Four Questions to Ask to Probe Your Company’s Cyber Resiliency

Published by

Kelly Bissell

Cybersecurity is the bedrock of intelligent business. Companies that hope to develop superior customer knowledge, unique insights, and proprietary intellectual property by utilizing digital capabilities will require a robust cybersecurity strategy to underpin the whole. Companies need a strategy that leads to true cyber resilience.

To create a resilient enterprise, companies must make changes in four areas: leadership and governance, funding, organizational culture, and security measurement and monitoring.

Directors and executives should be asking themselves the following questions in order to ensure that they are on the right track.

1. Leadership and governance: Do we really understand what’s at stake for the business?

CEOs and boards of directors fortunately are ramping up their engagement and accountability for cybersecurity. Most CEOs, however, have much more to do. The chief executive’s relationship with his or her chief information security officer (CISO) is critical to the right kind of engagement. The CEO’s relationship with the CISO is also important to the board’s ability to perform sound cyber-risk governance.

CISOs should have oversight of more than just the corporate office, to include functions, subsidiaries, joint ventures, and labs. They should be involved in discussions of any new business initiatives or technologies that will increase cyber risk. CEOs and boards should bring them into the inner circle to help build risk management strategies to support business goals and objectives. The bottom line is that CISOs must become business advisors to leadership and informants of business challenges and successes to boards.

2. Culture: Do we truly put security first?

A big part of embracing a security-first culture is having the right mindset. At the C-suite and board level, cyber resilience and operational performance management should go hand in hand. Security must be a strategic priority tracked and reacted to as part of the tempo of normal business management, much the same as with the profitability of business units. It is a new competence that needs to be built, just like manufacturing excellence or personalization in digital marketing.

This mindset must spread throughout the organization and serve as a spur to proper actions. Line management must understand that they have a primary objective: Protect customers’ data and the company’s digital assets and operations. Fail at this and all else is irrelevant. The same is true for the front lines.

Cultural change must be backed by action and investment, and the buck stops with the board. Ensure your board is asking management whether or not this key culture change is being made across the organization.

3. Funding: How much is the right amount?

Answering this difficult question requires breaking it into two parts:

  1. Is the company brilliant at the basics? This means properly investing to resolve challenges of any magnitude—from intruders who want to get at a particular customer, to attackers after the company’s most critical assets, whether they be data or key intellectual property that differentiates the company in the market.
  2. Is the company innovating to improve its security? The only way to lower the cost of cybersecurity (or at least slow cost increases) while improving overall capability is to innovate upon current security practices.

Getting the basics right isn’t easy. It requires understanding and preparing for the many potential intentions of cyberattackers. It also means hardening high-value assets. Companies must make it as difficult as possible for attackers and limit the damage that’s possible when they do breach the walls.

Breakthrough innovations come from many corners, including business partners, vendors, and alliances across other ecosystems. CEOs and boards should think of the startup community as their company’s route to innovation and experimentation. Once partners demonstrate how their products will integrate efficiently and drive  value in the security mission, security professionals must rapidly scale the innovations across their organizations. The CEO can empower that scaling, and the board should be asking the CEO about plans to do so.

4. Metrics and monitoring: Are we measuring for business relevance?

The metrics used in the past to measure business success won’t help in the future. For example, low, medium, and high compliance scores don’t communicate enough about business risk. Rather than information such as project plans on encryption, CEOs and board members should receive metrics on protecting customer data. Rather than metrics around patching (updating software with the latest, most secure versions), they should hear about how the integrity of production environments is being maintained. Companies need business-relevant scorecards on security.

In addition to receiving better information on more relevant metrics, CEOs and boards should improve their own monitoring and understanding of cyber threats. They need to develop muscle memory by taking part in crisis drills and working through attack scenarios. Such practice helps track improvements and lessons learned, and to be prepared to respond immediately when a threat occurs.

