As a member of your company’s board, you know that cybersecurity is a critical risk that simply cannot be ignored, and that should be reported on regularly by the appropriate executives. According to the 2017 NACD Director’s Handbook on Cyber-Risk Oversight, 89 percent of public-company directors say cybersecurity is discussed regularly in board meetings, and 72 percent of private-company directors say the same. Most companies are clearly moving in the right direction.
However, not all directors are familiar with cybersecurity operations and how to assess the associated risks. If you’re a newer member of your company’s board, you may wish to review some of the following topics that you should expect from security and risk teams in their cybersecurity presentations.
Navigating Your First Briefing
If this is your first time listening to a cybersecurity presentation at a board meeting, you can expect the chief information security officer, or CISO, to provide a short background on the company’s cybersecurity practices and how they define cybersecurity in their organization. They’ll also discuss how the board should approach oversight of cybersecurity. The most effective CISOs talk in terms of risk management, which means cutting out technical jargon and focusing on business value. They may also draw the board’s attention to cybersecurity’s impact on stock price and bottom line to establish a common language.
Below are some of the topics you can expect to be reviewed:
How the company generally approaches cybersecurity, including the organizational structure.
The company’s security performance benchmarked against industry peers.
Risks to the company’s cybersecurity environment.
The types of data that security teams think is most critical or sensitive to your company’s continued operations.
The critical operations that could be impacted by a cyber incident.
Some of the key external threats, insider threats, and third-party risks the CISO believes the company faces. This may include examples of cyber incidents that have occurred in other organizations in your sector or beyond.
How they envision board member involvement in cyber-risk oversight and to which types of issues the board should be involved in the response.
The cybersecurity and risk management programs the organization has in place.
They type of information they plan to share in future presentations.
What to Expect Going Forward
Now that you’ve experienced your first cybersecurity presentation as a board member, you can expect that the CISO will continuously educate you and the rest of the board on critical issues. You can expect to be briefed on the effectiveness of the risk management tactics the company is employing. In other words, you should know where and how the company is succeeding or failing (and how that compares to previous quarters), as well as any areas that need strategic improvement.
Here are some topics you can expect from the CISO in their ongoing security presentations to you and the rest of the board:
Technology that the company has purchased and integrated—with a focus on what it is doing for the organization.
Technology the CISO wants to purchase and why.
The accountability metrics the security team has created, categorized in the following ways, and followed by questions directors should ask the reporting CISO:
Do we have any outstanding high-risk findings open from our last audit or assessment?
What percentage of the NIST framework are we implementing?
Operational Effectiveness Metrics
How quickly can we remove employee network access?
How quickly can we (or our vendors) identify and respond to incidents?
What percentage of our users click on spear-phishing training emails?
How did we compare to our peers across certain time spans?
There is a lot to consider and process when listening to an effective cybersecurity presentation. Be sure to prepare yourself beforehand so that you know what to expect and can contribute to future meetings accordingly.
If there is one word that is capturing the new normal pace of the age we are in, it is acceleration. We are accelerating into the digital era, thanks to the explosion of data, accessibility of cheaper computing power, and broad adoption of technologies like machine learning and the growing web of connected devices composing the internet of things. An increasing number of companies are taking advantage of these trends to develop more innovative and compelling experiences for their customers, drive better and faster decisions, streamline their operations, and proactively reduce operational risks within their eco-system.
But while digital transformation promises accelerated innovation and economic advantages, the shift often creates unprecedented challenges for many companies steeped in legacy culture, process, technology, and ways of working. Not surprisingly, business model disruption and technology disruption are ranked as the top trends impacting their company over the next 12 months by the most recent 2017–2018 NACD Public Company Governance Survey. While board members are grappling to understand the implications of these changes for their organization, they must also turn their attention to the digital literacy and preparation of the company’s workforce to prepare it to face new challenges.
One critical challenge that can’t be ignored is the company’s role in preparing its workforce for intelligent automation. The World Economic Forum’s Future of Jobs Report predicts that 7 million jobs could be lost over the next five years through redundancy, automation, or disintermediation, with the most significant losses in white-collar office and administrative roles. Others argue the job losses could be less over the long term and there is much debate among economists, historians, and think tanks on the level of job destruction and creation that will come from automation. But two things are certain: one, in the near-term, we expect much workforce force disruption; and two, as artificial intelligence algorithms increase in sophistication and computational power, the pace of intelligent automation is likely to accelerate and push the workforce to focus on higher value activities. To meet that challenge, the workforce of the future will need to acquire a new set of skills rapidly in order to interact with the future of intelligent systems.
Unfortunately, many companies aren’t entirely equipped to assess and prepare their workforce for this disruption, especially in corporate functions like finance, treasury, risk management, and human resources. Research suggests these critical functions are still struggling to understand the full scope and impact of new technologies. For example, the 2018 AFP Risk Survey, supported by Marsh & McLennan Companies’ Global Risk Center, polled over 600 senior-level treasury and finance executives. The majority of respondents to the annual survey cited artificial intelligence, robotic process automation, and data engineering as technologies that could expose their companies to some risks, including disruption to business operations and regulatory risks. Only 14 percent of the same group surveyed say they are “significantly prepared” to manage these changes effectively and more than half (54%) say they are only “moderately prepared.” Similarly, the 2017 Excellence in Risk Management report, by Marsh and the Risk & Insurance Management Society (RIMS), found an awareness gap among many risk managers on the use of disruptive technologies by their organizations. The survey also found that more than half of organizations have not conducted risk assessments for disruptive technologies.
