Category: Risk Management

Continuing Curiosity: My CES Experience

Published by

Kathleen Misunas

I first attended the Consumer Electronics Show (CES) more than 30 years ago and have visited periodically over the intervening years. Rest assured that the creativity and sheer volume of innovation exhibited there never ceases to amaze and impress me. While some of it is developed and showcased by global companies such as Samsung and Kohler, the showroom floor is also filled with talent previously working behind the scenes at various brands, or by truly start-up entrepreneurs.

This was the first time that I have viewed the show through the eyes of a corporate director. As I walked more than 10 miles through the aisles over the course of CES 2018, I considered the governance implications of what I saw.

To me, one of the benefits of being at CES is being away from daily routines and taking the opportunity to observe and just let your mind cogitate the possibilities. And cogitate I did. In some cases, I wanted to know not only what the product did, but how it was made. In other instances, I wondered how a product could be marketed or sold, what companies would create its competitor products, and what adoption rate was required to make the product financially successful.

So, what did I find exciting? What made the governance wheels in my head turn? Below are a few themes that stood out.

  • Quantum Computers. From a pure technology standpoint, the quantum computer stands out due to its astounding small size yet incredible processing power. Intel, which is one of the leaders of the quantum computing race, kicked the week off by exhibiting its own advancements in engineering one of the most powerful quantum chips yet. The IBM Research group, on the other hand, displayed its quantum computer as a stunning piece of art.
  • Sensors and the Internet of Things. Sensors—which were imbedded in everything from fabrics to headsets, from vehicles to medical products, and in everything else you might imagine would benefit from being connected—continued to impress due to the breadth of their utility. One clever use of sensors was the ShadeCraft patio umbrella whose electronics and robotics allowed it to automatically raise and lower itself based upon current light and weather conditions. This product not only understood sunrise and sunset, but followed the sun throughout the day to properly tilt the umbrella and gauged wind speed or rain to automatically close the umbrella without human intervention. No more worrying about your expensive patio umbrella being turned inside out, upending your table, or taking off as a projectile when you weren’t available to tend it.
  • Autonomous Vehicles. There was an incredible number of offerings around autonomous vehicles. I use the term vehicles instead of cars because the auto-drive implications are also clear for vans, trucks, tractors, forklifts, campers, and other vehicles. Here again the use of sensors was key, and there is no doubt that many of these machines will perform better than the drivers that we currently encounter on the road, human foibles and all.
  • Medical Aids. Regarding other products, I found so many to be interesting. There was an audio system that not only provided a hearing test but progressed to actually construct an ear bud that utilized the results of the hearing test to produce a customized hearing aid. Phenomenal! Anyone who has gone through the rigor of selecting a hearing aid device can appreciate this speedy, streamlined approach, especially when it is at half the price point of today’s offerings. Next, I liked the Gyenno Co., which developed a special spoon that automatically levels its contents to eliminate spilling. This will provide such a caring and practical solution for those with Parkinson’s or other medical issues that have a problem feeding themselves due to tremors.
  • 3D Printing. Another greatly improved invention is 3D printing. Although the method has been around for a while, it is now not limited to plastics or small items. Printers can fabricate in a variety of mediums and to great scale. For example, there was a camper-type van displayed on the showroom floor that was created by 3D printing. It was produced quickly and at much less expense than a traditional van. It is easy to extrapolate the utility of 3D printing to assist various businesses since it permits specialty solutions that previously did not have the volume to be economically feasible from the producer’s perspective, and were not affordable from the buyer’s standpoint.
  • Odds and Ends. Three fun offerings were related to beer, fingernails, and laundry. Although I am not a beer drinker, the PicoBrew easily allows making craft beers at home and would be a hit with many of my friends. And I know those who would like the fingernail machine that can use any photos to create vinyl nails for application at home. Finally I’ll introduce the FoldiMate, a device that folds your laundry when you feed it into the machine. It could be the next best thing since sliced bread for the lazy among us.

