March 12, 2019
It’s generally accepted that the development of technology is rapidly accelerating. So too has the speed at which new technologies are integrated into our day-to-day lives. Consider this: after mobile phones were first introduced, it took 12 years before 50 million people had one. In contrast, Facebook reached that same milestone only 2 years after its debut, and the mobile phone game Pokémon Go needed only two days.
At such a pace of proliferation, it’s difficult to grasp the full ramifications of a new technology before the next wave of change comes rolling in. And if you’re a company under pressure to digitize its operations, being too aggressive about staying on the cutting edge of digital transformation can lead to potentially catastrophic risk exposures. It’s an area where board insight and oversight are especially needed, but knowing exactly how to approach the issue may not be equally clear.
This was the subject of a recent roundtable hosted by NACD in partnership with Accenture. According to Robert Kress, managing director at Accenture, there’s no single panacea.
“You need to tailor your thinking to the environment you’re working in,” he said. “So, what do you do about it? Think about leadership in governance across three key dimensions: within your organization, within your ecosystem, and within and across industries. Looking within your organization, ask: What is the scope of your CISO’s responsibility? Looking within your ecosystem, realize that every organization is more dependent on other players within your ecosystem. Many of the breaches that occur come through that channel. Look across industries because the Internet is fragile. Think about when it was created and what it was created for—and it was not designed to defend against cyberattacks. There is a lot of work needed to reinvent the Internet—and that is only going to happen if organizations are working together and working with the government.”
“I would say that it’s not as complex a picture as you have painted,” Vikram Desai, global managing director at Accenture, said in counterpoint. “I do think that while each company has a unique fingerprint, there’s a value chain associated with how businesses operate and there are simple pain points along the way. And there are some very basic things you need to get right to make it more difficult for an attacker to target you. Within industries, exchange information on best practices, work with service providers to understand the real-time status of attacks. It’s incumbent on every board member to make sure that there are techniques and exercises consistently executed [throughout the organization] to make sure the people are sensitized to these issues.”
Desai went on to underscore the importance of the chief information security officer (CISO). To begin with, selecting the right person for that role is difficult because most CISOs are technologists who lack business savvy and the ability to communicate what they know to a lay audience. Ensuring that the person who steps into that role receives the requisite training to communicate effectively with senior leaders and the board is therefore critical to his or her success. Boards should also ensure that there is a CISO succession plan in place. Generally speaking, a CISO stays with a company for about 24 months. With such high turnover, ensuring that there is a pipeline of talent within the organization that can capably fulfill the duties of that role is critical.
“Understand the role of the CISO and what you expect from that person,” Desai said. “Does the CISO have direct exposure to the board, or are they blocked by a tech person? Does the CISO understand the top business objectives for your company and how security can enable those objectives? The CISO needs to show how things can be done and what the associated risk and rewards are. If there’s alignment, you’ve got a great running start.”
Visit NACD BoardTalk later in the week for additional coverage from this event as director attendees grapple with cyber-risk oversight best practices.