If you joined the National Association of Corporate Directors (NACD) for its inaugural Dancing With the Start-Ups (DWTS) competition at the 2016 Global Board Leaders’ Summit, you heard from 12 cutting-edge start-ups in the financial, energy, and health care industries. Founders and CEOs from each start-up had four minutes to pitch their companies to a panel of expert judges. NACD recently caught up with the winning companies—Vital Vio, BoostUp, and Disease Diagnostic Group—to see what they have been up to in the past seven months.
Illuminating the War on Germs
Vital Vio created a lighting system that kills bacteria using its proprietary white light continuous disinfection technology. Their products currently are used in major hospital systems, pharmacies, public restrooms, athletic facilities, and—starting in 2017—even your home.
Vital Vio’s under-cabinet light illuminated in eco-mode.
Colleen Costello, president and cofounder of Vital Vio, explained that refining Vital Vio’s disinfecting technology into VioSafe, a single LED light, was a game changer for the company, allowing it to bring the technology into the home. VioSafe lights continuously kill germs and, when used in combination with regular periodic cleaning, significantly reduce the number of germs on surfaces. “The individual LED is smaller than a thumbnail,” she noted. “This expanded the opportunities of where continuous disinfection lighting can be placed.” Some popular places for the light in the home are under cabinets in kitchens, bathrooms, and offices. These are among the most-touched surfaces, which also makes them the most likely to be covered with a multitude of bacteria.
Vital Vio began to take shape in 2012 when Costello’s grandmother contracted a MRSA infection during a routine hospital stay. Costello, who at the time was studying at Rensselaer Polytechnic Institute, did some research and found that one in 25 patients contracts a health-care-related bacterial infection in hospitals. She and a team of researchers worked to develop a better way to control bacteria levels, and Vital Vio was born.
In 2017, Costello’s focus is not only on innovation, but on identifying potential new licensees. The company is working with several strategic partners to increase utilization of Vital Vio’s technology in their products. Vital Vio also was selected as a finalist for the Edison Awards, an annual competition that honors excellence in innovation, creativity, and ingenuity in the global economy.
While Vital Vio has broadened adoption of its products, it faces new challenges. “We’ve moved from the disruptor stage to focusing on further adoption in different markets,” Costello said. “We’d like our technology to be similar to a LEED certification, so it’s a standard practice for facilities.”
Saving Money Made Simpler
Most of us have saved for a major purchase, and we know that saving isn’t easy. BoostUp is an app that helps people establish a daily savings plan and crowdsource additional savings from friends and family, making saving for those big purchases more achievable. Users are further incentivized through special offers from partners. BoostUp founder and CEO John Morgan noted that the app has about 55,000 users, typically between 18 and 34 years old. The company also sees other opportunities to engage younger savers, potentially through a parent/child joint savings relationship.
One of the new features that the BoostUp app has added is RoundUp, a microsavings tool. Savers connect their most-used credit or debit cards to the app and use them to pay for everyday purchases. RoundUp then automatically rounds each purchase price up to the nearest whole dollar and deposits the spare change into the connected BoostUp account.
Morgan suggested that this extra money can be great for vacation funds. “It’s like finding that $20 bill in the pocket of those jeans that you haven’t worn in a few months,” Morgan said. “You set the account up, go about your daily life, and six months later you have extra money in your account. It’s another night out in Vegas, or an upgrade to first class on the plane.”
Morgan noted that BoostUp is partnering with some travel companies to identify related savings incentives. BoostUp is also working with some new partners—including Redfin—and has renewed a multiyear partnership with Hyundai. A new type of partner the company hopes to engage is auto lenders. “The lenders could help consumers who have auto loans through RoundUp,” Morgan explained. “It’s setting money aside passively and getting to a point where you can skip a monthly payment because your RoundUp had enough funds to cover it or you can make an extra loan payment.”
Curing Disease Through Technology
Left to right: Mark Lewandowski, Alphonse Harris, and Founder John Lewandowski.
Using only a laser pointer and refrigerator magnets, Disease Diagnostic Group is saving lives around the globe—in fewer than five seconds and for less than five cents per patient. Disease Diagnostic’s technology screens, tracks, and diagnoses infectious diseases through a portable, reusable device. The company has focused primarily on malaria but in the past few months has broadened the scope of the technology to address a wider platform of diseases, including dengue fever. “Zika is next on our radar,” CEO and Founder John Lewandowski said.
