Over the next few years, the digital revolution will force many organizations to undertake radical change programs and, in some cases, completely reinvent themselves to remain relevant and competitive. Ask executives and directors what their company’s biggest threats are, and chances are the answer will include the threat of disruptive innovation. That said, is disruptive innovation sufficiently emphasized on the board agenda?
Our experience indicates that most boards do not fully grasp the opportunities and risks associated with digital transformation. There are four important activities for organizations to consider as they contemplate what digital means to their business and strategy.
1. Assess digital competencies. Protiviti’s original research has identified more than 30 competencies at which digital leaders excel. These competencies consist of empirically supported capabilities and structural characteristics that can be used to benchmark the organization. They are arrayed across six core disciplines that many traditional businesses struggle with:
vision, mission, and strategy;
management and employee culture;
organization, structure, and processes;
communication, marketing, and sales;
technology innovation and development;
and big data, analytics, and automation.
An example of a competency related to “vision, mission, and strategy” is that executive management must have a clear understanding of the potential impact of digital disruption in the industry segments in which the organization operates and be able to articulate a clear strategic vision fit for the digital age. In addition, digital strategy-setting and review should be a continuous activity for the business and in the boardroom.
Competencies can be useful when plotting the path toward digital maturity. The strategy should reflect the competencies that currently define the organization and address the absence of those which present barriers to success. This is important because the digital age is forcing organizations to radically rethink how to engage with customers and pursue design breakthroughs for improving processes and functions continuously. That means they must balance outside-the-box thinking with the practical considerations of repositioning the business. Many strategies ignore these fundamental issues, resulting in a business that is digital on the edges but not at the core. Our view is that a truly digital business has a digital core.
2. Define and refine continuously the digital vision and strategy. Organizations need to make a conscious decision about whether they are going to lead as the disrupter of the industry or, alternatively, play a waiting game, monitor the competitive landscape, and react only when necessary to defend market share. For many companies, the answer may be somewhere in between. For organizations choosing not to actively disrupt the status quo, their challenge is to be agile enough to react quickly as an early mover. Few are ready for that challenge, however.
A leader of the organization must own responsibility for understanding the competitive landscape, the opportunities emerging technologies present, and the threats to existing revenue streams. Management must frame the digital vision and the strategic initiatives supporting it around the enterprise’s core competencies. The vision must reflect the direction in which relevant digital technology is trending. It should express how technology can elevate the company’s differentiating core competencies and deliver unique customer experiences. With technology and regulations changing, and innovation happening so rapidly, the business needs to review and refine its digital priorities constantly.
3. Define the target operating model. Too often policies, processes, and organizational structures get in the way of a business becoming and remaining digital. The key is to empower, trust, and monitor people, not control them. That’s a different way of thinking for organizations rooted in “command and control” structures. The business should clearly define where it’s going in its vision and strategy, and management must recruit and train the right people while ensuring that the enterprise’s policies, processes, and systems are suitable to compete in a digital world.
Accordingly, management should define the processes, organization, talent, methodologies, and systems comprising a future operating model that remains true to the company’s identity and brand promise. In the rush to become digital, the importance of policies shouldn’t be forgotten to address risks and ethical questions leaders must consider.
With the current and future states defined, improvement plans should be developed to close the gaps based on industry best practices and reviewed with executive management and the board. The risks associated with the target state should be identified and assessed against the entity’s risk appetite. In this respect, management should be careful to avoid understating the hyper-scalable business model component of digital transformation. Digital thinking requires organizations to solve the problem of rapid growth and scalability to rely primarily on technology rather than people, as opposed to the traditional focus on scaling ahead of demand.
4. Align the organization with the needed change. Using digital technologies to improve products, services, and processes requires focus and discipline. To enable continuous or breakthrough change with confidence, buy-in must be obtained from executive management and the board for significant changes in strategy, processes, and systems. Support also is needed from business-line leaders, operating personnel, and process owners affected by the change. The communication of change and its implications must address why a digitally-focused culture is necessary for the entity to survive and thrive, and offer a compelling case that the interests of employees and the enterprise are inextricably tied to effecting change.
Depending on a director’s perspective, the exciting or worrisome truth is that the digital revolution is just getting started. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult to have the vision or foresight to anticipate the nature and extent of change. That is why every organization must chart its own digital journey.
To that end, the board should be engaged in all of the above activities, from readiness assessment to organizational alignment. When addressing digital, directors should recognize the signs of organizational short-termism and executive management’s emotional investment in traditional business models. Ultimately, the board must ask the necessary questions to encourage management to advance the enterprise’s digital journey at a pace that will sustain the company’s sources of competitive advantage and market position.