It is clear that the need to invest in re-tooling the workforce couldn’t have come at a more critical time. At the heart of this investment should be access for the workforce to a digital literacy program. Digital literacy is notably separate from computer literacy. Rather, it should be a focused program that educates employees in emerging fields such as big data, machine learning, process automation, blockchain, and the internet of things. The program would provide practical applications that are contextual to the employee’s role.
Thanks to advancements in online technology, there is now an array of learning opportunities available to employees and to board members alike. For example, Massive Open Online Courses offered through companies like edX and Coursera offer an array of courses, as well immersive, state-of-the-art educational content developed by top technology companies. Many of these platforms cater to the needs of individual enterprises and can customize digital literacy pathways for employees based on their industry and current skillsets. A small but growing number of companies are exploring these platforms as an avenue to accelerate learning within their organization.
A subset of technology companies is also opening up access to core technology courses beyond their employee population as a way to shore up interest in the technology used at the company and to close the skills gap. Microsoft recently announced the Professional Program for Artificial Intelligence for aspiring engineers and analysts with to a basic introduction of AI to mastery of the skills needed to build deep learning models for AI solutions that exhibit human-like behavior and intelligence.
Last but not least, there are more traditional ways to close the digital literacy gap. AT&T Corp., for example, sponsors a low-cost online master’s degree in computer science from the Georgia Institute of Technology’s school of computing and offers a variety of courses to retrain its employees who work in jobs that will become obsolete, such as landline installation and repair.
The concept of digital literacy is still at an early stage, but it is a critical foundational step that companies need to take to prepare their workforce for their future. Technology is disrupting everything in its path—including the demand for, and demands on, the workforce—and it’s not slowing down. The question boards need to ask is whether their organization is prepared to oversee the transformation of their company’s workforce proactively or passively react to the inevitable technological progress that will disrupt down the road.
Leslie Chacko is a director in Marsh & McLennan Companies Global Risk Center and leads research on emerging technologies. He has over 14 years of experience in advising clients in the financial services and high tech industries at the intersection of strategy, technology and risk.
The European Union’s (EU) General Data Protection Regulation (GDPR) is causing a seismic shift in the digital information space, and, whether your company has a presence in Europe or not, the sweeping regulation likely applies. As a director in the era of bet-the-farm digital transformation, familiarity with the basics of GDPR is a must. To that end, Michael Walter and Joel Wuesthoff, experts from Protiviti and Robert Half Legal, respectively, recently presented the ins and outs of the regulation at an NACD Atlanta Chapter program.
Does GDPR even apply to my company?
Effective May 25, 2018, it probably does. The regulation is borderless and applies to all organizations—regardless of size and regardless of whether they have a physical European location—that collect and process personal data of data subjects in the EU. An EU data subject is anyone from whom personal data is collected while in the EU (i.e. data subject is not limited to someone with EU “citizenship”). For example, a skier from Colorado who buys a snowboard online while in the EU may subject the product seller to the GDPR. The rules apply to both data controllers and data processors. The range of information that is protected is quite broad, ranging from vehicle identification numbers to photos to employment information to IP addresses.
If GDPR applies, what’s the big deal?
In the U.S., personal information is often collected as a matter of course, with only an “opt out” offered to consumers. By contrast, GDPR requires that in order to collect information from EU data subjects, an affirmative “opt in” consent must be obtained that clearly specifies how the data will be used. Privacy policies must match. Then, once information is obtained, the EU data subject has the right to request that his or her data be deleted; that is, to invoke the right “to be forgotten.” Incorrect information must be corrected upon request. These rights may seem simple enough, but when data is held in multiple locations, developing a process to handle such requests may be quite difficult.
The burdens of GDPR cannot be outsourced, as companies have joint and several liability with third-party vendors. Due diligence requirements for vendors therefore will be heightened, and all in scope data processors will need to be GDPR compliant.
What if my company has a data breach or fails to comply?
In the event of a data breach involving an EU subject, the breached company has 72 hours to notify regulators and must notify EU data subjects without undue delay under certain conditions.
Fines for failure to comply with GDPR can be up to 20M Euros or four percent of an organization’s annual global turnover, whichever is higher. Further, data subjects can claim compensation for damages from breaches of their personal data.
GDPR won’t be enforced right away, will it?
The expectation is that GDPR likely will be enforced right away against global organizations that collect large volumes of personal data. However, beware. EU countries continue to hire people for enforcement of the GDPR. Also, since individuals have a right of action, it is unclear whether GDPR will be used as a manner of protest against companies that are unpopular with EU data subjects.
What should I be asking management?
The path to compliance with GDPR will require a multi-functional task force, including information technology, legal, human resources, privacy, and other functions. Directors may consider asking about the key phases of compliance:
Discovery and inventory: Have we identified high risk areas to ensure a focused approach?
Gap analysis: Have we determined exposure and prioritized compliance activities?
Compliance remediation: Are we implementing changes to achieve compliance?
Ongoing compliance: Are we prepared to provide evidence of accountability and compliance?
Boards may also want to discuss the appointment of—and ramifications of having—a data protection officer (DPO), required under GDPR for companies processing large scale data; however, bear in mind that the DPO is a unique intermediary between the regulators, the organization and the data subjects who is required to be an independent actor within the organization reporting up to the highest levels of the organization. Care must be taken prior to appointing a DPO as significant obligations attach once this decision is made.
In short, GDPR’s long reach and substantial requirements merit fulsome discussions in the boardroom, even of U.S. companies. Is your company ready?
Looking to learn more about how your board will be impacted by GDPR? Stay tuned. NACD will release an FAQ brief in May. You can also learn more from Protiviti by visiting protiviti.com/gdpr.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.