The Path to Cyber Resilience

CEOs and boards of big organizations that have been successful at demonstrating cyber resiliency are leading wise pivots to new strategies for security. While these pivots are essential to the survival of businesses, they do bring risks and increased attack surfaces to critical digital assets and operations. Business leaders must engage more directly to own this challenge, because in the future, the only resilient business will be one that is cyber resilient.

Basic Income: A Bold Solution to a Big Problem

Published by

Peet van Biljon

While most corporate directors in the United States are focusing on the social and business impact of recent tax reform, some of them have another economic matter on their minds: the concept of universal basic income (UBI). This is our future, says a recent article quoting Silicon Valley’s Ray Kurzweil, Google’s director of engineering. Kurzweil is not alone. Other tech luminaries such as Marc Zuckerberg and Elon Musk have expressed support for it. Meanwhile, public sector leaders from Canada to Kenya are already looking at implementing this economic model.

So, what is UBI? One way to define it is to see what it is not. It was reported recently that Finland has discontinued its year-old UBI pilot. The Finnish government’s discomfort with handing out money with no strings attached got the upper hand. (However, Finland retains its generous unemployment, free college, and universal healthcare benefits.) While Finland is abandoning unconditional income guarantees, it will be lumping all government benefits together in a single monthly sum, a universal social credit. The UK government is following a similar lump-sum approach, the so-called universal credit. But neither is a basic income.

A true UBI is both universal (i.e. paid to every citizen), and unconditional, ( i.e. recipients do not have to meet any obligations to maintain their eligibility). The tax treatment of a UBI is intended to avoid any distortions normally associated with the transition point between social benefits and wage income. This distortion can be a disincentive for benefit recipients to start working. On the other hand, UBI is tax free; only additional income from other sources like wages, called the market income, is taxed. Even as market income goes up, UBI is not taxed. Tax brackets are designed so that a gross income (UBI + market) above a certain level makes an individual a net contributor, meaning what someone pays in taxes will exceed his UBI receipts. For example, with a 33.33 percent flat income tax rate, the recipient of an annual UBI of $12,000 will reach the breakeven point when her taxable market income is $36,000, on which she will be paying $12,000 in taxes balancing out the UBI. Every dollar of market income after that makes her a net contributor of taxes. The system is startling in its simplicity.

The modern idea of a basic guaranteed income has been around since Bertrand Russell made the case for it 100 years ago, but Thomas Paine proposed a form of basic income as far back as 1797. A close variant of UBI is the negative income tax, which entails payments only to those who would be net recipients under the basic income system, like those earning less than $36,000 in the example above.

So, why are so many leaders of institutions (from government and non-governmental organizations to corporations) looking at UBI right now? It is because of the ongoing unemployment trends in recent decades. In countries such as the United States, these trends are better reflected in a 20-year low workforce participation rate and precarious employment than in unemployment claims, which are currently low. There is widespread fear that the elimination of low- and medium-skilled manufacturing and administrative jobs will accelerate as new automation technologies such as artificial intelligence (AI)  spread like brushfire through the economy.

The predictions on the worker dislocation by AI and other automation technologies are piling up: In 2013 Oxford University researchers estimated that 47 percent of U.S. jobs had a high probability of being automated by 2033. This started off a range of estimates and predictions by consultancies, think tanks, and governments. For example, late last year McKinsey estimated that by 2030 between 400 to 800 million jobs worldwide may be lost due to automation, including 73 million lost jobs in the United States. PwC in 2017 estimated that up to 38 percent U.S. jobs are vulnerable to automation by 2030. On the low end is the Organisation for Economic Cooperation and Development’s 2016 measure, which estimated that 9 percent of jobs are highly automatable and another 32 percent have a significant risk of automation. There are also optimistic estimates of millions of new jobs being created by this technology—but most such predictions only offset the job loss. They do not erase the net loss that will surely result.