Equifax is not just another organization that was breached. The company was named one of Forbes’ “World’s 100 Most Innovative Companies” for three years straight, from 2015 to 2017. The recent breach of the company’s U.S. online dispute portal web application has raised serious questions about whether boards of directors and senior management are asking the right questions about actions their organizations are taking to protect themselves from cyberthreats. Are boards probing to discover what they don’t know?
In September, Equifax announced a massive breach exposing the personal information of over 40 percent of the U.S. population. The company’s stock declined almost 14 percent after the announcement, and heads rolled over the ensuing three weeks—first the chief information officer (CIO) and chief information security officer (CISO), and then the CEO. The pervasive headline effect of this incident has been as persistent as any in memory.
There are many important aspects of cybersecurity that the board is expected to tend to, including understanding what the organization’s “crown jewels” are, business outcomes management seeks to avoid, understanding the ever-changing threat landscape, and having in place an effective incident response program, to name a few.
But this discussion is more specifically about the systems vulnerabilities we know about. That’s the elephant in the room.
The sage advice—if your flank is exposed, fortify it before you get overrun—seems to apply here. Even noncombatants understand the value of protecting exposed flanks in desperate battle. A known vulnerability is most certainly an exposed flank, particularly when sensitive data is involved.
Enter the role of software patches.
A patch is a software update installed into an existing program to fix new security vulnerabilities and bugs, address software stability issues, or add a new feature to improve usability or performance. Often a temporary fix, a patch is essentially a quick repair. While it’s not necessarily the best solution to address the problem, it gets the job done until product developers design a better solution for a subsequent product release.
The Equifax incident raises the question as to why the company didn’t implement the appropriate patch to its systems when the vulnerability was first identified. To be fair, other companies have suffered a cybersecurity event because they failed to implement a patch in a timely manner, and we have no insights into the unique circumstances at Equifax. Admittedly, patching software at a large organization with multiple, complex systems takes a considerable amount of time. But, for boards and executive teams everywhere, the Equifax episode serves as a stark reminder of the importance of understanding the company’s cybersecurity strategy and tactics to pinpoint whether they know what they need to know.
Often, in our security and privacy consulting business at Protiviti, we see companies implementing patches within 60 to 90 days of discovering a systems vulnerability. We have seen some high-risk patches not applied at all for fear of breaking legacy applications; in effect, the organization simply accepts the risk of not applying these patches and, as an alternative, works to mitigate it. Based on our experience, 30 days from release to deployment is typically the “gold standard” for the time it takes apply a patch.
Is the gold standard enough? Companies are essentially leaving themselves exposed for 30 days. Meanwhile, they may lack the advanced detection and response capabilities to detect unauthorized activity occurring during that time. Organizations with a well-designed vulnerability management program quickly patch known vulnerabilities for critical public-facing services. For example, we see companies setting service level agreement targets of 72 hours, with some striving for 24 hours or less to limit the damage of an attack.
Simply stated, boards need to inquire as to the target duration from release to deployment to shore up cybersecurity vulnerabilities and, if it’s 30 days (or more), question whether that is timely enough, especially when public-facing systems are involved and sensitive personal information is exposed. Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image cry out for this oversight.
It is vitally important to scan public-facing systems immediately upon notification of critical vulnerabilities; “same day” should be the target. In addition, patch deployment should be tracked and verified as part of a comprehensive information technology (IT) governance process. It’s not enough to merely push out a patch. A comprehensive IT governance process should confirm that the risk truly has been mitigated on a timely basis.
Directors and executives should also be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Given the increasing sophistication of perpetrators, simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and security teams can respond timely.
We know that an organization’s preparedness to reduce an incident’s impact and proliferation after it begins is an issue (i.e., the lapsed time between the inauguration of an attack and its detection is too long). Often, it takes over 100 days until suspicious activity is discovered; about 50 percent of the time, organizations learn of breaches through a third party.
In nearly every penetration test Protiviti conducts, the client authorizing the test fails to detect our test activity. Many organizations seem to think that if they outsource to a managed security service provider (MSSP), the problem will be solved —as if a box has been checked. However, we see time and again that this is not the case. Often, there are breakdowns in the processes and coordination between the company and the MSSP that result in attack activity occurring unnoticed. Not many organizations are focusing enough on this failure of detective controls to identify breach activity in a timely manner.