It is worth noting that one of the great joys of CES is that everyone is welcome, and that the exhibitors and subject-matter experts arrive from many countries. CES makes clear that the desire to innovate transcends borders and creeds, and that the glue holding this incredible meeting together is not so-called “geekiness,” but a superior level of creativity, intellectual curiosity, and desire for business success—and, perhaps above all, the desire by many to improve living conditions around the world.

I’ll close by saying everyone should attend this show once their life time. As a director, I suggest setting the goal of attending every three to five years. CES presents a soup-to-nuts view of developments in products and technology that consumers will anticipate. Even if you are not affiliated with what is considered a consumer business, you do serve customers that will continue to expect innovation. As I absorbed the week’s events and considered the possibilities around every corner, CES opened my mind about what could or should be considered in the boardroom related to strategy and risk. It was well worth my time, and would be for you, too.

Kathleen Misunas is a director of Boingo Wireless and Tech Data Corp., two publicly traded technology companies. 

Want to learn more about NACD’s CES Experience? Explore dispatches from the event here

Risks Illustrate Imperative to Balance Corporate Ambition with Resilience

Published by

Richard Smith-Bingham

A positive outlook for the global economy notwithstanding, the operating and investment risk for companies in today’s global environment should not be underestimated. Building resilience against a wide and expanding array of potential shocks will be required for sustainable success.

For corporate directors, this is a time for challenging institutional assumptions — and recognizing not just that new risks are appearing on the horizon but that operational risks may become strategic ones, known risks may become unknown, controllable risks may become uncontrollable, and risks assumed to be acceptable may acquire “fat tails.”

The newly released Global Risks Report, prepared by the World Economic Forum with the support of Marsh & McLennan Companies and other partners, evaluates the major threats facing the world over the next decade and provides a rich context to help organizations chart an aggressive growth strategy.

The risk landscape is shifting.

This year’s survey revealed deep pessimism about the direction of international relations. Ninety-three percent of survey respondents from across the global risk community expect that political and economic confrontations between major powers will increase in 2018. There were high levels of concern about an increase in state-on-state conflicts that may draw in other countries. Western respondents also highlighted growing concern about economic protectionism.

Technological risks are seen as a rising global threat. Business leaders in advanced economies consider large cyber attacks to be the number-one risk for doing business in their respective countries, and respondents in most parts of the world anticipate these attacks will get worse in 2018. Societal risk emanating from the increase in media echo chambers and fake news is also expected to grow.

On a longer-term horizon, environmental risks ranked highest in both likelihood and impact. Extreme weather and failure to adapt to climate change showed the greatest leap in concern since last year’s report, perhaps reflecting the hurricanes, earthquakes, and wildfires suffered during September when the survey was open. However, even before the devastating events of 2017, apprehension in this area was strongly reflected in this survey.

Companies are increasingly vulnerable to shocks and disruption.

Positive growth in recent months shouldn’t blind businesses to potential economic fragilities. The debt-to-equity ratio of the median S&P 1500 company (excluding financials) has almost doubled since 2010 and is now well above pre-financial crisis levels. Asset prices in some sectors are at historically high levels. Global debt has risen to a record $233 trillion, and at 318 percent, the global debt to GDP ratio remains near its all-time high.

Persistent low commodity prices continue to rattle exporter countries and their neighbors, which presents political and societal implications. Structural issues such as income inequality, rising health care costs, and diminishing long-term retirement security also show little sign of being resolved.

Against this backdrop, how will investor and corporate confidence fare in the event of a major geopolitical altercation, an aggravated trade stand-off, or a technological catastrophe—none of which are implausible?

A Business Lens

Corporate lifespans are dramatically shortening. The average time companies spend in the S&P 500 index has already decreased from approximately 60 years in the 1950s to 12 years today. The velocity of change in the current environment, creating both new opportunities and new threats, will likely drive this lifecycle down even further. The pressure to define and execute a strategy with both bold ambition and resilience against major shocks has never been higher.

It’s imperative for board members to ensure their company’s leadership makes every effort to reconcile growth and innovation opportunities with risk and security considerations, while rigorously assessing the value of potential initiatives in a wide range of scenarios. A dual focus on prevention and response—given the increased velocity of new and unpredictable risks—is needed.

