage.
No. 6 (previously No. 11)—Rapid speed of disruptive innovations and/or new technologies within the industry may outpace the organization’s ability to compete and/or manage the risk appropriately, without making significant changes to the business model. Innovation can be disruptive if it improves the customer experience in ways that the market does not expect, typically by lowering the price significantly, or by designing a product or service that transforms the way in which the consumer’s needs are fulfilled. Whereas disruptive innovations may have once taken a decade or more to transform an industry, the elapsed time frame is compressing significantly, leaving very little time for reaction. Sustaining a business model in the face of digitally enabled competition requires constant innovation to stay ahead of the change curve.
No. 7 (previously No. 6)—Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. Positioning the organization as agile, adaptive, and resilient in the face of change is top-of-mind for many executives and directors. It’s a smart move. Early movers that exploit market opportunities and respond to emerging risks are more likely to survive and prosper in a rapidly changing environment.
No. 8 (previously No. 17)—Anticipated volatility in global financial markets and currencies may create significant, challenging issues for an organization to address. There are many forces at work that intensify this risk, e.g., high asset prices, slowing global growth, China’s approach to foreign exchange, declining commodity prices, uncertainty associated with central bank policies, and less confidence in policymakers’ ability to respond to market issues quickly and effectively.
No. 9 (previously No. 5)—The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues. The collective impact of the tone at the top, tone in the middle and tone at the bottom on risk management, compliance and responsible business behavior has a huge effect on timely escalation of risk issues to the people who matter. This is a cultural issue requiring constant attention by management and oversight by the board.
No. 10 (previously No. 9)—Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base. Disruptive innovations and the rapid pace of change continue to drive significant changes in the marketplace. Customer preferences are subject to rapid shifts, making it difficult to retain customers in an environment of slower growth. Sustaining customer loyalty and retention is a high priority for customer-focused organizations because senior executives know that preserving customer loyalty is more cost-effective than acquiring new customers.
A board of directors may want to consider the above risks in evaluating its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If the company has not identified these issues as risks, directors should consider asking why not.
Jim DeLoach is a managing director with Protiviti, a global consulting firm.