These two fronts—how long it takes to implement a patch, as well as detect a breach—inform the board’s cyber-risk oversight. Every organization should take a fresh look at the impact specific cybersecurity events can have and whether management’s response plan is properly oriented and sufficiently supported. For starters, directors should ensure they are satisfied with the elapsed time:
For patching identified system vulnerabilities;
Between the initiation of an attack and its ultimate discovery;
Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact; and
Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators, and law enforcement in accordance with applicable laws and regulations.
Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image beg for careful oversight.
Organizational cybersecurity is one of the biggest challenges facing companies today. The most recent in a string of headline-grabbing data breaches involved U.S. credit-reporting company Equifax, an event that exposed the private information of some 143 million customers. Grilled on Capitol Hill about the episode, Equifax’s chair and CEO said that “mistakes were made” in the company’s response to the attack, which has prompted dozens of private lawsuits and precipitated a drop in the company’s share price.
As corporate directors are ultimately responsible for their companies’ future, the urgency to address cyber risk is accelerating. There is general agreement across the C-suite that cyber risk is a top priority, according to a recent Marsh global survey regarding corporate cyber risk perception. But survey results also revealed that there is less alignment inside companies regarding how cyber risk is reported to corporate directors and about what is most important.
The Information Disconnect Between Board and C-Suite
When survey respondents were asked what type of reporting on cyber risk the board of directors received, something surprising surfaced. For every type of report we asked about, respondents who indicated they were corporate directors said they received far less information than respondents from the C-suite said they were supplying to directors.
Click to enlarge in a new window.
For example, 18 percent of surveyed directors said they received information about investment initiatives for cybersecurity initiatives. Yet 47 percent of chief risk officers, 38 percent of chief technology or information officers, and 53 percent of chief information security officers said they were already providing reports to board members on investment initiatives.
Whether it’s optimizing risk finance though insurance or other resiliency measures, such investment initiatives are critical to preparing for an attack as well as to managing an incident. Organizations need to ensure that board members are receiving—and carefully reviewing—this vital information.
Tellingly, corporate directors say the type of cyber risk reporting they most often receive consists of briefings on “issues and events experienced.” It’s clearly important for any corporate director to learn about cybersecurity incidents that the company has faced, but it is an after-the-fact activity. There are a number of reasons for boards to be most cognizant of the material they receive regarding an event that has already happened.
Click to enlarge in a new window.
The survey’s C-suite respondents listed “cyber program investment initiatives” as the type of reporting their boards were most likely to be receiving. But with fewer than one-in-five corporate directors saying they received such reports, there is an issue that needs to be addressed, especially given that understanding—and directing—corporate investment in cybersecurity is a key to building effective resiliency measures.
No Incident Can Be Completely Avoided
Many boards seem to focus their oversight on security activities over resiliency best practices. For example, a high number of corporate directors in our survey said their organization did not have a cybersecurity incident response plan. Why? The top reason cited was that “cybersecurity/firewalls are adequate for preventing cyber breaches.” C-suite respondents did not share the same view.
Click to enlarge in a new window.
As firm after firm of all sizes and across geographies have fallen prey to attacks, the belief that one can have enough defenses in place to completely avoid a cybersecurity incident has been widely debunked by real-world events. Thus, the mantra among the organizations with the most sophisticated cyber-risk management programs is: “It’s not a matter of if you will be breached, but when.”
Cyber threats are constantly evolving and the potential threat actors are multiplying. No organization is impenetrable, no matter how strong their security posture may be.
Strong Companies Are Already Preparing for GDPR
One of our key findings regarding corporate readiness involves the lead-up to the EU’s General Data Protection Regulation (GDPR), which is scheduled to take effect in May 2018.
We found that companies that are already preparing for GDPR are doing more to address cyber risk overall than those that have yet to start planning. Survey respondents who said their organizations were actively working toward GDPR compliance—or felt that they were already compliant—were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cybersecurity resiliency measures than those that had not started planning for GDPR. This is happening despite the fact that the GDPR does not showcase a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and consequence of overall cyber-risk management strength.
The most forward-looking corporate boards recognize the GDPR compliance process as an opportunity to strengthen their organizations’ overall cyber risk management posture on a much broader level, effectively transforming regulations that might previously have been viewed as a constraint as a new competitive advantage.
The lesson here—even for directors of organizations not subject to the GDPR—is that good cyber-risk oversight requires engaging on a number of fronts, both defensive and responsive. Whether it’s playing an active role in attracting highly-skilled talent, seeking cross-functional enterprise alignment on priorities, or viewing regulatory compliance as part of a holistic plan, an engaged board can make the critical difference in how a company assesses, reports on, and addresses the impact of cyber risk on the company.
To receive a copy of Marsh’s report, GDPR Preparedness: An Indicator of Cyber Risk Management, click here.