Technology is eroding traditional lines between industries and creating opportunities for innovators to disrupt incumbents. Findings from the 2017-2018 NACD Public Company Governance Survey suggest that boards are increasingly concerned about how to navigate technology disruption, with one third of respondents citing this as a trend likely to have the greatest impact on their company in the coming year. The rapid pace of change presents a significant challenge for boards as they look to sharpen their oversight. As such, directors, and the management teams they oversee, are searching for strategies that will enable them to adapt quickly to shifts in the business landscape.
Nichole Jordan speaks with directors.
The National Association of Corporate Directors (NACD), in collaboration with audit and tax specialist Grant Thornton, recently cohosted a director’s roundtable in Chicago, Illinois, where directors and industry experts discussed the tactics that have helped them learn at the pace of disruptive innovation. Special guests from Amazon Web Services (AWS) were also present. Nichole Jordan, national managing partner of clients, markets, and industries at Grant Thornton, discussed the following strategies for getting out ahead of disruptors based on her engagement with clients.
1. Utilize leading technology conferences and events. There are many reputable conferences and events centered around technology and innovation that directors should consider attending each year. These gatherings bring together renowned innovators and thinkers, providing attendees with an insider view that many outside of the technology industry do not have access to. This year, NACD partnered with Grant Thornton to host a group of directors for the CES Experience, a curated, board-focused tour of the Consumer Electronic Show (CES)—the world’s largest and most influential technology show. Participants were introduced to novel products and services and spoke with their peers about potential disruptions to their companies and industries. Outside of CES, Jordan suggested that directors also attend South by Southwest and The Wall Street Journal’s Future of Everything conference, among others.
2. Visitdomestic and internationalcompanies at the forefront of innovation. Corporate executives and directors can now access the innovation centers of leading technology companies including Amazon.com, Google, Microsoft Corp., and Apple. Through offerings as varied as tours of innovative hubs, executive immersion programs, and corporate strategy sessions, boards can gain valuable insights into disruptive trends and how these may impact their own businesses.
Geoff Nyheim, director of US central area at AWS, provided an example of an insurance carrier taking advantage of Amazon’s offering. The insurance carrier was particularly concerned with the predicted growth of autonomous vehicles and the potential impact on their industry. The CEO brought his direct reports to AWS, where they spent three days talking through strategy under the premise that insurance claims would plummet due to disruption caused by the safety of autonomous vehicles. According to Nyheim, “when [operating under] that assumption, all sorts of different paths and creative ideas emerged” for the future of the company. Nyheim added that “a lot of other companies are in the same place, [but to their detriment] lack a similar urgency.”
One director commented that it’s just as important for boards and their management teams to get out of the country to visit innovation centers in India, China, and other emerging markets as it is to visit the ones to home. On such a trip to India, the director visited a General Electric Co. factory that produced equipment used to create computerized tomography (CT) scans, and was amazed by the advanced tools and research that he saw. Directors should find ways to experience a similar sense of wonder that’s applicable to their own industries.
3. Cultivate a collaborative business mentality. Though possibly counterintuitive, businesses need to consider building a sustainable ecosystem of partners for themselves. Jordan called out companies in Grant Thornton’s ecosystem, naming, “Amazon Web Services and NACD as partners.” Directors should challenge members of management to consider developing a set of networks, partnerships, or alliances that can be tapped into to generate and implement innovative solutions. One director agreed, citing an internal study at his company which found that “less than five percent of ideas [generated within the company] actually came to fruition.” The company makes large investments in research, leading the director to conclude that part of the problem may be that it is relying too heavily “on [its] own resources and [is too] unwilling to trust others to help in the innovation process,” one director said. He also briefly outlined how companies can leverage networks to collaborate with a trusted supplier. The tactic assumes that a supplier “gets ten percent of revenue from [your company, so you ask the supplier if they would be willing to] take that ten percent and put it towards creating products for [your company].” This kind of thinking can lead to mutually beneficial and innovative engagements that enhance operational effectiveness.
4. Integrate technology briefings into your daily routine. Directors should be purposeful about incorporating reading about technology into their everyday lives, and can do so by seeking out reputable publications that report on the business of technology. The Wall Street Journal’s technology department, Recode, TechCrunch, and Wired magazine are widely considered reliable publications that bridge the gap between management and technology. Following leading organizations and their CEOs on social media—Jeff Bezos, Elon Musk, Shelley Palmer, or Gary Shapiro, for instance—can also enrich directors’ technology diets. One participant observed that maintaining relationships with individuals in late-stage venture capital funds can also facilitate learning. Venture capitalists “evaluate hundreds [if not] thousands of proposals,” she said, and could keep directors apprised of bleeding-edge developments.
