American Airlines Group director Alberto Ibargüen recently led a fireside chat with the company’s CEO and Chair Doug Parker during the NACD Florida Chapter’s season kick-off event at Miami International Airport. With more than 100 in attendance, the program featured insights into the highly competitive airline industry along with some key considerations for directors.
A New Day for the Airline Industry
From left to right: Sherrill Hudson, NACD Florida Chapter Chairman; Lauren Smith, NACD Florida Chapter President: Doug Parker, American Airlines Group Inc. and American Airlines CEO and Chairman, and American Airlines director Alberto Ibargüen
From 1978 until deregulation of the airlines, the airline industry yielded no return on capital; however, since the merger of American Airlines and US Airways less than four years ago, American has generated $20 billion in profits. Three airlines—American, Delta, and United—are now leading the pack in rationalizing and leveraging the hub model to offer passenger service across the globe while generating positive returns. Parker insists this is the industry’s “new normal” and spends a great deal of time convincing constituents that the industry is not simply experiencing a temporary “up” in a long-term cycle.
Parker explained that the company must now invest in its people and its products, taking a long-term view of the business. For example, American invested in new aircraft and now has the youngest fleet of any U.S. airline. With regard to employees, many of whom are unionized, Parker raised wages in the middle of a contract term in order to fulfill his promises to them during the merger. He explained, “I use the ‘look them in the eye’ test when it comes to the 120,000 people on the American payroll,” emphasizing the importance of transparent communication with employees. Another area of investment is data protection, and the board routinely raises the issue of cyber risk.
“Never undertake a merger when there’s not a clear strategy,” cautioned Parker, when talking about the successful US Airways and American merger. Recognizing the herculean amount of work required to meld systems and go-to-market philosophies, he added, “You shouldn’t put your team through one unless two plus two will equal five, not 4.2.”
In terms of building a post-merger board, the merged company board consisted of two American board members, three US Airways board members, including Parker, and five members from the creditors’ committee. With this blended group, directors did not focus on the “this is how we did things” historical perspective, but rather the group was able to move forward as a relatively cohesive unit from the beginning.
Communication and tone at the top became priorities for the board and management after the merger as well. Parker began holding town hall-style meetings, taking questions from employees. These sessions are recorded and offered to American’s employees worldwide.
A Strategic-Asset Board Focused on the Customer Experience
Parker emphasized that by asking the right questions, the board has had an enormous impact on management, “ensuring that the team has a strategic focus.” Given the day-to-day demands of running an airline, pulling the team from those responsibilities can be challenging. Still, the board insisted on an offsite focused on strategic planning, which proved to be very valuable. “I put off the retreat for two years because we were so busy with the integration,” said Parker. “But the offsite was valuable because we were forced to articulate our strategy in a way that could be understood by others, like the teams and investors.”
American Airlines director Susan Kronick, who was in the audience, added that the board works well because it is diverse. “Our board is diverse in terms of gender, ethnicity, and, most importantly, points of view,” she said. “We have rich discussions, and everyone is moving forward together.” She added that a keen focus on the customer experience is a unifying factor. “We take the proactive perspective that the culture of the company is a competitive advantage for us with customers.”
Parker added that the board members aren’t afraid to speak up, and his job is to ensure his team is communicating well to the board. He also echoed the board’s focus on the customer.
“We are transporting people at 525 miles per hour, so we are constrained by the laws of physics,” said Parker. “But we can make sure the rest of the experience is as efficient and comfortable as possible.”
The NACD Florida Chapter would like to thank American Airlines and Miami International Airport for supporting this event and the behind-the-scenes airport tour that preceded the program.
Kimberly Simpson is an NACD regional director, providing strategic support to NACD chapters in the Capital Area, Atlanta, Florida, the Carolinas, North Texas and the Research Triangle. Simpson, a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in 2005.
Equifax is not just another organization that was breached. The company was named one of Forbes’ “World’s 100 Most Innovative Companies” for three years straight, from 2015 to 2017. The recent breach of the company’s U.S. online dispute portal web application has raised serious questions about whether boards of directors and senior management are asking the right questions about actions their organizations are taking to protect themselves from cyberthreats. Are boards probing to discover what they don’t know?
