Category: Technology

The Future-Ready Workforce: Lead the March

Published by Brian Baker

Some claim that seven million jobs will be lost, and more than half of jobs will be replaced. Others claim that 2.3 million jobs will be created, exceeding the 1.8 million that it will remove. These are just some of the forecasts pundits are making about the impact artificial intelligence (AI), automation, robotics, and more will have on jobs and the changing nature of work in the United States.

When taken together with many other forecasts, there is really only one conclusion. We really don’t know what the impact will be. What we do know is this: change is happening and it’s happening fast. And beware, we humans tend to underestimate the amount of change that will happen in the next 5 years. Don’t get caught. One of the single biggest questions the board needs to be asking of their CEOs is, “Is our workforce strategy built for the future of work?”

Despite all of the rhetoric about advanced and emerging technologies creating massive job losses, our economy will continue to function as the “human operating system” that will power organizations of all sizes. The most adept leaders will recognize advanced technologies as opportunities to unlock the full potential of humans rather than considering those technologies as simply a way to replace jobs and reduce costs. Our capacity for curiosity, customer devotion, empathy, problem-solving, relationship building, and more will be difficult to replace.

Technology, automation, robotics, AI, side-by-side with the human operating system, is the new currency in a workforce prepared for the future of work. Importantly, 62 percent of organizations rate themselves as ineffective at this type of workforce planning.

Board members in companies of all sizes should be asking, therefore, the following questions of the C-Suite.

What should our workforce look like in five and 10 years, and what is our plan to achieve that end state? So far, only one in five human resources leaders have begun implementing strategies to develop their workforce for tomorrow. While this figure is surprisingly low given the urgency with which company leaders need to act, it’s these leaders who are positioning their companies ahead of the curve and widening their competitive moat against those who choose to delay or take no action at all.

What are the external trends defining the future of work that we are harnessing for success? Which ones could prevent us from delivering on our goals? Mercer’s 2018 Global Talent Trends report is a good starting point to learn more.

Is the leadership team and workforce ready for the speed of change required to win? Only 18 percent of C-Suite leaders describe their organization as agile enough today to succeed through change.

Should we be measuring the long-term health of our company differently than just earnings or stock price given the changing nature of work? What are we doing to develop and retain talent? Does our mission statement reflect the need for customer devotion and a purpose-driven culture? How are we measuring whether or not we are delivering on our mission?

What are we doing to upskill and reskill our workforce to improve their digital literacy? Only 15 percent of company leaders consider themselves leaders of a digital organization, with 53 percent reporting they have not yet begun their journey or have a long way to go. That makes it even more surprising that only 15 percent of C-Suite leaders believe that upskilling and reskilling employees for new and changed roles, driven by digital and technology, will make a sizable difference to business performance.

Today’s board members and leaders can’t afford to wait any longer. The technology innovation curve is a hockey stick and many believe we are about to hit the elbow as AI and other technology capabilities begin to approach and surpass human intelligence. Those leaders who embrace the pace with urgency will set themselves up for accelerating growth while those who don’t will find that the notion of being able to catch up has vanished.

No business is immune, and how the workforce will morph and adjust needs to be at the center of gravity in all board room discussions. Think about these facts from the World Economic Forum:

  • 35 percent of the core skills of today could change by 2020
  • 65 percent of the jobs our own children in elementary school will be doing in the future do not yet exist

These are just a couple of data points that capture the significant change ahead. Are you ready? If you believe your C-Suite is behind in developing a workforce strategy to compete in the digital age, now is the time to leap forward. If you believe they are ahead, it’s time to invest in accelerating their march.

Brian Baker is a Partner in Mercer’s New York office and the US Digital Workforce Leader. He is focused on helping business leaders determine and build their Workforce for the Future strategy and execution plans.

Talk to Your Auditors About Cybersecurity

Published by Cindy Fornelli

If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.

Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.

The Importance of Communicating About Cybersecurity

Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.

Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”

Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.

At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.

CPA Firms and Cybersecurity: Bringing Expertise and Values

Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.

  • Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, they have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
  • Strong values. CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.

Key Topics to Discuss with Your Auditor

So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.

How the Financial Statement Auditor Considers Cybersecurity Risk

An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).

A talk with the external auditor might involve the following questions.

  1. How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
  2. If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
  3. Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
  4. What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
  5. In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?

How CPA Firms Can Assist Boards in Cyber-Risk Oversight

Although cybersecurity risk management practices are generally beyond the scope of a typical financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.

One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives.

Here are seven questions to ask CPA firms about these initiatives.

  1. How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
  2. How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
  3. What technical expertise do CPA firms possess that qualifies them to perform a readiness engagement or an examination to validate the effectiveness of controls specific to a company’s cybersecurity risk management program?
  4. The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
  5. What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
  6. What is the audit profession doing to help address cybersecurity risks from third party vendors or service providers?
  7. What other types of engagements are available to help board members with cybersecurity risk oversight?

These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.

Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.

What New Directors Should Expect from Cybersecurity Briefings

Published by Tom Turner

As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.

However, not all directors are familiar with cybersecurity operations and how to assess the associated risks. If you’re a newer member of your company’s board, you may wish to review some of the following topics that you should expect from security and risk teams in their cybersecurity presentations.

Navigating Your First Briefing

If this is your first time listening to a cybersecurity presentation at a board meeting, you can expect the chief information security officer, or CISO, to provide a short background on the company’s cybersecurity practices and how they define cybersecurity in their organization. They’ll also discuss how the board should approach oversight of cybersecurity. The most effective CISOs talk in terms of risk management, which means cutting out technical jargon and focusing on business value. They may also draw the board’s attention to cybersecurity’s impact on stock price and bottom line to establish a common language.

Below are some of the topics you can expect to be reviewed:

  • How the company generally approaches cybersecurity, including the organizational structure.
  • The company’s security performance benchmarked against industry peers.
  • Risks to the company’s cybersecurity environment.
  • The types of data that security teams think are most critical or sensitive to your company’s continued operations.
  • The critical operations that could be impacted by a cyber incident.
  • Some of the key external threats, insider threats, and third-party risks the CISO believes the company faces. This may include examples of cyber incidents that have occurred in other organizations in your sector or beyond.
  • How they envision board member involvement in cyber-risk oversight, and for which types of issues the board should be involved in the response.
  • The cybersecurity and risk management programs the organization has in place.
  • How employees are trained on security internally.
  • The cybersecurity policies the company has in place today and the effectiveness of compliance with those policies.
  • The type of information they plan to share in future presentations.

What to Expect Going Forward

Now that you’ve experienced your first cybersecurity presentation as a board member, you can expect that the CISO will continuously educate you and the rest of the board on critical issues. You can expect to be briefed on the effectiveness of the risk management tactics the company is employing. In other words, you should know where and how the company is succeeding or failing (and how that compares to previous quarters), as well as any areas that need strategic improvement.

Here are some topics you can expect from the CISO in their ongoing security presentations to you and the rest of the board:

  • Technology that the company has purchased and integrated—with a focus on what it is doing for the organization.
  • Technology the CISO wants to purchase and why.
  • The accountability metrics the security team has created, categorized in the following ways, and followed by questions directors should ask the reporting CISO:
    • Audit & Compliance Metrics
      • Are we ISO-27001 compliant?
      • Do we have a vendor risk management program?
      • Do we have any outstanding high-risk findings open from our last audit or assessment?
      • What percentage of the NIST framework are we implementing?
    • Operational Effectiveness Metrics
      • How quickly can we remove employee network access?
      • How quickly can we (or our vendors) identify and respond to incidents?
      • What percentage of our users click on spear-phishing training emails?
      • How did we compare to our peers across certain time spans?

There is a lot to consider and process when listening to an effective cybersecurity presentation. Be sure to prepare yourself beforehand so that you know what to expect and can contribute to future meetings accordingly.


Tom Turner is CEO and President of BitSight.