As our recent paper on Getting Practical with Emerging Risks notes, clarity on the sorts of intelligence expected and opportunities for the board to discuss weak signals will help achieve a cohesive approach to sense-making and alignment with senior management on the way ahead. Boards that engage with complex uncertainties will be best positioned to help their firms negotiate today’s dynamic risk environment laden with potential shocks and disruption.

Richard Smith-Bingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads MMC’s thinking on the evolving macro-level risk landscape and how companies and governments can best anticipate and negotiate rising threats. 

Ask Your Security Team These Questions in 2018

Published by

Corey E. Thomas

As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.

To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.

1. Does the security team have a full, well-informed view of the organization’s security posture?

One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.

You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.

It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.

Here are some additional questions you can ask:

  • Which threats are most relevant to the company, and which assets are most vulnerable, and which are most likely to be targets? Ask the security team to explain their answers.
  • Does the security team share threat information with security teams at other organizations of a similar profile?
  • Does the security team have full visibility and control of our entire technology environment, including assets we lease rather than own? Does the team have a detailed inventory of key assets, who is using them and how, and what known risks relate to them?
  • Is the security team part of the procurement process for all technology products and services? Do they vet technology vendors on the security of their products or services? Do they investigate the vendor’s practices for reporting and patching vulnerabilities?
  • Does the security team know who has access to what applications and services? Have they locked access down as far as possible, so people only have the privileges needed to perform their day-to-day role?

2. Is our organization resilient to attack?

Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.

Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.

  • Is all company and customer data encrypted at rest and in transit? If not, which data is being encrypted and when?
  • Has the security team segmented the company’s networks to reduce an attacker’s ability to move through the network and reach valuable assets?
  • Does your organization regularly back everything up to reduce susceptibility to ransomware attacks? Do you run regular backup and restore drills?
  • Do you know how susceptible our employees are to phishing? Are you investing in education programs to raise security awareness?
  • Do you have multi-factor authentication in place on all of our technical services and applications?
  • Does the organization have cyber insurance to help it recoup any costs of a security incident? Which scenarios or factors are not covered by the insurance?

3. Is the security team confident it can detect and respond quickly to security incidents?

According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.

A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.

Some relevant questions include:

  • Does the security team map normal behavior (both for human users and machine entities) on the network? Are they able to detect anomalous behavior?
  • Is the security team able to investigate and verify alerts quickly? Do they have sufficient resources committed to monitoring systems that alert suspicious activity?
  • How quickly could the security team investigate a potential breach or determine which technology assets and users may have been compromised? Does the security team have sufficient visibility across all technical assets to investigate fully? Does the security team log any information that would be needed to investigate a security incident?

Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?

4. How do you measure the effectiveness of our cybersecurity program and initiatives?

Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.

Some questions to ask your security team include:

  • Is the security team proud of the company’s patching program? Do they feel adequately supported by the IT team in their efforts?
  • Who is responsible in the organization for initiating testing of organization-wide breach readiness?
  • How frequently does the security team test the company’s defenses for effectiveness? Do they hire external security consultants to try to penetrate the network and facilities?
  • Is the security team able to track progress over time?
  • Does the security team have a view of the maturity of its program? Is there a clear roadmap for future progress?
  • What measures has the security team taken in the past six months to improve security posture? What results have they seen? How will they adjust the program moving forward?

5. Do political or financial considerations impact your ability to protect the organization effectively?

It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.

The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.

Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.

  • Are there any budgetary or political roadblocks to implementing foundational security controls?
  • Does the security team have adequate headcount and resources? How is the answer to this question determined? If not, in which areas are we below critical mass?
  • Does the head of security have the opportunity to be heard among the most senior executives in the organization?
  • Do the business leaders across the company truly understand the potential costs and implications of the business of being breached? Do they discuss risk tolerance and prioritization payoffs in an open, strategic way? Do they build resilience plans based on these discussions?
  • Is security considered an audit function, or does the organization strive to build security into its products, services, and operations by design?

Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.

Corey Thomas is CEO, president, and a member of the board of Rapid7.