Both job losses and job creation have indeed been part of previous industrial revolutions, but that does not mean serious disruption can be avoided in the transition. We could have one or more lost generations of workers before the system rights itself. Just this past month, Brookings researchers provided a grim warning that with job dislocation around 38 percent (a forecast mean), “Western democracies likely could resort to authoritarianism as happened in some countries during the Great Depression of the 1930s in order to keep their restive populations in check. If that happened, wealthy elites would require armed guards, security details, and gated communities to protect themselves, as is the case in poor countries today with high income inequality. The United States would look like Syria or Iraq, with armed bands of young men with few employment prospects other than war, violence, or theft.”

This is a bleak future we all want to avoid. What’s needed is a policy response equal in size to the disruption. UBI may be a big part of the answer, but the concept is too often met by skepticism or outright hostility from business leaders who have a distaste for anything that smells like socialism.

Concerns for personal responsibility immediately come up when UBI is discussed: Won’t it take away the incentive for people to work? Won’t some people abuse it? Perhaps no one better addressed these concerns than that paragon of free market capitalism, Milton Friedman, in a famous 1968 article titled “The Case for a Negative Income Tax: A View from the Right.” Friedman pointed out that onerous conditions for social assistance interfere with personal freedom and dignity when large numbers of government bureaucrats have to screen and police recipients to make sure they do not violate eligibility requirements. It is also highly inefficient. Friedman argued that replacing the multitude of existing welfare measures with one unconditional payment would be much more efficient, increase the incentive to work, and reduce the number of permanent poor living off government programs.

More practically, if the UBI is set at a low-enough amount, and recipients keep their after-tax income from employment, ample incentives remain for people to find work to improve their status in life. For example, the Ontario pilot UBI for individuals is set at only $13,000 US per year per individual, and $19,000 US per couple. This is hardly enough to live a life of luxury on the dole.

For the same reason, companies need not worry that a modest UBI will drive up wages for low-wage workers, because the UBI might depress the labor supply.  It may do the opposite, that is enable more people to take low-wage jobs similar to the current situation where many low-wage workers in the United States are supported by the Supplemental Nutrition Assistance Program (SNAP, previously known as food stamps) program. It is estimated that U.S. taxpayers already provide working families  with over $150 billion in annual public support through the current patchwork of state and federal programs like SNAP, Temporary Assistance for Needy Families, Medicaid, and the Children’s Health Insurance Program. By design, UBI eliminates the so-called poverty trap in which people are discouraged to take work because they may earn less from wages than from the sum of these benefits. And since everyone from the CEO to janitor will get a monthly UBI directly from the government, there is no regulatory or administrative burden for companies. Furthermore, the UBI becomes a permanent safety net for laid-off employees who have exhausted their termination and unemployment insurance benefits.

Will UBI give struggling people the opportunity to lift themselves up or will it create a permanent underclass? Preliminary anecdotal feedback from the Ontario pilot is that participants are eating healthier, retiring debt, and feeling less stressed, enabling them to focus on economic advancement. This is consistent with the so-called Maslow argument for UBI. Longitudinal data is needed to properly assess the societal welfare effects of UBI and these are scarce, which is precisely why properly designed UBI pilots should be supported. One of the only UBI-like programs to have existed for years is the payment funded by casino royalties (currently about $12,000 annually) to every member of the Eastern Band of Cherokee Indians in North Carolina. The program has been extensively studied by social scientists who found compelling benefits: a 40 percent decrease in behavioral problems among poor children to a level equal to non-poor children, and a 22 percent decrease in minor crimes which means fewer kids in jail, and higher high school graduation rates.

The last big concern is the cost burden of UBI for a country. A full-scale UBI implementation could be partially funded by absorbing many existing programs into the single universal payment. Significant savings will also come from collapsing the large government bureaucracies currently employed in administrating those programs. A tiny new bureaucracy can send every citizen a monthly check or bank transfer, and the existing tax bureaucracy (e.g., the Internal Revenue Service) will process any taxable income and payments as usual. But some incremental public spending will likely be needed, and new revenue sources found for it.

Earlier this month, Canada’s Parliamentary Budget Office estimated the cost of extending the Ontario pilot to every Canadian citizen at the current rates, net of expected savings in existing spending, to be in the order of $23 billion (Canadian). To scale this to other economies like the United States, this is roughly one per cent of gross domestic product, and could be paid for with about three additional points on the federal Canadian general sales tax (GST).

