Robert P. Silvers is a respected expert on Internet of Things security and effective corporate planning and response to cybersecurity incidents. Silvers is a partner at Paul Hastings and previously served as the Obama administration’s assistant secretary for cyber policy at the U.S. Department of Homeland Security. Silvers will speak at NACD’s 2017 Global Board Leaders’ Summit in October and NACD’s Technology Symposium in July.
Cybersecurity breaches pose a growing threat to any organization. As we’ve seen in recent years, and indeed in recent weeks, the most sophisticated companies and even governments aren’t immune from cyberattack. Ransomware has become a global menace, and payment data and customers’ personal information are routinely swiped and sold on the “dark web” in bulk. Next-generation Internet of Things devices are wowing consumers, but they are also targets, as Internet connectivity becomes standard-issue in more and more product lines.
How do directors prepare for this landscape? Everyone now acknowledges the importance of cybersecurity, but it is daunting to begin to think about implementing a cybersecurity plan because it’s technical, fast-moving, and has no “silver-bullet” solutions. Most boards now consult regularly with the organization’s information security team, but the discussions can be frustrating because it’s hard to gauge readiness and where the organization really stands in comparison to its peers. Sometimes directors confide in me, quietly and on the sidelines, that their real cybersecurity strategy is one of hope and prayer.
There are steps directors can take now to prepare for incidents so that when they occur the company’s response is well oiled. With the right resources and preparation, boards can safely navigate these difficult and unforeseen situations. Three key strategies can assist directors as they provide oversight for cybersecurity risks:
Building relationships with law enforcement officials
Having incident response plans in place (and practicing them)
Staying educated on cybersecurity trends
1. Building Relationships With Law Enforcement Officials
It’s no secret that relationships are central to success. Building the right relationships now, before your worst-case scenario happens, will help manage the situation. The Federal Bureau of Investigation is generally the lead federal investigative agency when it comes to cybercrime, and the United States Secret Service also plays an important role in the financial services and payment systems sectors.
Boards should ensure company management educates law enforcement officials from these agencies about the company’s business and potential risks. In turn, the company should ask law enforcement to keep it apprised of emergent threats in real time. There should also be designated points of contact on each side to allow for ongoing communications and make it clear whom to contact during an incident. This is critical to ensuring that the company has allies already in place in the event that a cyberattack occurs.
2. Having—and Practicing—Incident Response Plans
Directors should ask to see copies of the company’s written cyberbreach response plan. This document is essential. A good incident response plan addresses the many parallel efforts that will need to take place during a cyberattack, including:
a. Technical investigation and remediation;
b. Public relations messaging;
c. Managing customer concern and fallout;
d. Managing human resources issues, particularly if employee data has been stolen or if the perpetrator of the attack is a rogue employee;
e. Coordination with law enforcement; and
f. Coordination with regulators and preparedness for the civil litigation that increasingly follows cyberattacks.
An incident response plan is only valuable if it is updated, if all the relevant divisions within a company are familiar with it, and if these divisions have “buy in” to the process. If the plan is old or a key division doesn’t feel bound by it, the plan isn’t going to work. Directors should insist the plan be updated regularly and that the company’s divisions exercise the plan through simulated cyber incidents, often called “table-top exercises.” Indeed, table-top exercises for the board itself can be an excellent way to familiarize directors with the company’s incident response plan and its cyber posture more generally.
3. Staying Educated on Cybersecurity Trends
As your board is building relationships with law enforcement officials and preparing an incident response plan, directors should also be educating themselves on cyber risk. Cybersecurity becomes more approachable as you invest the time to learn—and it’s a fascinating subject that directors enjoy thinking about. Do you know what a breach will look like for your company? What protocols do you have in place in case something happens?
According to the 2016–2017 NACD Public Company Governance Survey, 89 percent of public company directors said cybersecurity is discussed regularly during board meetings. Since a majority of directors in the room agree that cybersecurity is worth discussing, directors should collectively and individually prioritize learning the ins and outs of cyber risks.
One easy way to stay up to date on the latest is to ask the company’s information technology security team for periodic reports of the most significant security events that the company has encountered. This will give directors a feel for the rhythm of threats the company faces day in and day out.
Another option is for directors to take a professional course and get certified. The NACD Cyber-Risk Oversight Program is a great example of a course designed to help directors enhance their cybersecurity literacy and strengthen the board’s role in providing oversight for cyber preparedness. Consider these options to keep yourself as educated and informed as possible.
The more you can prepare individually, the better off you will be when you have to provide oversight for a cybersecurity breach at your company.
Paul S. Williams is a partner in the Chicago office of Major, Lindsey & Africa, the nation’s leading executive legal search firm, and is a member of the board of directors for three public companies: Bob Evans Farms, Compass Minerals, and Essendant. He recently was named president of the NACD Chicago Chapter, and has served as the lead independent director of State Auto Financial Corp. The NACD team recently sat down with Williams to discuss his insights on board diversity and to ask him how to make the most of the 2017 Global Board Leaders’ Summit.
NACD: You are a fierce advocate for greater diversity in the boardroom. Could you tell us why diversity at the highest level of a company is so important?
