Tag Archive: 2016-2017 Public Company Governance Survey

Why Are People Part of the Cybersecurity Equation?

Published by
Sedova_Masha

Masha Sedova

The following blog post is one installment in a series related to board oversight of corporate culture. The National Association of Corporate Directors (NACD) announced in March that its 2017 Blue Ribbon Commission—a roster of distinguished corporate leaders and governance experts—would explore the role of the board in overseeing corporate culture. The commission will produce a report that will launch during NACD’s Global Board Leaders’ Summit Oct. 1–4.

As many as 95 percent of breaches to companies’ data have a human element associated with them. It is no wonder, then, that security teams call people “the weakest link” in securing an organization and choose other investments for defense. Despite companies’ deep investments in security technology over the years, security breaches continue to increase in frequency and cost.

The conventional approach misses a significant opportunity to utilize people as a defense strategy against the ever-changing threat landscape. In fact, only 45 percent of respondents in the National Association of Corporate Director’s 2016-2017 Public Company Governance Survey reported that their boards assessed security risks associated with employee negligence or misconduct. Organizations that have fostered intentional security cultures from the boardroom to the server room have managed to transform employees into their strongest asset in defending against attacks, gaining advantages in both protecting against and detecting cyber threats.

What is security culture?

SecurityCulture

From the boardroom to the server room, people could be your greatest security asset.

Culture-competent boards and management teams understand that culture is the set of behaviors that employees do without being told. In simpler terms, it’s “the way things are done around here.” There are many sub-cultures within an organization, and security culture is one that often looks quite different from the expectations set by policy. Security culture has the power to influence the outcome of everyday business decisions, leaving an employee to judge for themselves the importance of security in a decision. For instance, some frequent questions that employees might encounter include:

  • Is it ok to release insecure code or should we test more, resulting in a delay?
  • Do I feel safe to report that I may have incorrectly shared a critical password?
  • Do I prioritize a secure vendor over a less expensive one?

Each of these decisions, when chosen without security in mind, add to the organization’s security debt. While likely that none of these decisions on their own will lead to the downfall of the organization, each risky action increases the probability of being targeted and successfully compromised by cyber-attackers. On the other hand, if the decisions to the questions presented above are chosen with a secure mindset, over time an organization can expect to see more secure code, better data handling processes, and an increased ability to detect cyberattacks, just to name a few examples. A positive, security-first culture makes it more difficult for an attacker to find and exploit vulnerabilities without detection, incentivizing a different choice in target. Directors at companies across industries should carefully evaluate whether management has established a security-first culture as part of their greater cyber-risk oversight strategy.

It is worth realizing that security-minded employees will not solve all security headaches. However, a company’s talent is an essential third leg of the business stool, partnered with technology and processes. An organization that does not invest in training and empowering its employees to prioritize security is only defending itself with two-thirds of the options available to it.

How do you practice it?

The first step boards and executives can take to shape security culture is to identify the most critical behaviors for your employees. Historically speaking, security culture programs used to be based on compliance and asked, “How many people completed a training?” or “How much time is an employee spending on education?” These are not the right questions. Instead, we should ask, “What will my people do differently after my program is in place?”

Prioritize behaviors by their impact on the security of your organization, customers, and data. Ideally this will distill down into two to three measurable actions that boards and executives can encourage employees to take in the short-term to be security minded. Most mature security culture programs have the following three capabilities to help develop these behaviors: measure, motivate, and educate.

1. Measure It is critical to have measures in place to show progress against culture change. When an organization can measure its key desired behaviors, it can start answering critical questions such as:

–  Are my campaigns effective at changing this behavior?
–  What groups are performing better? Why?
–  Has the company already met its goals? Can I focus on the next behavior?

Measuring culture is notoriously tricky because of its qualitative nature, but it can be done using measures such as the number of malware infections, incident reports, or even surveys that test for the knowledge of, and adherence to, policy and process. Surveys should also test for employees’ perception of the burden of security practices, as well as a self-assessment of individual security behavior.

2. Motivate Effective behavior change requires motivation. Spending the time explaining the purpose behind each security measure goes a long way in getting employees on board. As an example, sharing case studies of successful attacks and lessons learned helps demonstrate to employees that the threat is real and applicable to their work. Some other great ways of providing motivation to follow through on security behaviors are public recognition of outstanding behavior, gamification, or rewards for success.

3. Educate Employees cannot act to change their behavior if they are not fully trained to do so. Ensure employees have the knowledge and tools to complete the security tasks. Ideally, the information presented should be tailored by role and ability level to make it as relevant and interesting to the employee as possible. One key focus should be on educating senior executives on the trade-offs between risk and growth in a company. Consider providing scenarios based on real cyber-attacks that explore the long-term impact of risky business decisions. Add these discussions opportunities into existing leadership courses to help model security-mindset as a valued leadership trait.

Senior level engagement

While the above is a framework that boards and executives can use to drive security behavior change from the bottom up, leadership has an important role in setting the security culture as well. Executives can publicly share the value of security as an employee themselves, which will reinforce the importance they see in proper security culture to the organization and to the customers they serve. Executives should hold their businesses accountable for executing on key security behaviors and publicly call out examples that have impacted the security of the organization, either positively or negatively. Finally, boards should press executives to ensure that the focus of their people-centric security program is on the highest area of risk, not just what is easy to measure.

Masha Sedova is the co-founder of Elevate Security, a company delivering interactive and adaptive security training based on behavioral science. Before Elevate, Masha was a security executive at Salesforce.com, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers.

How Are Public Company Boards Transforming Themselves?