In September, Equifax announced a massive breach exposing the personal information of over 40 percent of the U.S. population. The company’s stock declined almost 14 percent after the announcement, and heads rolled over the ensuing three weeks—first the chief information officer (CIO) and chief information security officer (CISO), and then the CEO. The pervasive headline effect of this incident has been as persistent as any in memory.
There are many important aspects of cybersecurity that the board is expected to tend to, including understanding what the organization’s “crown jewels” are, business outcomes management seeks to avoid, understanding the ever-changing threat landscape, and having in place an effective incident response program, to name a few.
But this discussion is more specifically about the systems vulnerabilities we know about. That’s the elephant in the room.
The sage advice—if your flank is exposed, fortify it before you get overrun—seems to apply here. Even noncombatants understand the value of protecting exposed flanks in desperate battle. A known vulnerability is most certainly an exposed flank, particularly when sensitive data is involved.
Enter the role of software patches.
A patch is a software update installed into an existing program to fix new security vulnerabilities and bugs, address software stability issues, or add a new feature to improve usability or performance. Often a temporary fix, a patch is essentially a quick repair. While it’s not necessarily the best solution to address the problem, it gets the job done until product developers design a better solution for a subsequent product release.
The Equifax incident raises the question as to why the company didn’t implement the appropriate patch to its systems when the vulnerability was first identified. To be fair, other companies have suffered a cybersecurity event because they failed to implement a patch in a timely manner, and we have no insights into the unique circumstances at Equifax. Admittedly, patching software at a large organization with multiple, complex systems takes a considerable amount of time. But, for boards and executive teams everywhere, the Equifax episode serves as a stark reminder of the importance of understanding the company’s cybersecurity strategy and tactics to pinpoint whether they know what they need to know.
Often, in our security and privacy consulting business at Protiviti, we see companies implementing patches within 60 to 90 days of discovering a systems vulnerability. We have seen some high-risk patches not applied at all for fear of breaking legacy applications; in effect, the organization simply accepts the risk of not applying these patches and, as an alternative, works to mitigate it. Based on our experience, 30 days from release to deployment is typically the “gold standard” for the time it takes apply a patch.
Is the gold standard enough? Companies are essentially leaving themselves exposed for 30 days. Meanwhile, they may lack the advanced detection and response capabilities to detect unauthorized activity occurring during that time. Organizations with a well-designed vulnerability management program quickly patch known vulnerabilities for critical public-facing services. For example, we see companies setting service level agreement targets of 72 hours, with some striving for 24 hours or less to limit the damage of an attack.
Simply stated, boards need to inquire as to the target duration from release to deployment to shore up cybersecurity vulnerabilities and, if it’s 30 days (or more), question whether that is timely enough, especially when public-facing systems are involved and sensitive personal information is exposed. Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image cry out for this oversight.
It is vitally important to scan public-facing systems immediately upon notification of critical vulnerabilities; “same day” should be the target. In addition, patch deployment should be tracked and verified as part of a comprehensive information technology (IT) governance process. It’s not enough to merely push out a patch. A comprehensive IT governance process should confirm that the risk truly has been mitigated on a timely basis.
Directors and executives should also be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Given the increasing sophistication of perpetrators, simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and security teams can respond timely.
We know that an organization’s preparedness to reduce an incident’s impact and proliferation after it begins is an issue (i.e., the lapsed time between the inauguration of an attack and its detection is too long). Often, it takes over 100 days until suspicious activity is discovered; about 50 percent of the time, organizations learn of breaches through a third party.
In nearly every penetration test Protiviti conducts, the client authorizing the test fails to detect our test activity. Many organizations seem to think that if they outsource to a managed security service provider (MSSP), the problem will be solved —as if a box has been checked. However, we see time and again that this is not the case. Often, there are breakdowns in the processes and coordination between the company and the MSSP that result in attack activity occurring unnoticed. Not many organizations are focusing enough on this failure of detective controls to identify breach activity in a timely manner.
These two fronts—how long it takes to implement a patch, as well as detect a breach—inform the board’s cyber-risk oversight. Every organization should take a fresh look at the impact specific cybersecurity events can have and whether management’s response plan is properly oriented and sufficiently supported. For starters, directors should ensure they are satisfied with the elapsed time:
For patching identified system vulnerabilities;
Between the initiation of an attack and its ultimate discovery;
Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact; and
Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators, and law enforcement in accordance with applicable laws and regulations.
Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image beg for careful oversight.