5. Monitoryour company’s progress on innovation relative to its customers. Effective benchmarking of technology initiatives’ success will vary from company to company. As such, innovation efforts should be wedded to the current and future needs of its customers. Jeffrey Traylor, head of AWS solutions architecture for the US Central area at Amazon, Traylor suggested Amazon’s value of working backwards as a strategy for customer-centered innovation. “Before we [even] write the first line of code, we write a press release for three years from now, then write an FAQ,” Traylor said. “We ask [ourselves the following]: Who is the customer? What problem are we solving? What are the most important benefits to the customer? What does the customer experience look like?” For Amazon, innovation is about high intentionality and requires planning out how any new offering will benefit the end-user’s experience.
The board should also ensure that management views emerging technologies as a means to achieving long-term value creation, rather than an end in itself. As noted by a director at the event who oversees a company in the healthcare and life sciences industry, companies cannot succeed sustainably if they don’t innovate alongside the customer. “When we talk about innovation, it’s the people whose lives we’re going to make better. We innovate around the patients,” she said. For her company, “It’s not just about [developing a different] drug delivery system or [a new] device, [but rather] how can we prevent unexpected events, and connect caregivers and care systems to the patient.”
Jeffrey Burgess, national managing partner of audit services at Grant Thornton, rounded out the conversation, pointing out that innovation should not only be limited to the board and management, but also be instilled at every level of the company. “I think [of] innovation [as] more and more on the front lines,” Burgess said. “You need a culture [that] embraces change, and you need change management methodologies, procedures, and processes that drive innovation.” To meet these challenges, directors need to ensure that they are surrounded by intellectually curious and well-informed peers who can work with management to develop a forward-looking vision for the company. As Traylor cautioned, companies with boards that do not cultivate this curiosity may leave themselves vulnerable to the “ruthless and unsparing” effect of innovation.
Aligning with your company’s new chief information security officer (CISO) is a great opportunity to provide better protection for your organization, ensure regulatory compliance, and align previously siloed teams to gain clarity on how your business will respond in the event of a cybersecurity crisis. That’s why I urge board members to initiate early communication with those directly in charge of maintaining the enterprise’s vision for security by asking questions and collaborating on cybersecurity strategies.
According to a new study from the Enterprise Strategy Group and the Information Systems Security Association a lack of alignment between the security leader and the business can contribute to high CISO turnover. This is especially true if the CISO doesn’t feel welcome to participate in the boardroom meetings with executives.
This is a two-way street, of course. Board members often lack the knowledge they need to converse with information technology (IT) and cybersecurity professionals. They also tend to lack an understanding of how these groups contribute to effective enterprise risk management. Below we go through a few tips that will help put you on the right track and align these critical parties.
Understanding Your Company’s Risk Tolerance
First, in order for the board to understand the company’s cybersecurity posture, its members need to understand what level of risk is appropriate for your company. Each company’s individual strategy for growth, innovation, and safety should determine the extent to which it manages various types of risk, be it safety risks, operational risks, environmental risks, or technology risks (keeping in mind that technology plays a role in just about every category of risk).
Cybersecurity programs need to address an expansive and ever-changing threat landscape. They should include strategies to identify how vulnerable the organization is, determine whether or not they are compromised, and enhance operational efficiencies. During the first 90 days of his or her tenure, directors should be sure to get input from the new CISO on all of these areas, as well as a documented approach to how they will monitor the overall risk to the business based on these elements.
Understanding the risk tolerance of the business is the first step, but in order to properly determine this the CISO must be able to answer several questions. And knowing which questions to ask, and how these questions relate to managing risk within the company, will go a long way toward effective cyber risk management. To get a full understanding of your company’s cybersecurity posture, and ensure your security team is focused on the right things, ask your new CISO to answer the following questions in his or her first 90-day board report.
Does our security team have a full, well-informed view of our organization’s vulnerabilities? What are our top three cyber threats? How do we identify and deal with emerging threats?
What have we learned from past cybersecurity incidents?
Does management have a clear vision of the cyber risks to our organization? Can you provide any past examples of C-suite executives supporting the cybersecurity objectives of the company?
Are we managing cyber risks in alignment with the appropriate level of risk for our company and industry?