One additional challenge Disease Diagnostic faces is finding test groups. “These diseases are rare, and it’s hard to get in touch with the right samples and the right individuals,” Lewandowski explained. “You need to find the right authorities to help you on the path toward commercialization. Sometimes you outgrow whom you are working with, or your path and priorities change.”
Over the long term, Lewandowski said he hopes that the company will continue to expand the technology to test for even more diseases. To do this, Disease Diagnostic will continue to focus on finding the right strategic partners. “To pitch a new product, you’re fighting two battles,” Lewandowski said. “One, you’re in a new market and need to convince people [to invest], and two, to prove the effectiveness of the device. On top of that, you need to prove the technique of the device as well.”
The inner working of the simple device that diagnoses malaria.
Disease Diagnostic is prepared to work through these challenges. If successful, the company is poised to be a game changer for global health. Imagine a future where more diseases could be diagnosed less expensively and effective treatment could be administered immediately. Lewandowski said that while the company is only able to work on one to two diseases at a time, the more the company is able to prove the effectiveness of its diagnostic technology, the broader its impact could be. “If we prove the business case, then we can be licensing out to flu, TB, anything a particular partner has of interest, and develop specific applications,” he said. “The solution is potentially here, and you can put it in the hands of almost anybody.”
Join Us to See the Next Generation of Stars
Back by popular demand, NACD will host its second DWTS at this year’s Global Board Leaders’ Summit on October 1 in National Harbor, MD. Participating start-ups will be announced soon. Check our website for the most up-to-date information.
This special supplement to Jim DeLoach’s recent blog post provides several questions to empower effective conversations about the state of a company’s cyber-risk oversight practices.
I recently shared several business realities that boards should consider as they oversee cybersecurity risk. These realities point to the need for companies and their boards to ensure that cyber-risk management efforts are focused, targeted, cost-effective, and continuously improving. While these realities are important to bear in mind, the board must inform its understanding of the company’s cyber-risk capabilities by asking the right questions.
Following are suggested questions that directors may consider, in the context of the risks inherent in the entity’s operations.
As a board, are we sufficiently engaged in our oversight of cybersecurity? For example:
Do we include cybersecurity as a core organizational risk requiring appropriate updates in board meetings?
Do we have someone on the board, or someone advising the board, who is the point person on this topic?
Are we satisfied that the company’s strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted?
Does the board receive key metrics or reporting that present the current state of the security program in an objective manner?
Is there a policy on securing board packets and other sensitive material communicated to directors? If not, is there potential exposure from sharing confidential information through directors’ personal and professional email accounts and free file-sharing services that are not covered by the company’s cybersecurity infrastructure?
Have we identified the most important business outcomes (both unanticipated successes of digital initiatives and adverse events) involving critical data and information assets (the crown jewels)? With respect to those outcomes occurring:
Do we know whether and how they are being managed?
Does our security strategy differentiate them from general cybersecurity?
Do we assess our threat landscape and tolerance for these matters periodically?
Are we proactive in identifying and responding to new cyber threats?
Does the company have an incident response plan? If so:
Have key stakeholders supported the development of a plan appropriate to the organization’s scale, culture, applicable regulatory obligations, and business objectives?
Have we thought about the impact specific cyber-events can have and whether management’s response plan is oriented properly and supported sufficiently?
Is the plan complemented by procedures providing instructions regarding actions to take in response to specific types of incidents? Do all the stakeholders for a planned response know their respective roles and responsibilities? Is it clear for which events the board should play a key role in overseeing the response efforts?
Are effective incident response processes in place to reduce the occurrence, proliferation, and impact of a security breach?
Are we proactively and periodically evaluating and testing the plan to determine its effectiveness? For example, does management have regular simulations to determine whether the detective capabilities in place will identify the latest attack techniques?
In the event of past significant breaches, have we made the required public disclosures and communicated the appropriate notifications to regulators and law enforcement in accordance with applicable laws and regulations?
The dialogue resulting from these questions stands to lead to improvements in cybersecurity, if any are needed. Be sure to check out my earlier blog post for further discussion of this important topic.
Cyber risk, which is among the top five risks for organizations across many industries, presents a moving target. As innovative information technology (IT) transformation initiatives expand the digital footprint, they outpace the security protections companies have in place. Security and privacy internal control structures that reduce risk to an acceptable level today will inevitably become inadequate in the future—and even sooner than many may realize.