Organizational cybersecurity is one of the biggest challenges facing companies today. The most recent in a string of headline-grabbing data breaches involved U.S. credit-reporting company Equifax, an event that exposed the private information of some 143 million customers. Grilled on Capitol Hill about the episode, Equifax’s chair and CEO said that “mistakes were made” in the company’s response to the attack, which has prompted dozens of private lawsuits and precipitated a drop in the company’s share price.
As corporate directors are ultimately responsible for their companies’ future, the urgency to address cyber risk is accelerating. There is general agreement across the C-suite that cyber risk is a top priority, according to a recent Marsh global survey regarding corporate cyber risk perception. But survey results also revealed that there is less alignment inside companies regarding how cyber risk is reported to corporate directors and about what is most important.
The Information Disconnect Between Board and C-Suite
When survey respondents were asked what type of reporting on cyber risk the board of directors received, something surprising surfaced. For every type of report we asked about, respondents who indicated they were corporate directors said they received far less information than respondents from the C-suite said they were supplying to directors.
Click to enlarge in a new window.
For example, 18 percent of surveyed directors said they received information about investment initiatives for cybersecurity initiatives. Yet 47 percent of chief risk officers, 38 percent of chief technology or information officers, and 53 percent of chief information security officers said they were already providing reports to board members on investment initiatives.
Whether it’s optimizing risk finance though insurance or other resiliency measures, such investment initiatives are critical to preparing for an attack as well as to managing an incident. Organizations need to ensure that board members are receiving—and carefully reviewing—this vital information.
Tellingly, corporate directors say the type of cyber risk reporting they most often receive consists of briefings on “issues and events experienced.” It’s clearly important for any corporate director to learn about cybersecurity incidents that the company has faced, but it is an after-the-fact activity. There are a number of reasons for boards to be most cognizant of the material they receive regarding an event that has already happened.
Click to enlarge in a new window.
The survey’s C-suite respondents listed “cyber program investment initiatives” as the type of reporting their boards were most likely to be receiving. But with fewer than one-in-five corporate directors saying they received such reports, there is an issue that needs to be addressed, especially given that understanding—and directing—corporate investment in cybersecurity is a key to building effective resiliency measures.
No Incident Can Be Completely Avoided
Many boards seem to focus their oversight on security activities over resiliency best practices. For example, a high number of corporate directors in our survey said their organization did not have a cybersecurity incident response plan. Why? The top reason cited was that “cybersecurity/firewalls are adequate for preventing cyber breaches.” C-suite respondents did not share the same view.
Click to enlarge in a new window.
As firm after firm of all sizes and across geographies have fallen prey to attacks, the belief that one can have enough defenses in place to completely avoid a cybersecurity incident has been widely debunked by real-world events. Thus, the mantra among the organizations with the most sophisticated cyber-risk management programs is: “It’s not a matter of if you will be breached, but when.”
Cyber threats are constantly evolving and the potential threat actors are multiplying. No organization is impenetrable, no matter how strong their security posture may be.
Strong Companies Are Already Preparing for GDPR
One of our key findings regarding corporate readiness involves the lead-up to the EU’s General Data Protection Regulation (GDPR), which is scheduled to take effect in May 2018.
We found that companies that are already preparing for GDPR are doing more to address cyber risk overall than those that have yet to start planning. Survey respondents who said their organizations were actively working toward GDPR compliance—or felt that they were already compliant—were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cybersecurity resiliency measures than those that had not started planning for GDPR. This is happening despite the fact that the GDPR does not showcase a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and consequence of overall cyber-risk management strength.
The most forward-looking corporate boards recognize the GDPR compliance process as an opportunity to strengthen their organizations’ overall cyber risk management posture on a much broader level, effectively transforming regulations that might previously have been viewed as a constraint as a new competitive advantage.
The lesson here—even for directors of organizations not subject to the GDPR—is that good cyber-risk oversight requires engaging on a number of fronts, both defensive and responsive. Whether it’s playing an active role in attracting highly-skilled talent, seeking cross-functional enterprise alignment on priorities, or viewing regulatory compliance as part of a holistic plan, an engaged board can make the critical difference in how a company assesses, reports on, and addresses the impact of cyber risk on the company.
To receive a copy of Marsh’s report, GDPR Preparedness: An Indicator of Cyber Risk Management, click here.