UBI is a bold new mechanism for social support. But so was unemployment insurance and Social Security in their time. There are details to be worked out, and hypotheses to be tested, before rolling out such massive programs nationwide. The best way to do that is to proceed with, and copy, controlled experiments like the current pilot in three cities in the Province of Ontario. Board members and other business leaders would do well to monitor these developments and to keep an open mind on UBI. It may just save our society from the social havoc that could be wreaked by artificial intelligence.

Peet van Biljon is founder and CEO of BMNP Strategies LLC. He advises clients on strategy, innovation, and new business building. He focuses on Industry 4.0 and transformative technologies such as artificial intelligence, digitization, fintech, and the Internet of Things. He previously managed McKinsey’s global innovation practice from 2010 to 2015. Peet is an adjunct professor at Georgetown University, where he teaches a graduate course on innovation. He co-chairs the General Principles Committee of the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems (A/IS). Peet authored a book on business ethics, Profit with a Higher Purpose, and has developed Ethics-driven Innovation, an innovation process to help clients meet the highest ethical standards. He is an electrical engineer, licensed as a professional engineer in Ontario, and also has degrees in accounting and economics. All thoughts expressed here are his own and do not necessarily reflect those of NACD.

How Does Your Board Define Age Diversity?

Published by

Paula Loop

Age diversity is an important factor to achieving diversity of thought. That’s how 91 percent of directors responded in our 2017 Annual Corporate Directors Survey. They even rated age diversity higher than any other element of diversity, including gender and race. However, we noticed that more than half (52%) of directors said they have age diversity on their board and don’t need any more of it. Herein lies the disconnect: Our definition of age diversity differs from that of most directors.

So what does age diversity mean to corporate directors? Maybe it means their board has directors who are in their 50s, 60s and 70s. Or perhaps they have one director who is 55 and one who is 80. With an average age of 63 for independent directors on S&P 500 boards (and going up), what it likely means is that they don’t have many directors who are 50 or younger. In fact, there are more directors aged 75 or older in S&P 500 boardrooms than there are 50 or under, according to our new research paper, Board composition: Consider the value of younger directors on your board. That figure demonstrates that there really isn’t a broad definition of age diversity.

To find out more about age diversity on US public company boards, we analyzed the population of directors aged 50 or under serving on boards of S&P 500 companies as of the end of 2017. We wanted to see who these directors are and what their board service looks like. What we found out is that there really aren’t many of them at all: According to our analysis of BoardEx data, directors aged 50 or under make up only 6 percent of the seats on S&P 500 company boards.

What does this mean for your board? First, if it hasn’t already, your board should consider age diversity and determine what it means for your company. Second, you might consider adding a younger director or two to the board. Most younger directors (96%) have active jobs or roles, so they can bring critical workforce skills and know-how back to the boardroom. They are more likely to have hands-on experience with newer technologies like artificial intelligence or the internet of things, technologies that companies are investing in and adopting to get ahead and stay competitive. And, in many cases, younger directors are closer to the consumers that their companies are targeting. They’re also closer to millennials, whose spending habits and workplace expectations are turning traditional marketing and human resources processes and plans on their heads.

We know that board composition and refreshment is a hot topic today, and the topic of age diversity is a good conversation for boards to have. Though there’s not one accepted dictionary definition of what age diversity is, boards may also want to develop an agreed-upon understanding about what it means to their board—and why all aspects of diversity make for healthy board discussions and better board performance.

One of the most interesting data points that came out of our new report details how companies made room for younger directors. For 62 percent of the S&P 500 board seats held by independent directors 50 and under, companies increased their board size to accommodate them. The board did not wait for traditional succession planning tools to play out, such as a director leaving the board due to retirement or term limits. Increasing board size to bring younger directors on as soon as possible indicates a real desire for and appreciation of the value those individuals would bring to the boardroom. That alone should tell you that age diversity is something to consider for your board.