December 1, 2022
Uber Technologies, Rockstar, Crypto.com, Microsoft Corp., and the International Committee of the Red Cross were the victims of some of the worst cyberattacks in 2022. While these are well-known organizations that were breached within less than a year of each other, experts have long recognized cybersecurity as a business essential. The Future of the American Board report from NACD identifies technological change and cybersecurity as one of the leading forces boards will face in the future. Yet, in my time as an executive, board member, and investor, I have discovered that directors often delegate oversight of the cybersecurity strategy to executives, outside consultants, or at most one board member. It is possible to take your oversight to the next level with a few simple changes.
One of the biggest pitfalls when communicating with technology professionals is using technical terms. In our buzzword-driven world, words and phrases have different meanings in management, the advertising industry, academia, and among technical experts. Take artificial intelligence (AI), machine learning, predictive algorithms, and deep learning. Academia has well-thought-out definitions for the last three and a less well-defined one for AI. The same is true for many current hot topics, from cryptocurrencies and blockchains to cloud computing and Kubernetes, an open-source system for speeding up software deployment.
As a result, strategy discussions can be challenging if everyone present uses the same terms but with different meanings. It can even become outright dangerous when each person is talking about something different but assumes everyone is on the same page.
When discussing cybersecurity and technology in the boardroom and with executives, the most important aspect is to first agree on the definition of the words and terms used. That’s especially relevant since board members should come from diverse backgrounds, which means they will by design bring varied ideas of different tech terms to the table.
If you follow the news on cybersecurity or technology in general, you will often find that a significant amount of it looks backward. The most recent breach, the last data leak, and black eyes from service downtimes will most likely get the most attention. After all, accidents and catastrophes large and small sell. It’s human nature that those risks are more likely to be on everyone’s mind. However, these are the risks that are already out there. They are known risks that have a known defense.
A strategy and strategic risk assessment, though, need to be forward-looking. They should focus on the future, considering risks that are one or even five years out. With this approach comes the obligation to consider how to best prepare for these risks.
Consequently, the board should request that executives prepare forward-looking strategies that target threats that are coming up or are still in the theoretical realm. At the same time, the board should maintain awareness that the risks might also present unexpected opportunities to differentiate the company from its competitors.
When considering all kinds of potential threats that may arise in the future, boards should always keep in mind the fact that employees and customers are the main pathways into a company’s network. Recent events significantly highlight the serious dangers of social engineering, social deception, and a lack of training. Given the reputational risks for large companies and the existential challenges smaller players face, it is surprising that security training is not pushed more in information technology (IT) governance and strategy.
We mostly hear about incidents where the breach affects a company’s customers. Yet in a connected world where overseas competitors are all too keen to access someone else’s intellectual property, these publicized cases are only the tip of the iceberg.
As long as human resources (HR), continuing education, and talent growth strategies do not encompass adequate training in cyber risks, we cannot expect most employees to change their behavior. Experts keep stressing the importance of this point again and again; therefore, boards should ensure that IT and HR have a clear focus on a security-first strategy.
In a world where rapidly changing technologies are affecting every business, boards cannot abdicate their oversight responsibilities and delegate them to experts and management. If they do, overseeing a company’s leadership becomes a simple approval process. No one will expect board members to understand the finer details of identity management, data storage, or firewalls. Yet gaining a 10,000-foot view that includes a basic understanding of standard terms, asking tough questions, and keeping an eye on the future will help boards provide valuable feedback and diverse perspectives to senior management.
A broader range of viewpoints, in turn, helps quantify and reduce risk and pays other dividends. It ensures that management takes planning seriously and may even make them aware of the next growth opportunity.
Kevin Korte, NACD.DC, is president of Univention North America.