Getting the Right Cybersecurity Metrics and Reports for Your Board

In the 2017–2018 NACD Public Company Governance Survey, 22 percent of corporate directors said they were either dissatisfied or very dissatisfied with the quality of cybersecurity information provided by management.

We’re not surprised. In most cases, management still reports on cybersecurity with imprecise scorecards like red-yellow-green “heat maps,” security “maturity ratings,” and highly technical data that are out of step with the metric-based reporting that is common for other enterprise reporting disciplines.

Boards deserve better. We recognize that cybersecurity is a relatively young discipline, compared to others under the umbrella of enterprise risk management (ERM). But it’s not a special snowflake. Management can and should deliver reports that are:

  • Transparent about performance, with economically-focused results based on easily understood methods.
  • Benchmarked, so directors can see metrics in context to peer companies or the industry.
  • Decision-oriented, so the board can provide oversight of management’s decisions, including resource allocation, security controls, and cyber insurance.

While that level of reporting may still be aspirational for some companies, directors can drive their organizations forward by asking the following five questions, and demanding answers backed by the sorts of metrics and reports that we suggest below.

Before we get to the questions, there’s an over-arching prerequisite for sensible reporting: Every key performance and risk indicator should be tracked against a target performance or risk appetite, respectively.

That means defining risk tolerances in an objective, clear, and measurable way—for instance, “our critical systems downtime should always be less than one percent”—so that an analyst’s gut feelings aren’t determining results.

1. What is the threat environment that we face?

The chief information security officer or chief risk officer should paint a picture of the threat environment (cybercriminals, nation-states, malicious insiders, etc.) that describes what’s going on globally, in our industry, and within the organization. Examples of good metrics and reports include:

  • Global cyber-related financial and data losses
  • New cyber breaches and lessons learned
  • Trends in ransomware, zero-day attacks, and new attack patterns
  • Cyber threat trends from ISACs (information sharing and analysis centers)

2. What is our cyber-risk profile as defined from the outside looking in?

Boards should get cyber-risk assessments from independent sources. Useful sources of information include:

  • Independent security ratings of the company, benchmarked against peers
  • Third-party and fourth-party risk indicators
  • Independent security assessments (e.g., external consultants and auditors)

3. What is our cyber-risk profile as defined by internal leadership?

Management should provide assessments with tangible performance and risk metrics on the company’s cybersecurity program, which may include:

  • NIST-based program maturity assessment
  • Compliance metrics on basic cyber hygiene (the five Ps): passwords, privileged access, patching, phishing, and penetration testing
  • Percentage of critical systems downtime and time to recover
  • Mean time to detect and remediate cyber breaches

4. What is our cyber-risk exposure in economic terms?

Based on the company’s cyber-risk profile, the central question is: What is the company’s potential loss?

In the past 30 years, we have seen that question answered in economic terms in each and every risk discipline in ERM: interest rate risk, market risk, credit risk, operational risk, and strategic risk. Now we need to address that question for cyber risk. This expectation can also be found in the U.S. Securities and Exchange Commission’s new guidance on cybersecurity disclosures and its focus on quantitative risk factors.

The Factor Analysis of Information Risk (FAIR) methodology is a widely-accepted standard for quantifying cyber value-at-risk. The FAIR model provides an analytical approach to quantify cyber-risk exposure and meet the heightened expectations of key stakeholders.

In the current environment, directors should demand more robust reporting on metrics such as:

  • Value of enterprise digital assets, especially the company’s crown jewels
  • Probability of occurrence and potential loss magnitude
  • Potential reputational damage and impact on shareholder value
  • Costs of developing and maintaining the cybersecurity program
  • Costs of compliance with regulatory requirements (e.g., the EU’s General Data Protection Regulation)
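As an added example (not from the article or from the FAIR standard itself), the following Python model shows how the FAIR inputs listed above, loss event frequency and loss magnitude, become an annualized loss expectancy and a 95th/99th-percentile cyber value-at-risk, and how that figure is then checked against the kind of objectively stated risk appetite the prerequisite section calls for. The scenario name and dollar values are constructed for illustration.

```python
# Added example (not from the article): a FAIR-style Monte Carlo model that
# turns loss event frequency (LEF) and loss magnitude into annualized loss
# expectancy (ALE) and a 95th/99th-percentile value-at-risk, then checks the
# result against a board-stated risk appetite. Scenario values are constructed.
import math
import random
from dataclasses import dataclass

Z90 = 1.2816  # standard-normal quantile for the 90th percentile


@dataclass
class Scenario:
    name: str
    lef_per_year: float   # loss event frequency: expected loss events per year
    loss_median: float    # median loss per event in USD (primary + secondary loss)
    loss_p90: float       # 90th-percentile loss per event in USD


def lognormal_params(median: float, p90: float) -> tuple[float, float]:
    """Convert a median / 90th-percentile estimate into lognormal (mu, sigma)."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Sample an event count from Poisson(lam) (Knuth's method; fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def analytic_ale(s: Scenario) -> float:
    """Closed-form ALE = LEF * E[loss per event] for a lognormal loss."""
    mu, sigma = lognormal_params(s.loss_median, s.loss_p90)
    return s.lef_per_year * math.exp(mu + sigma ** 2 / 2)


def simulate(s: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Simulate `years` independent years; return ALE and annual-loss percentiles."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.loss_median, s.loss_p90)
    annual = []
    for _ in range(years):
        events = poisson(rng, s.lef_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    annual.sort()
    pct = lambda q: annual[min(len(annual) - 1, int(q * len(annual)))]
    return {"ale": sum(annual) / years, "p95": pct(0.95), "p99": pct(0.99)}


def within_appetite(result: dict, appetite_usd: float) -> bool:
    """Appetite stated as: 95th-percentile annual loss must not exceed appetite_usd."""
    return result["p95"] <= appetite_usd


# Constructed scenario: ransomware against the ERP system (hypothetical figures).
RANSOMWARE = Scenario("ransomware on ERP", lef_per_year=0.5,
                      loss_median=2_000_000, loss_p90=8_000_000)

if __name__ == "__main__":
    r = simulate(RANSOMWARE)
    print(f"{RANSOMWARE.name}: ALE ${r['ale']:,.0f}  VaR95 ${r['p95']:,.0f}  VaR99 ${r['p99']:,.0f}")
    print("within $15M appetite:", within_appetite(r, 15_000_000))
```

Reporting the p95 figure next to the stated appetite is what turns the metric into a decision the board can oversee, rather than a heat-map colour.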

5. Are we making the right business and operational decisions?

Cyber is not simply a technology, security, or even risk issue. Rather, it is a business issue and a “cost of doing business” in the digital economy. On the opportunity side, advanced technologies and digital innovations can help companies offer new products and services, delight their customers, and streamline or disrupt the supply chain. As a top strategic issue, management should provide the board with risk and return metrics that can support effective oversight of business and operational decisions, such as:

  • Risk-adjusted profitability of digital businesses and strategies
  • Return on investment of cybersecurity controls
  • Cyber insurance versus self-insured

We believe the number should be zero when it comes to the percentage of directors dissatisfied with the cybersecurity information provided by management. Based on our own observations of the quality of board-level cybersecurity reporting, significant gaps remain. We hope this article will serve as a framework for directors and executives to discuss ways to close those gaps.

When Healthcare Meets Retail

Published by

Sam Glick

It seems there’s always a new article about Amazon’s latest Alexa news, or a trendy startup trying to disrupt the shopping experience. Or, more soberly, a downtown now dominated by empty storefronts. Americans living and shopping in the country that invented the modern shopping mall, the supermarket, and e-commerce seek out the latest and greatest retail experience. Traditional retailers are now getting into the health business. Amazon bought Whole Foods, a grocer that began as a health food store. Walmart is considering buying PillPack, an online pharmacy startup. Albertsons is buying Rite Aid. And, in the biggest retail healthcare deal yet, CVS is buying Aetna, bringing together a retail chain with nearly 10,000 stores and a major national health insurer.

What does all this activity mean? Will the average American soon be going to the drugstore to pick up a quart of milk and have someone look at their rash while they’re there? Will my family physician deliver care at the same place that sells my Cheerios? The short answer to both questions: Maybe.

Retail’s entry into healthcare reflects three major trends in how the healthcare industry—and consumer behaviors—are evolving:

  1. Consumers are in the driver’s seat. In 2017, the average single plan deductible for those with employer-sponsored health insurance was $1,505. Since 2006, the average consumer’s annual out-of-pocket healthcare spending has increased by 230 percent. Consumers are spending mostly their own money for basic healthcare services, and they want to see value for that money like they do in other industries. They want reasonable prices, convenient hours and locations, and great service—not exactly attributes for which traditional doctor’s offices or hospitals are known. So, they’re turning to retailers and others to meet their needs, and it’s working. Oliver Wyman research shows consumers who visit a clinic in a drug, grocery, or discount store are highly likely to return—with just the opposite being true for conventional medical offices.
  2. Primary care is being redefined. The shortage of primary care physicians nationwide has been well-documented. Yet primary care is provided by a physician in many locations beyond the traditional exam room. Providers such as Kaiser Permanente now conduct more than 50 percent of primary care visits electronically. And in the United Kingdom, through a partnership with the artificial intelligence company, Ada, the National Health Service provides round-the-clock care via a chatbot. Also, in states such as California, pharmacists are beginning to be licensed to provide basic medical services, which could have a significant impact, given that there are more pharmacists in the US than there are primary care physicians. A drugstore chain with a pharmacist on every corner, or an online retailer with an app on every smartphone, is well positioned to get into the modern primary care business.
  3. Pharmacy matters more than ever before. We’ve seen some miraculous drug innovations in recent years—from a cure for Hepatitis C to using a patient’s own immune system to fight cancer—but those innovations have been accompanied by significant increases in pharmacy costs. According to Mercer, increases in pharmacy spending are one of the biggest concerns for employers when it comes to managing healthcare costs. Yet controlling that spending requires careful coordination long after a physician writes a prescription, from ensuring drugs are being taken correctly to understanding which consumers represent most of the spending to monitoring effectiveness. (Overall, just 0.3 percent of Americans account for a full 20 percent of drug spending.) And retailers—with big local footprints, large pharmacist workforces, and years of experience with consumer analytics—are in an advantageous place to deliver real value.

What does this mean for corporate directors?

Well, for those on retailer and healthcare boards, what’s vital is making sure that experience, value, and consumer preferences remain front and center on the company’s agenda, and that a range of innovative partnership and M&A options are being considered.

In other industries, directors should be asking hard questions to probe how these retail healthcare trends are being reflected in employee benefits and the company’s role in the new retail healthcare ecosystem. Health is affected by nearly every part of a consumer’s life, from technology to transportation, to food, to housing choices. Pretty soon, every company could be a healthcare company.

Sam Glick is a partner in Oliver Wyman’s Health and Life Sciences practice who focuses on consumer-centric healthcare.

Five Leading Practices for Governing Innovation

Technology is eroding traditional lines between industries and creating opportunities for innovators to disrupt incumbents. Findings from the 2017-2018 NACD Public Company Governance Survey suggest that boards are increasingly concerned about how to navigate technology disruption, with one third of respondents citing this as a trend likely to have the greatest impact on their company in the coming year. The rapid pace of change presents a significant challenge for boards as they look to sharpen their oversight. As such, directors, and the management teams they oversee, are searching for strategies that will enable them to adapt quickly to shifts in the business landscape.

Nichole Jordan speaks with directors.

The National Association of Corporate Directors (NACD), in collaboration with audit and tax specialist Grant Thornton, recently cohosted a directors’ roundtable in Chicago, Illinois, where directors and industry experts discussed the tactics that have helped them learn at the pace of disruptive innovation. Special guests from Amazon Web Services (AWS) were also present. Nichole Jordan, national managing partner of clients, markets, and industries at Grant Thornton, discussed the following strategies for getting out ahead of disruptors, based on her engagement with clients.

1. Utilize leading technology conferences and events. There are many reputable conferences and events centered around technology and innovation that directors should consider attending each year. These gatherings bring together renowned innovators and thinkers, providing attendees with an insider view that many outside of the technology industry do not have access to. This year, NACD partnered with Grant Thornton to host a group of directors for the CES Experience, a curated, board-focused tour of the Consumer Electronics Show (CES)—the world’s largest and most influential technology show. Participants were introduced to novel products and services and spoke with their peers about potential disruptions to their companies and industries. Outside of CES, Jordan suggested that directors also attend South by Southwest and The Wall Street Journal’s Future of Everything conference, among others.

2. Visit domestic and international companies at the forefront of innovation. Corporate executives and directors can now access the innovation centers of leading technology companies including Amazon.com, Google, Microsoft Corp., and Apple. Through offerings as varied as tours of innovative hubs, executive immersion programs, and corporate strategy sessions, boards can gain valuable insights into disruptive trends and how these may impact their own businesses.

Geoff Nyheim, director of US central area at AWS, provided an example of an insurance carrier taking advantage of Amazon’s offering. The insurance carrier was particularly concerned with the predicted growth of autonomous vehicles and the potential impact on their industry. The CEO brought his direct reports to AWS, where they spent three days talking through strategy under the premise that insurance claims would plummet due to disruption caused by the safety of autonomous vehicles. According to Nyheim, “when [operating under] that assumption, all sorts of different paths and creative ideas emerged” for the future of the company. Nyheim added that “a lot of other companies are in the same place, [but to their detriment] lack a similar urgency.”

One director commented that it’s just as important for boards and their management teams to get out of the country to visit innovation centers in India, China, and other emerging markets as it is to visit the ones closer to home. On such a trip to India, the director visited a General Electric Co. factory that produced equipment used to create computerized tomography (CT) scans, and was amazed by the advanced tools and research that he saw. Directors should find ways to experience a similar sense of wonder that’s applicable to their own industries.

3. Cultivate a collaborative business mentality. Though possibly counterintuitive, businesses need to consider building a sustainable ecosystem of partners for themselves. Jordan called out companies in Grant Thornton’s ecosystem, naming “Amazon Web Services and NACD as partners.” Directors should challenge members of management to consider developing a set of networks, partnerships, or alliances that can be tapped into to generate and implement innovative solutions. One director agreed, citing an internal study at his company which found that “less than five percent of ideas [generated within the company] actually came to fruition.” The company makes large investments in research, leading the director to conclude that part of the problem may be that it is relying too heavily “on [its] own resources and [is too] unwilling to trust others to help in the innovation process.” He also briefly outlined how companies can leverage networks to collaborate with a trusted supplier. The tactic assumes that a supplier “gets ten percent of revenue from [your company, so you ask the supplier if they would be willing to] take that ten percent and put it towards creating products for [your company].” This kind of thinking can lead to mutually beneficial and innovative engagements that enhance operational effectiveness.

4. Integrate technology briefings into your daily routine. Directors should be purposeful about incorporating reading about technology into their everyday lives, and can do so by seeking out reputable publications that report on the business of technology. The Wall Street Journal’s technology department, Recode, TechCrunch, and Wired magazine are widely considered reliable publications that bridge the gap between management and technology. Following leading organizations and their CEOs on social media—Jeff Bezos, Elon Musk, Shelley Palmer, or Gary Shapiro, for instance—can also enrich directors’ technology diets. One participant observed that maintaining relationships with individuals in late-stage venture capital funds can also facilitate learning. Venture capitalists “evaluate hundreds [if not] thousands of proposals,” she said, and could keep directors apprised of bleeding-edge developments.

5. Monitor your company’s progress on innovation relative to its customers. Effective benchmarking of technology initiatives’ success will vary from company to company. As such, innovation efforts should be wedded to the current and future needs of the company’s customers. Jeffrey Traylor, head of AWS solutions architecture for the US Central area at Amazon, suggested Amazon’s value of working backwards as a strategy for customer-centered innovation. “Before we [even] write the first line of code, we write a press release for three years from now, then write an FAQ,” Traylor said. “We ask [ourselves the following]: Who is the customer? What problem are we solving? What are the most important benefits to the customer? What does the customer experience look like?” For Amazon, innovation is about high intentionality and requires planning out how any new offering will benefit the end-user’s experience.

The board should also ensure that management views emerging technologies as a means to achieving long-term value creation, rather than an end in itself. As noted by a director at the event who oversees a company in the healthcare and life sciences industry, companies cannot succeed sustainably if they don’t innovate alongside the customer. “When we talk about innovation, it’s the people whose lives we’re going to make better. We innovate around the patients,” she said. For her company, “It’s not just about [developing a different] drug delivery system or [a new] device, [but rather] how can we prevent unexpected events, and connect caregivers and care systems to the patient.”

Jeffrey Burgess, national managing partner of audit services at Grant Thornton, rounded out the conversation, pointing out that innovation should not only be limited to the board and management, but also be instilled at every level of the company. “I think [of] innovation [as] more and more on the front lines,” Burgess said. “You need a culture [that] embraces change, and you need change management methodologies, procedures, and processes that drive innovation.” To meet these challenges, directors need to ensure that they are surrounded by intellectually curious and well-informed peers who can work with management to develop a forward-looking vision for the company. As Traylor cautioned, companies with boards that do not cultivate this curiosity may leave themselves vulnerable to the “ruthless and unsparing” effect of innovation.