It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begin the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.
Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.
Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. According to a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.
At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.
Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead a “death of one thousand cuts”—a slow creep of proprietary information.
Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “what forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.
Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.
Without a doubt, directorship has changed. In the last 10 years, the effects of legislation and regulatory activity such as Sarbanes-Oxley and Dodd-Frank have significantly expanded the role of the director. Taking into account the current trends of increased shareholder activism, heightened media scrutiny, emerging technologies, and disruptive innovations, it is expected that this role will continue to morph. As these shifts in the economy increase in amplitude and frequency, it is necessary for those in the boardroom to understand and prepare for the future structure of directorship—today.
With this in mind, NACD has launched NACD Directorship 2020 to help directors define and prepare for the emerging challenges and opportunities expected to impact boardrooms in five to seven years. More than an initiative, NACD Directorship 2020 extends from educational programs and roundtable exchanges to published research. Using topics informed by an advisory council composed of boardroom luminaries, academics, and governance experts, feedback from educational programs will shape ensuing research on leading practices for the future. In the coming months, several symposiums will be held across the nation, and the conversation will be continued at our annual Board Leadership Conference in October.
This week, NACD held the first of such symposiums at the Harvard Club in New York City. More than 100 directors attended the afternoon session to discuss two areas: the future state of the risk agenda, and how to select performance metrics that will engender sustainable organizational profit. The symposium was led by NACD President and CEO Ken Daly; Akamai Technologies Lead Director and Audit Committee Chairman Martin Coyne; and former Bell and Howell CEO, current NACD Director, and Northwestern University Professor Bill White. During the highly interactive sessions, questions were posed to attendees who were then able to discuss and provide thoughts among their peers. Takeaways from the event include:
Composition and resourcing are essential to navigating the current and future risks to the boardroom. With the right resources and information and the right people around the table, the boardroom can effectively engage in the critical issues.
Inherent in their role as part-time overseers, directors will always run the risk of information asymmetry: management has the full suite of information about the company’s operations that is then selected and parsed out to the board. The challenge for the board is to communicate its expectations on the type and amount of information it needs for effective oversight.
It is essential that directors trust, but verify. In the boardroom, the culture should be fostered so the executive staff feels they are able to report on the high-risk items and things that keep them up at night. To verify the information presented, directors should go beyond the C-suite, even outside the company. This can include meeting with the heads of business units, or gleaning outside sources of data.
In risk oversight, the board can informally meet with senior management and the internal audit team to develop a list of the top organizational risks. After these risks are identified, the board can have an executive session with an outside expert to gain more knowledge of the areas.
Industry experts on the board may not anticipate the disruptive technologies that have the potential to pose either a huge risk or opportunity to the company. While extremely valuable at the table, industry experts may not always be able to see beyond their acumen. Boards can recruit experts from other industries—who bring the perspective and knowledge of different risks and market forces—to serve as directors.
Total shareholder return (TSR) and financial and operational metrics reflect hindsight. These data can be bolstered with a healthy balance of “early warning” metrics derived from the company’s strategy, such as customer and employee satisfaction, dollar investment per employee, or retention.
Metrics are the operationalization of strategy. If the strategy’s underlying assumptions are flawed, however, the metrics have less significance. Is the board looking at metrics that question the strategy itself? This could include a measurement of the organization’s adaptability to changes in the marketplace.
Reputational and stakeholder risk is an area that should receive boardroom attention. Directors should encourage metrics that foster stakeholder engagement as a strategy for risk mitigation.
The long-term health of most companies is determined by their success in being innovative. The company should establish early warning metrics that monitor how its innovation systems generate sustainable cash flows.
The next NACD Directorship 2020 events will be held July 16 in Chicago and Sept. 10 in Los Angeles. Between events, NACD’s blog will feature viewpoints and research from our NACD Directorship 2020 partners—Broadridge, KPMG, Marsh & McLennan Companies, and PwC—that will take a deeper look into the emerging issues and trends that will redefine directorship.
One of the popular questions that the presidential candidates repeatedly ask is “Are we better off today than we were four years ago?” In the Forecasting the Economic Climate session, Leo Abruzzese, global forecasting director for the Economist Intelligence Unit, referenced the same question in his remarks about the U.S. economic outlook, but he also offered some answers.
Four years ago, the United States was at the beginning of the worst six months it had faced in seven years. The economy was shrinking by 4 percent, and it got worse in the first quarter of 2009. The United States economy will probably grow by 2 percent in 2012. By that standard, Abruzzese noted that we are certainly better off, but that 2 percent is “nothing to write home about.” In past years, the economy typically grew by 3 to 4 percent. “The truth is we’re all underperforming right now [the United States, Europe, etc.].”
Abruzzese then turned his focus to offering an outlook on risks and opportunities for the next two years. He noted that we are currently in a “dangerous phase.” The global economy is composed of three engines: the United States, which is still the largest economy in the world; the European Union, which is about the same size as the United States economically; and China. None of those three engines are performing as well as they should, he said. Europe is in a recession, so there is little growth, and China isn’t doing as well as usual. China’s economy is growing 7.5 percent, but they are accustomed to growing by 9 to 10 percent.
Four years after the recession, the United States is working on stimulating the economy. The Federal Reserve is turning on the printing press again and printing half a trillion dollars over the next year to get the economy going. And it’s not just in the United States; central banks in other countries are trying to stimulate the economy. All this means a couple trillion dollars are going to hit the global economy in the next 12 to 18 months.
Outlook for 2013
Abruzzese suggested that 2013 most likely won’t be better than 2012 because the financial recession is not a normal business cycle recession and takes years to work through. 2013 will be filled with slow, uneven growth, high unemployment, and less government spending. Additionally, emerging markets will see less export demand. Abruzzese noted that the employment rate has a strong impact on the economy. Seventy percent of what happens in the U.S. economy is consumer spending. If they don’t have jobs, they aren’t buying, he explained.
However, in 2014 he suggested the environment will begin to improve.
Looming Fiscal Cliff
The much-hyped fiscal cliff is expected to hit in January. Abruzzese says that the worst will not materialize, noting that if it does, it would push us back into a recession. “As dysfunctional as the political system is in the United States, whoever controls government won’t let this happen.”
China 2013 Forecast
As noted above, China’s growth has slowed. However, Abruzzese noted they are throwing fuel on the fire to stimulate the economy and beginning to see evidence it’s working. Also in play is the fact that China is becoming more of a consumer, which is good news for every other country interested in selling to them. China has already matched the United States in retail sales.
In 2007, 10 U.S. companies were in the world’s 20 largest companies by market cap. Despite the recession and slow recovery, as of last month, there were 14 U.S. companies on the list. “As long as most of the best companies in the world are still based in the United States, it gives us a reason to be optimistic,” Abruzzese said.