Williams: As a director, I feel a sense of obligation to make sure that I am helping to pave the way for diversity on boards. Unfortunately, there have not been many people of color that have served on public company boards. I think when you step back and think of the credibility of these boards—the credibility of corporate boards with the rest of the business world and the rest of society—it’s incumbent upon us to demonstrate that diversity within companies should start with the board.
When I say that I am a staunch advocate of diversity, I don’t want to limit it to ethnic diversity. I feel strongly about gender diversity, as well as diversity of ethnicity and sexual orientation. I truly believe these boards need to be diverse in all aspects.
Boards also need to be diverse experientially. Directors can’t all be people with similar backgrounds and ways of looking at critical business issues. It’s important that the discussions in our respective boardrooms include truly diverse views.
NACD: What kind of impact do you think a diverse board has on company culture?
Williams: I think it has a tremendous impact. When a management team sees a diverse board talking the talk and walking the walk, it sends a message that the board has taken to heart the importance of diversity. As a board, we don’t want to be hypocritical. Boards without diversity undermine the management team’s ability to bring about change.
A diverse board definitely impacts corporate culture in a number of ways, starting with the commitment to diversity within the company. There’s a sense of appreciation for people who bring different perspectives. It sets a tone of progressiveness and the mandate of being open to different ideas.
Diversity as a concept is somewhat intangible. Compared with financial results, it’s harder to measure. Yet I believe a company can’t have impressive financial results without an underlying culture that is productive and effective.
NACD: How can directors learn more about the importance of diversity?
Williams: Last year I attended NACD’s Global Board Leaders’ Summit. It was uplifting to be able to go to Summit and meet a number of other diverse directors. I knew that I would be assuming leadership of the NACD Chicago Chapter and thought it would be great to meet other chapter leaders. I had heard rave reviews about the programs and I wasn’t disappointed.
The sheer number of attendees at Summit is impressive. There is such a diversity of experience and expertise at Summit. It gave me an opportunity to meet people from around the country to network with and discuss the challenges boards are facing in terms of board diversity and other challenges.
NACD: What advice would you give to someone attending Summit for the first time?
Williams: Get out of your comfort zone and meet new people. It can be tempting for people who are more introverted to stay with the people they know. Sit at a table with folks you have never met, or who are from a different part of the country, or who sit on boards that are in different industries.
Have a game plan in advance, especially in terms of programs you plan to attend. It’s important to know which programs you want to focus on.
Most importantly, have fun! Really allow yourself to enjoy the things that come up in the spur of the moment, whether it’s talking to someone that you didn’t anticipate meeting, or going up to one of the speakers after a program and asking a follow-up question.
Greg Conderacci is a personal energy expert. He teaches marketing at the Johns Hopkins University Bloomberg School of Public Health and consults on change management and corporate identity. Conderacci will speak at NACD’s 2017 Global Board Leaders’ Summit in October on the power of energy and how to harness it within your business.
Are boards keeping up with today’s fast-paced and complex business environment?
The message is clear: you cannot govern a twenty-first-century company with a twentieth-century board.
What are the traits of a high-performing, modern board? The commission says it without saying it directly. It’s energy. Underlying the challenge of keeping up are a few key facts:
You can’t get more time; there are only 24 hours in a day; and
You can get much more energy.
There’s a reason that the popularity of Starbucks, Red Bull, and a host of other energy drinks and potions is booming. Unfortunately, if your board is low on energy, serving 5-Hour Energy drinks at its meetings won’t solve the problem.
Changing the expectations for board membership will. In the past, board members were typically asked if they had the experience, insight, wisdom, expertise—and the time—to serve. While time is still important, we need to add energy to the list. Indeed, energy is one of the most important, often-ignored attributes for board members. Director skills and insights must be applied to benefit an organization. And that takes energy.
Specifically, board-level engagement demands four separate kinds of energy: physical, intellectual, emotional, and spiritual. If the board is not capable of overseeing the ever-changing priorities of the company, the board might need an energy refresh. Here’s a fast, four-part diagnostic tool to find out if your board could stand a little pick-me-up.
Physical Energy. This is the least important type of energy associated with directorship, and the one most associated with age. Can the members show up to all planned meetings and events? If yes, this basic requirement has been met.
Intellectual Energy. This is the type of value that directors are recruited to contribute. Are directors’ intellectual contributions creating long-term value for shareholders and the enterprise? Do directors willingly take on additional challenges? Will they tackle messy, complicated problems that demand creativity and resourcefulness? Are they “ahead of the curve” or just reactive? Do they stay engaged between meetings and prepare adequately before meetings?
Emotional Energy. This critical energy is often the undervalued elephant in the room. Is the boardroom atmosphere charged with good energy? Do members dread going to meetings? Do they approach difficult issues with zest, or is the board table covered with automatic negative thoughts? After inevitable conflicts are resolved, do the seeds of an ongoing feud remain? Or do they leave as an energized team?
Spiritual Energy. Are the members true to the vision, mission, and values of the organization? Are they willing to retool them, if necessary? Do they have a passion for the company’s products and services and compassion for the people who deliver them? Do they have the courage to adapt to market shocks, to admit failure, and to deal with leadership problems (including those on the board)?
For a board to be a strategic asset in the twenty-first century, directors have to do much more than put in their time. They have to help contribute the energy to “supercharge” the organization. And that’s critically important—no matter their age.