Companies today fall into two groups: those that have been breached and know it, and those that have been breached but don’t know it. The realities of managing cyber risks are that breach risks are impossible to eliminate, resources for managing them are finite, risk profiles are ever-changing, and getting close to secure is elusive.
Our December 2017 discussion with a group of active directors during a dinner roundtable at a National Association of Corporate Directors (NACD) event identified some interesting insights into cyber-risk oversight at the board level.
Winning battles does not necessarily win the war. The discussion focused on how state-sponsored attacks targeting government institutions, industrial facilities, infrastructure, and many business organizations are increasing in both power and sophistication. Combatting so-called advanced persistent threats (APTs) requires faster detection and more advanced response tactics. In the arms race to keep pace with (or, in most cases, catch up to) these threats, organizations need to commit adequate resources to tapping into available government intelligence and using it to improve their preparedness. Directors should suggest to their management team that they develop and maintain relationships with the government-sector contacts needed to stay informed of emerging risks.
Upgrading detection capabilities. Where management and the board believe the entity is an APT target based on what it represents, what it does, and the intellectual property it owns, the directors raised concerns over the maturity of most companies’ cybersecurity countermeasures and asked what can be done from the board level to encourage more effective mitigation of the risks. Capabilities need to be upgraded beyond the controls, tools, and response mechanisms traditionally relied on to contain sophisticated attackers and corporate insiders. Our experience is that detective and monitoring controls remain immature across most industries relative to the evolving threat landscape.
Clarifying expectations with management. One director noted that when a chief information officer (CIO) or chief information security officer (CISO) asserts, “Don’t worry, we’re taking care of that,” or delivers a similar pushback, it tends to stifle the dialogue and leaves directors with nowhere to go and an incomplete understanding of cyber-risk mitigation. The group’s ensuing discussion pointed to several themes. Directors should ask the right questions (an appendix in the 2017 NACD publication on cyber-risk oversight suggests relevant questions), consider changing board composition if more expertise is necessary, and consider establishing a separate cybersecurity or technology committee of the board. Although directors have limited time to get into details, they should set clear expectations for management at all levels with respect to cyber incidents that can affect the company’s reputation, brand image, and standing with customers. Expectations regarding cybersecurity strategy and risk tolerances should be incorporated into the entity’s risk appetite statement.
Improving board cybersecurity reporting and metrics. The severity of the Equifax breach as well as others raises the question as to whether boards are probing deeply enough to determine what they don’t know. To that end, the directors noted that too often board reports deliver high-level information only. So, the question then becomes, what reporting and metrics on cybersecurity should the board request? The discussion pointed to several examples of key areas to consider:
The number of system vulnerabilities
The length of time required to implement patches
The length of time to detect a breach
The length of time to respond to a breach
The length of time to remediate audit findings
Percent of breaches perpetrated through third parties
The number of security protocol violations
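Several of the metrics above depend entirely on how the clock is started and stopped, and a board report that leaves that unstated is easy to flatter. The script below is an added example (not from the NACD discussion) that computes time-to-detect, time-to-respond, patch latency by severity, open vulnerabilities, and the third-party share from constructed sample records; the record layout and field names are assumptions. Detection is measured from the earliest attacker activity established by forensics, not from the first alert, and each timing metric reports median and worst case alongside the mean, because the mean hides the long-tail incident a board most needs to know about.

```python
"""Board-level cyber metrics from incident and patch records.

Added example with constructed sample data; the Incident and Patch
field names are assumptions, not a standard reporting schema.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    ident: str
    first_activity: datetime   # earliest attacker activity established by forensics
    detected: datetime         # when the organisation first became aware
    contained: datetime        # when attacker access was cut off
    via_third_party: bool      # initial access through a vendor, supplier or partner


@dataclass
class Patch:
    ident: str                    # internal tracking id (hypothetical, not a real advisory)
    severity: str                 # "critical", "high", "medium" or "low"
    available: datetime           # fix published by the vendor
    deployed: Optional[datetime]  # None while the fix is still outstanding


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def _summary(values: List[float]) -> Dict[str, float]:
    """Mean alone hides the long tail, so report median and worst case with it."""
    return {"mean": round(mean(values), 2),
            "median": round(median(values), 2),
            "max": round(max(values), 2)}


def time_to_detect(incidents: List[Incident]) -> Dict[str, float]:
    """Hours from first attacker activity to awareness. Measuring from the first
    alert instead would report the tooling's latency, not the organisation's."""
    return _summary([_hours(i.first_activity, i.detected) for i in incidents])


def time_to_respond(incidents: List[Incident]) -> Dict[str, float]:
    """Hours from awareness to containment."""
    return _summary([_hours(i.detected, i.contained) for i in incidents])


def third_party_share(incidents: List[Incident]) -> float:
    """Percent of incidents whose initial access came through a third party."""
    if not incidents:
        return 0.0
    hits = sum(1 for i in incidents if i.via_third_party)
    return round(100.0 * hits / len(incidents), 1)


def patch_latency_days(patches: List[Patch]) -> Dict[str, float]:
    """Mean days from fix availability to deployment, per severity, over deployed
    fixes only; outstanding fixes are counted by open_vulnerabilities()."""
    by_sev: Dict[str, List[float]] = {}
    for p in patches:
        if p.deployed is not None:
            by_sev.setdefault(p.severity, []).append(_hours(p.available, p.deployed) / 24.0)
    return {sev: round(mean(days), 2) for sev, days in sorted(by_sev.items())}


def open_vulnerabilities(patches: List[Patch], as_of: datetime) -> Dict[str, int]:
    """Fixes available but not yet deployed on the reporting date, per severity."""
    counts: Dict[str, int] = {}
    for p in patches:
        if p.available <= as_of and (p.deployed is None or p.deployed > as_of):
            counts[p.severity] = counts.get(p.severity, 0) + 1
    return counts


def board_report(incidents: List[Incident], patches: List[Patch], as_of: datetime) -> dict:
    return {
        "reporting_date": as_of.date().isoformat(),
        "time_to_detect_hours": time_to_detect(incidents),
        "time_to_respond_hours": time_to_respond(incidents),
        "third_party_breach_percent": third_party_share(incidents),
        "patch_latency_days_by_severity": patch_latency_days(patches),
        "open_vulnerabilities_by_severity": open_vulnerabilities(patches, as_of),
    }


# Constructed sample records (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2018, 1, 2, 8), datetime(2018, 1, 12, 8), datetime(2018, 1, 13, 8), False),
    Incident("INC-2", datetime(2018, 2, 1, 0), datetime(2018, 2, 1, 6), datetime(2018, 2, 1, 18), True),
    Incident("INC-3", datetime(2018, 3, 10, 12), datetime(2018, 4, 9, 12), datetime(2018, 4, 12, 12), True),
    Incident("INC-4", datetime(2018, 5, 5, 9), datetime(2018, 5, 5, 10), datetime(2018, 5, 5, 13), False),
]
SAMPLE_PATCHES = [
    Patch("V-1", "critical", datetime(2018, 1, 5), datetime(2018, 1, 8)),
    Patch("V-2", "high", datetime(2018, 1, 10), datetime(2018, 1, 31)),
    Patch("V-3", "medium", datetime(2018, 2, 1), datetime(2018, 3, 15)),
    Patch("V-4", "critical", datetime(2018, 2, 20), datetime(2018, 3, 20)),
    Patch("V-5", "low", datetime(2018, 3, 1), None),
]
REPORT_DATE = datetime(2018, 6, 30)

if __name__ == "__main__":
    print(json.dumps(board_report(SAMPLE_INCIDENTS, SAMPLE_PATCHES, REPORT_DATE), indent=2))
```

On the sample data the mean time to detect is about 242 hours but the median is 123 and the worst case 720: one incident that ran for a month is what the board should be asking about, and a single average would have buried it.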
Paying attention to “blocking and tackling.” The group brought up several cybersecurity basics, including prioritizing high-risk patches, raising awareness of phishing, implementing network segmentation, and refreshing incident response and recovery plans continuously. One director noted that every organization should have multi-factor authentication in place for access to its systems; accordingly, the board should discuss this security measure with management.
Conducting independent cybersecurity assessments. As innovative transformation initiatives constantly expand an organization’s digital footprint, they outpace security protections companies have in place. Accordingly, organizations should consider assessing the current state of their overall cybersecurity using an established framework, in relation to their desired state. If such reviews identify gaps or areas of weakness requiring immediate remediation, the board should satisfy itself that management addresses those areas in a timely manner.
Being aware of challenges in the information technology (IT) and security organizations. The point was raised that many organizations need to seriously consider re-architecting themselves from both a technology and a security standpoint. The question the board needs to ask management is: How quickly are we able to get an issue resolved? Management assertions that a fix will disrupt existing operations and legacy systems, and therefore will take time to implement, are a red flag: a known gap that cannot be closed quickly is one an attacker can count on. Our discussion also touched on the issue of inadequate IT and security resources, and the need to innovate the business. The point is, cybersecurity must be focused on what’s important and cannot consume the entire budget.
Considering the value of cybersecurity insurance. One director brought up the importance of cybersecurity insurance coverage as a means to transfer some of the financial risk associated with a variety of cybersecurity incidents, including data breaches, business interruption, and network damage — particularly since the entity’s directors and officers liability policy may not cover these issues. If a company invests in a cybersecurity policy, the insurer may require the business to follow certain guidelines and provide evidence through a cybersecurity assessment, as discussed earlier. If the company hasn’t benchmarked itself against an appropriate framework, directors should inquire as to why not.
Dig into deeper insights from Protiviti by visiting their Board Perspectives piece on the challenges directors face when overseeing cybersecurity risks.
It seems recently that one can’t escape reading stories about poor leadership gone wrong. It’s time for action from the boardroom, and it’s no longer good enough to ask unstructured questions about a company’s helpline. Nor is it good enough to rely on one’s own experience, instinct, and blind spots in the boardroom to hold management accountable for a healthy culture.
A trust-but-verify culture might be a good way for boards to move forward. While it is critically important to have trust in the CEO, blind trust can only lead to blind alleys where bad cultures can fester and become toxic. The board needs to be equipped with a way to understand the company’s culture periodically, in a manner that is tailored to the company yet adaptable as the company changes.
The need for directors of companies to get under the skin of the culture of their organization has never been greater—or more necessary and daunting. Witness the many culture disasters we have recently seen from Uber, Wells Fargo & Co., The Weinstein Co., and Wynn Resorts. Over the past 25 years as a corporate executive, advisor, and board member, I have witnessed and advised on responses to similar instances of culture gone wrong—the good, the bad, the ugly, and, in one or two cases, the uglier. And I have also seen what a good culture can do to propel a company to greater reputational and financial heights (and returns).
It is important to share some of the tools, lessons learned, and insights on how the board can peel back the layers of the culture onion to begin to understand what is going on inside their companies, above and beyond the surface that boards are usually privy to. We start with a look at what happened in 2017 to understand the workplace culture maelstrom that the #MeToo moment has ushered in and crystallized.
A Year in Culture Dysfunction
2017 was a year filled with tales of organizational culture gone wrong. We learned about negative and destructive behaviors in the workplace, mostly perpetrated by powerful leaders, causing serious human, economic, and reputational costs for people and organizations. The toxic workplace cultures extended from the pinnacles of political power to the front lines of manufacturing facilities.
Powered by the ubiquity and raw reach of social media, the #MeToo story quickly became universal—told first by the more glamorous denizens of Hollywood and then extending to the most vulnerable hotel, restaurant, and factory floor workers. All of them were victims of a toxic workplace culture of abuse of power, shame, and lies. Worse still, many victims are submitting to terrible work conditions, are sidelined from needed jobs, or are permanently derailed from pursuing desirable careers and professional passions.
Time magazine’s choice for the 2017 Person of the Year, the “Silence Breakers,” said it all. Though sparked by the Weinstein exposé, the #MeToo story represents the culmination of decades of pent-up workplace silence, lies, cover-ups, manipulation and anger. The overwhelming impact of the #MeToo phenomenon can only be explained by the explosion and maturation of social media, which has led to the amplification and acceleration of reputation risks tied to workplace culture.
Why 2017 Stands Out
Two other relatively recent periods of corporate cultural moments, if we can call them that, come to mind: 2002 and 2008. The downfall of Enron, WorldCom, and others resulted in an uproar about financial accountability and the adoption of Sarbanes–Oxley in 2002. Nearly six years later, we witnessed the downfall of financial giants Lehman Brothers Holdings and Bear Stearns Cos., and the humiliation of the U.S. financial sector in general for the massive mortgage and derivative-related scandals, which led to social awakenings such as Occupy Wall Street and the adoption of the Dodd-Frank Act.
While these two watershed moments were important, 2017 was arguably the most momentous year yet for matters of corporate culture. In both the 2002 and 2008 cases, the cultural issue revolved around financial malfeasance. The cultural issue of 2017 is qualitatively different. Challenges are being made against toxic personal behaviors in the workplace perpetrated mainly by leaders against their subordinates, and those actions demand a qualitatively different approach to oversight that is more proactive and requires the ability to look behind the numbers and the dashboards.
By 2017 we had also arrived at the convergence of two other significant developments not fully present or developed before:
the rise of the importance to business of environmental, social and governance (ESG) issues (especially in the US, as Europe has long focused on ESG); and
the acceleration and amplified impact of reputation risk associated with ESG risk (which includes workplace cultural issues) because of the age of social media and hyper-transparency.
Companies can no longer reactively manage their reputation in this hyper-transparent environment. Companies have to earn it proactively and watchfully, and getting to the bottom of the culture of their organization is of paramount importance for the C-suite and board.
In this era, the excuse that only shareholders matter no longer holds. Boards and management are responsible to all of their stakeholders for ESG results as well (shareholders, employees, customers, and beyond), which include proactively maintaining and nurturing a healthy workplace culture. In the age of hyper-transparency, it does not pay to turn a blind eye or to wait for a crisis to hit. The rapid-fire downfall of not only Harvey Weinstein but of his entire company, including its damaged board and board members, is the cautionary tale of the day.
On the positive side, there is plenty of evidence that while a toxic culture destroys value, a strong and resilient culture fully championed and embodied by the very top of the organization (read: CEOs and directors) can and will add long-term sustainable value to the company’s reputation and financial bottom line. Such values protect the organization from the crises that will inevitably come and add bottom line financial value, as the famous Johnson & Johnson Tylenol case first demonstrated.
Is Our Current Culture Moment Fleeting or Momentous?
We are certainly witnessing a cultural moment. The real question is this: will this moment pass with no more than a whimper, or will it become momentous?
The 2017 stories have definitely awakened awareness at the very top of corporate leadership—at least for now. In one day in December at two major governance gatherings sponsored by NACD in New York City—at Leading Minds of Governance and the NACD Director 100 Gala—this author witnessed how the #MeToo movement was top of mind for directors in general and dominated discussions both public and private throughout that day. Energized directors and experts who were present underscored the importance of action in this moment for the boardroom, and how this topic must be addressed in the long term as part of the board’s responsibility.
Thus, I would argue that this moment is not a fleeting one. The importance of this moment cannot be over-emphasized. It’s one that will be captured by responsible leaders and boards. Indeed, this is a unique time for leaders to step up to their responsibility for creating and owning a healthy workplace culture and for boards to acknowledge and embrace their responsibility: exercising proactive oversight of—and holding management accountable for—creating and maintaining a healthy workplace culture.
The Culturally Attuned Board
The culturally attuned board is one that is organized to understand the company in depth and to leverage that understanding for the success of all its stakeholders. What does that mean in real terms? It means, first, that the board has the tools necessary to understand what the culture really is—to peel that onion to get to the heart of what the tone is not only at the top (in the C-Suite), but also at the grass roots—including among entry-level employees. Second, it means that the board is aware of the red flags that might tip them off to a culture issue or problem. And third, it means that the board does not rest on its laurels but makes the culture conversation a permanent fixture of its work with the CEO, C-suite, and employees generally.
The next blog in this series will describe three specific tools that boards should implement, as well as the ten questions the board should ask to dig deeper and what should be on the board’s culture dashboard.
Dr. Andrea Bonime-Blanc is founder and CEO of GEC Risk Advisory, a strategic governance, risk and ethics advisor, board member, and former senior executive at Bertelsmann, Verint, and PSEG. She is author of numerous books including The Reputation Risk Handbook (2014) and The Artificial Intelligence Imperative (April 2018). She serves as Independent Ethics Advisor to the Financial Oversight and Management Board for Puerto Rico, start-up mentor at Plug & Play Tech Center, life member at the Council on Foreign Relations and is faculty at the NACD, NYU, IEB and Glasgow Caledonian University. She tweets as @GlobalEthicist. All thoughts shared here are her own.
Over the years, the Consumer Electronics Show (CES) in Las Vegas has featured miles of technology and millions of people—2.75 million square feet for 3,900 booths and nearly 185,000 attendees in 2018 alone.
Under those tents are innovations that will disrupt markets and your companies. The question is, which ones?
Not every innovation is disruptive, and not every market is vulnerable. According to a recent blog by Harvard professor Clayton M. Christensen, written shortly before the most recent CES event in January, “disruptive innovation,” a term Christensen coined in 1995, is “the process by which products and services, often less expensive and less sophisticated, move upmarket until they displace established competitors.”
Displacement is no fun; it generally means downsizing and can mean demise. So directors naturally want their companies to disrupt, rather than be disrupted. That’s why NACD launched the NACD CES Experience in partnership with Grant Thornton. Participants enjoyed a director-curated tour and program that explored the technology trends of greatest relevance to business, helping attendees see implications for their own companies.
General trends highlighted on the tour included the impact of artificial intelligence, machine learning, chip and processing technologies, and sensor technologies on human-machine interface. The small group of directors also witnessed new technologies in voice input and response, image and vision interactions, biometrics, digital assistants, computational photography, shoppable images, virtual environments, and biometric trackers.
NACD inaugurated a similar annual event last July, the NACD Technology Symposium, where directors toured businesses in Silicon Valley, interacting with innovators there. And in April 2018, NACD will host a Global Cyber Forum in Geneva, Switzerland. NACD, working with others, has been providing cyber-risk oversight guidance for directors since the year 2000, most recently with the NACD Director’s Handbook on Cyber-Risk Oversight, 2017 edition. Also our Emerging Issues resource center has a segment on the impact of technology change.
Such programs, encouraging focus amid complexity and change, are models for what board leadership is all about: focused oversight. Based on my own board service, and on my decades of dialogue with directors, I believe that identifying and prioritizing issues for oversight is the single most important value that boards bring to organizations. It’s the opposite of the “shiny thing” syndrome, in which our attention darts to whatever is new and interesting.
In a video interview with several directors at the opening day of CES, NACD Chief Programming Officer Erin Essenmacher asked why they came. Lianne Pelletier, whose views on CES were recently featured in the Wall Street Journal, focused on infrastructure, a key topic at Expeditors International, where she serves as a director. John Hotta, a director at First Washington Robotics, focused on the accessibility of platforms like Amazon’s Alexa. Maureen Conners, on the board of Fashion Incubator San Francisco, said that directors should bring the top “three to five” issues to the attention of their CEO to ask for a report on strategic implications.
In short, all the directors interviewed said that they wanted broader horizons but would continue to focus straight ahead.