Published by

The National Association of Corporate Directors (NACD) released the 2016–2017 NACD Public Company Governance Survey late in 2016. The survey, which NACD has administered for two decades, helps directors affirm that their governance practices are effective, fit for purpose, and clearly communicated to shareholders. Our members find value in benchmarking their companies’ approach in areas such as board structure, composition, education, recruitment, and evaluation year over year, and they use the results to identify opportunities for improvement and validate board priorities for the coming year.

What did we learn about changes to public company governance in the previous year?

Although we did not see any seismic shifts in how public companies govern themselves, the data indicate that corporate boards are slowly adapting to heightened expectations about their contributions and performance.

Let me share 10 key takeaways from this report and illustrate some of the changes we have observed in our analysis.

Pub Co Blog Graphs-011. Overseeing Uncertainty Economic uncertainty and business-model disruption are among the top concerns for corporate boards in 2017. Respondents also report that major industry changes, growing regulatory demands, and cyberattacks will significantly affect their companies over the next 12 months. Global economic uncertainty was selected by 60 percent of respondents as one of the five trends that will have the great­est impact on their companies over the next 12 months, most likely in light of ongoing economic turbulence that includes the fallout from Brexit, emerging markets volatility, and the protectionist trade stance of the new US administration.

2. Deeper Board Engagement with Strategy Setting Growing external uncertainty seems to accelerate the momentum for increased board leadership in strategy. For more than half of boards, active involvement in the development of strategy is a goal for major improvement over the next 12 months. Recognizing that successful strategy setting and execution in this volatile environment are challenges, boards are eager to move from the traditional review-and-approve process to more active strategy engagement earlier and on an ongoing basis, allowing directors to examine underlying assumptions, competitive dynamics, and alternatives.

Pub Co Blog Graphs-023. The Tyranny of Short-Termism Maybe the most important structural barrier to board engagement in strategy setting is the intense short-term performance pressure placed on both boards and management. Seventy-five percent of respondents report that management’s focus on long-term value creation has been compromised by pressure to deliver short-term results, while 29 percent report that pressure on boards to focus on short-term performance inhibits their ability to effectively oversee long-term strategy development.

4. Risk Oversight Moves to a Higher Standard Board risk oversight is becoming a robust practice, with a large number of boards looking beyond a review of the top risks to consider the linkage between risk and strategy, the impact of incentives, and the strength of their company’s risk culture. Many boards now receive frequent reports on key components of risk management, including summaries of top risks, emerging risks, and their mitigation. According to our survey, 63 percent of them perform in-depth reviews of specific top risks. Perhaps in response to the recent corporate debacles in the auto industry and banking sector, more than 57 percent of boards now assess whether incentives used in the company’s compensation structure could inadvertently create or exacerbate risks.

Pub Co Blog Graphs-035. Struggling to Meet the Cybersecurity Challenge Directors continue to wrestle with effective oversight of cyber risk. Many of them lack confidence that their companies are properly secured and acknowledge that their boards do not possess sufficient knowledge of this growing risk. Fifty-nine percent report that they find it challenging to oversee cyber risk, and only 19 percent of respondents report that their boards possess a high level of knowledge about cybersecurity. While 37 percent of respondents feel confident and 5percent feel very confident that their company is properly secured against a cyberattack, many of their boards may lack sufficient expertise or adequate information to confidently assure that cybersecurity defenses are indeed effective.

6. Managing a Growing Board Agenda The average director time commitment has stayed relatively flat at 245 hours per year, with more time spent on preparations and less time on travel compared to last year. The average number of meetings has also remained flat. Facing ever-expanding agendas, boards struggle to effectively prioritize their scarce meeting time. When asked about time allocation over the last 12 months, more than a third of respondents indicate that their boards spent too little time on director education, executive leadership development, cyber-risk oversight, board succession planning, sustainability, CEO succession, and information technology oversight.

7. Information Rich, Insight Poor Boards receive much information from management but express concerns about the quality of that information. While directors noted an average increase of 12 hours for document review in preparation for meetings, roughly 50 percent of respondents noted a glaring need for improvement in the quality of information provided by management.

8. Increased Shareholder Engagement Boards are increasing their shareholder engagement, but their level of preparedness to address activist challenges is uneven. This year, 48 percent of respondents indicate that a representative of their board held a meeting with institutional investors over the past 12 months, compared to 41 percent in 2015. Only 25 percent of respondents have developed a written activist response plan, which may be a critical tool to effectively address a forceful challenge from an activist.

9. The Increasing Reliance On Search Firms for Director Recruitment Boards no longer primarily rely on personal networks to recruit new directors, signaling increased professionalism and a desire to tap into a wider network of candidates. For the first time since NACD began to survey its members on this issue, search firms were the leading source boards used to identify their most recently recruited director.

10. Only a Minority of Boards Conduct Individual Director Evaluations Only 31 percent of respondents report that improving the board evaluation process is an important or very important priority for their boards in the next 12 months. In fact, just 41 percent of boards now use individual board evaluations, and an even smaller number use the results of these evaluations to make decisions about replacing directors.

To learn more, visit a previous blog with an infographic of the survey’s findings

At a Glance: The Cycle of Continuous Improvement

Published by

As the bar for director performance continues its steady rise, public company boards are expected to ensure that composition, skill sets, and core processes remain fit-for-purpose. The following infographic derived from the 2016–2017 NACD Public Company Governance Survey illustrates the different mechanisms boards are using to keep board composition and director turnover attuned to the organization’s evolving needs.

For more insights, download a complimentary copy of the executive summary of the survey.

NACD Public Survey Infograph