What steps are we taking to ensure compliance with all requirements for our industry? Do we follow any cybersecurity industry best practices such as the Center for Internet Security’s Critical Controls?
What is our cybersecurity incident response plan? Do we maintain an internal and external communications plan as a component of that? Has a tabletop exercise been completed to test the effectiveness of the plan?
How is our security team collaborating with our IT and development operations teams? Look for examples of a strong security operations (SecOps) practice, such as shared data and integrated processes, helping to make security inherent within all business operations and innovation.
How are we ensuring that our partners take appropriate security measures? For example, when engaging outside firms for services, are those other companies protecting sensitive information such as our marketing strategies and customer information? How is this being enforced? This could include signing agreements and performing regular assessments of vendor security practices.
How do you measure the effectiveness of our cybersecurity program and initiatives?
What investments can we make to further reduce our risk? What do we need and why?
Encourage your board as they review the information provided by the CISO to ask for relevant specific examples and documentation. While your fellow board members might not know the underpinnings of cybersecurity, they will have a fresh point of view around the resources and implementation of these processes. For instance, a comprehensive incident response plan should be thoroughly documented and readable for all involved parties so that they are aware of their role during a security incident.
By asking the CISO these probing questions, verifying the responses, having a knowledgeable senior executive or board member sponsors, and partnering with a trusted cybersecurity advisor, your organization will have a defined understanding of its cyber risks and will be prepared to make informed investment decisions.
Only 44 percent of cybersecurity professionals surveyed by the Enterprise Strategy Group and the Information Systems Security Association believe that CISO participation with executive management and boards of directors is at the right level. Clearly, more needs to be done to inform risk-based cybersecurity decision making as well as deeper integration of SecOps into core IT and development responsibilities. How can you buck that trend?
After the 90-day report from the CISO is a perfect time to discuss the answers to these questions. Follow up with your CISO to identify areas of concern and where more support from the board or executives might be needed for them to succeed. An ongoing dialog is critical, and will fine-tune cyber-risk management. It will also allow management to make informed technology investments, identify what training needs to happen, and provide ongoing cybersecurity governance aligned to risk tolerance and business goals.
The time is now for boards to improve the quality of dialogue with CISOs. Initial conversations and expectation-setting will minimize the possibility of overlooking cyber risk that could be detrimental to the corporation and its shareholders, while also making sure that everyone involved in the oversight of security gets on the same page.
Corey E. Thomas is CEO of Rapid7. Read more of his insights here.
Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk also must continually adapt. Throw in the new European General Data Protection Regulation and it’s clear now is the time to be discussing these issues.
Oversight responsibility for cybersecurity has become a board-level responsibility. However, what cybersecurity actually means for a business is often still something of a mystery to some in this position.
Some corporate directors struggle to answer questions such as:
What is our ability to prevent, detect, contain and respond to a cyberattack?
How should our internal departments, such as information technology, legal, and communications—work together when an incident occurs?
What is our overall risk tolerance?
How does our level of preparedness compare to our competitors?
What is the potential impact of a cyber incident to our balance sheet?
What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?
After last year’s major ransomware attacks, business interruption has become a topic for discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars attributed to business, or network, disruption. But there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.
One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.
There is a misconception about what cyber insurance actually is, and almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thoughts before our meeting were along the lines of, “if we purchase cyber insurance, we do not need to invest in a cyber security program any longer. After all, we will be insured.”
Even though such a statement is issued infrequently, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.
In a nutshell, traditional cyber insurance is aimed at dealing with the financial impacts associated with a security or privacy event, including direct costs with managing the event, loss of income, paying extortion demands, as well as liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.
Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.
It’s also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not negate the need for good security controls. In fact, some policies may require demonstration of certain best practices in cybersecurity in order to provide indemnification. In order for organizations to effectively manage cyber risk, they should have both an effective security program and insurance in place for when defenses fail.
Like all other risks, it is important to look at cyber risks as a continuous cycle of management, not just a one-time risk mitigation exercise. The cycle is one of determining the current risk posture, by looking at the likelihood of cyber threats and the impacts, as well as the current security controls in place.
Based on the internally-determined risk appetite, if certain risks are considered to be above the threshold, they need to be mitigated by additional controls. Once completed, this cycle will be carried out continuously, as the lyrics to “The Windmills of Your Mind” suggest.
As is the nature of risk, it is almost impossible to eradicate it completely, and there is always a residual risk. It is this residual risk that is picked up by cyber insurance, a necessity even for the most resilient among us.