
The Boardroom Reality of Cyberattacks

It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begin the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.

Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations who are targeted in attacks. A recent Verizon report on data breaches found that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.

Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. According to a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.

At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.

  • Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
  • Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
  • Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead by a “death of one thousand cuts”—a slow creep of proprietary information.
  • Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
  • Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
  • Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “what forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.

Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.

Technology In the Boardroom

Add another skill to the list of qualities every director should possess: technological literacy. Technology-specific issues can get short shrift in the boardroom, because most directors lack “expertise” in the field. However, stories constantly appear about the pervasiveness of technology, an area no longer reserved for companies such as Google, Apple or Microsoft. Just this week, it was revealed that some smartphones track and collect user location, and there was a potential security breach at a popular online game platform.

It would be unfathomable for a director to ignore a discussion about the company’s financials because he or she is not an “audit expert.” Technology should be viewed in the same manner. The topic of IT risk oversight has been covered recently both on this blog and in a recent NACD white paper, “Taming Information Technology Risk: A New Framework for Boards of Directors,” published in collaboration with Oliver Wyman. This white paper details four areas of IT risk a firm could be exposed to:

  • Competitive risk
  • Portfolio risk
  • Execution risk
  • Service & security risk

Of the four areas mentioned, recent data has placed a spotlight on the oversight of competitive risk, or the risk of competitors getting to the market faster. According to Arbitron and Edison Research, the amount of time Americans spend consuming radio, television and the Internet increased by roughly 20 percent over the past decade, from a daily average of 6 hours and 50 minutes in 2001 to a daily average of 8 hours and 11 minutes in 2011. This dramatic increase in consumer use of technology should be considered in all strategic planning, which is consistently ranked by directors as the top boardroom priority[1].

Boards are also directly experiencing the pervasive quality of technology. A recent article from the Wall Street Journal noted the increased use of videoconferencing at the boardroom level. Videoconferencing was once avoided due to slow connections and poor visuals, but Cisco Systems has improved the technology in its “telepresence,” a system that simulates in-person meetings. Many high-profile boards use advanced videoconferencing for meetings, including American Express Co., Wal-Mart Stores Inc. and PepsiCo Inc. While virtual meetings are unlikely to create the collaborative dialogue created by in-person meetings, their use can supplement those in-person meetings, reduce travel expenses and potentially facilitate more international diversity in the boardroom.

Learn more about the risk areas and the right questions to ask in a complimentary NACD webinar on Wednesday, May 4 at 12:00 PM (ET): Board/C-Suite Interaction: Skills of the IT Team


[1] According to the 2010 NACD Public Company Governance Survey