As companies continue the battle to protect their resources, boards remain concerned with the security and availability of information systems and the protection of confidential, sensitive data. Many executives think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board engagement with cybersecurity.
Our research indicates that board engagement in information security matters is improving. In the spirit of further improvement, following are eight business realities directors should consider as they oversee cybersecurity risk.
1. The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening—it’s also about handling the upside of a company’s successful digital initiatives. As companies harvest new sources of value through digitization and business model innovation, the wise course is to plan for incredible success. Directors should ensure that the organization’s cybersecurity systems are resilient enough to handle that success.
2. It is highly probable that the company is already breached and doesn’t know it. The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening—now. Boards should be concerned about the duration of significant breaches before they are finally detected.
Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators. Simulations of likely attack activity should be performed periodically to ensure that defenses accurately detect breaches and that responses are timely. Boards should focus on the adequacy of the company’s playbook for responding, recovering, and resuming normal business operations after an incident. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in a breach’s wake.
3. The board should focus on adverse business outcomes that must be managed. While most businesses know what their crown jewels are, they forget to focus on the business outcomes they are looking to manage when they assess security. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than those developed around specific assets and systems.
For example, if an application is deemed key to business processes and is exposed to leakage of sensitive data, the security solution is often focused on the source application and the implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter. Employee users have access to the data, regularly download it, and might even e-mail it, either ignoring or forgetting the business imperative to protect it. Therefore, controls over what happens to critical data assets once downloaded cannot be ignored. IT leaders must look at information security risks holistically and consider user leakage an integral part of the adverse outcomes to be managed.
4. Cyberthreats are constantly evolving. Because the nature and severity of threats in the cybersecurity environment change incessantly, protection measures must evolve to remain ahead of the threat profile. Boards should inquire as to how the organization’s existing threat management program proactively identifies and responds to new threats to cybersecurity, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target. Directors should also insist on an assessment of the related risks resulting from major systems changes.
5. Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of adversaries, waiting and ready with an arsenal of technology, people, processes, and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short when combating the ever-changing threats to businesses. Security functions need to change the way they deliver protective services and move far beyond initiatives to create enterprise-wide awareness of cyber risk. Accordingly, boards should expect:
– A clear articulation of the current cyber risks facing all aspects of the business;
– A summary of recent cybersecurity incidents, how they were handled, and lessons learned;
– A short-term and long-term road map outlining how the company will continue to evolve its cybersecurity capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
– Meaningful metrics that provide supporting key performance and risk indicators of successful management of top-priority cyber risks.
6. Cybersecurity must extend beyond the four walls. Notable gaps in knowledge of vendors’ data security management programs and procedures currently exist between top-performing organizations and other companies—particularly in areas that might stand between an organization’s crown jewels and cyberattackers. As companies look upstream to vendors and suppliers (including second-tier and third-tier suppliers), and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors should expect management to collaborate with third parties to address cyber risk in a cost-effective manner across the value chain. Attention should also be paid to assessing insider risk, because electronic connectivity and the use of cloud-based storage and external data management blur the notion of who constitutes an “insider.”
7. Cybersecurity issues cannot dominate the IT budget. Over the past decade, IT departments have been reducing operations and maintenance costs consistently, funneling those savings to fund other priorities like security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets for innovation.
With a strained budget, it becomes critical for IT leaders to target protection investments on the business outcomes that can adversely impact the organization’s crown jewels, understand the changing threat landscape and risk tolerances, and prepare for the inevitable incidents. Without this discipline, cybersecurity will continue to consume larger portions of the IT budget. Innovation will then suffer, and the business could ultimately fail—not because a severe threat is realized, but because the spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and innovators. Therefore, as important as the imperative for sound cybersecurity practices is, directors should not allow it to stifle innovation.
8. Directors should gauge their confidence in the advice they’re receiving. While there is no one-size-fits-all solution, boards should periodically assess the sufficiency of the expertise they rely on for cybersecurity matters. There may be circumstances where the board should strongly consider adding individuals with technology experience either as members of the board or as advisers to the board.
Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. Boards of directors need to ensure the organizations they serve are undertaking focused, targeted efforts to improve their cybersecurity capabilities continuously in the face of ever-changing threats.