In 2015, Chrysler issued a 1.4 million-vehicle recall to plug a security hole that could enable hackers to take over a car remotely. It’s the frightening reality that internet-connected systems in cars can present new vulnerabilities, which only stand to get worse as such systems proliferate and cars become more autonomous.
Reacting to this danger, Michigan lawmakers initially introduced legislation to make car hacking punishable by up to life in prison. But cybersecurity researchers argued that hacking for testing purposes can be a good thing because it reveals vulnerabilities—as it did for Chrysler—that can then be corrected by manufacturers. Therefore, placing a blanket restriction on car hacking could interfere with keeping the public safe.
It’s only through dialogue between industry and government that such thorny policy problems can be effectively resolved. Doing so is vital to the national interest as well as to individual companies, and boards of directors can play an important role in reviewing the work being done by executives and legal counsel to connect the company to the right partners in government.
Combating Cyber Threats Together
The ever-expanding complexity of cybersecurity drives a need for those with deep expertise to engage policymakers in informed discussion. Given that the increasing adoption of connected technologies makes cybersecurity vital to everything from manufacturing to healthcare, this discussion needs to take place across industries. That’s why lawmakers and regulators rely upon experts with specific industry expertise for input, factoring this advice into their final decisions.
This presents companies across a range of industries an opportunity to engage in meaningful conversations about the threats they are seeing. The board can plan a role in encouraging that dialogue by asking its executives how they are engaging with government officials on information sharing, for instance.
Industry leaders can often spot areas for improvement in proposed regulations that others may miss due to a lack of expertise. For example, in 2013, officials aiming to stop the distribution of hacking technologies to oppressive regimes proposed broad new restrictions on cybersecurity-related software as part of the Wassenaar Arrangement, an international export control agreement.
At Rapid7, we foresaw that the new controls could actually compromise global security by blocking access by legitimate international organizations to the tools they needed to stay secure. So we joined with other cybersecurity firms and experts to publicly comment on the proposed controls. After lengthy discussion, education, and effort—so often a prerequisite for complex issues—the export controls were recently modified to create new protections and exceptions for legitimate cybersecurity activity.
Being a part of the conversation helps avoid policies that are poorly executed or one-sided. And since good policies and a strong industry are in the best interests of each country, lawmakers around the globe often welcome that dialogue.
But what’s the best way for companies to engage? And how should directors oversee work done by their companies to actively work with national and international agencies on cyber issues?
Different Levels of Engagement
Corporate boards can play an important role by ensuring that engagement is incorporated into the company’s broader risk management strategy. Companies can opt into different levels of engagement for policy advocacy, much of it at negligible cost. And while official public-private partnerships generally require more significant resources, less formal opportunities for collaboration are in no short supply.
For example, many industries, such as healthcare, transportation, and the financial sector, have established information sharing and analysis centers (ISACs), providing resources for gathering information on cyber threats, coordinating with government agencies, and disseminating critical advisories.
Another example: Before government bodies issue a policy, report, or guidance, they often solicit public input and feedback. In fact, they’re often required to consider those comments in decision making. At Rapid7, we write letters and comment on policy drafts on topics that we feel are important to the business community at large. To engage on the low end of the bandwidth scale, however, companies can also simply sign on to letters or comments that others have opened to group signatures. Directors should consider asking what the company’s plans are for engaging in such action.
The board can also push the management team to make use of available educational opportunities such as workshops. One we recently attended centered on botnets and other automated attacks. The US Department of Commerce solicited public written comments and held a workshop where the public was encouraged to lend their opinions and expertise. This and other feedback will help shape the final report and subsequent action to tackle the problem.
Engagement for the Greater Good
Cybersecurity is critically important to every major industry. Policymakers want to hear from these industries about the issues they face, and how they overcome them. This provides an opportunity for businesses, experts, and consumers to positively influence policy for the greater good. Conversely, poorly implemented policies can be ineffective, inefficient, and even harmful.
In the case of the Michigan car hacking bill, nearly two dozen cybersecurity researchers, academics, and companies wrote a letter to Michigan legislators detailing concerns about the effect of the proposed law on cybersecurity. Ultimately, the lawmakers created new protections for security research carried out in safe conditions. Without sustained engagement between the business community and policymakers, the result would have been much different.
It may require some effort and even some expenditure of resources, but it is essential that experts at companies work to assist officials with crafting well-informed and effective policies.
Corey E. Thomas is CEO of Rapid7. Read more of his insightshere.
Late last month, the US Securities and Exchange Commission (SEC) approved nonbinding guidance urging public companies to “inform investors about material cybersecurity risks and incidents in a timely fashion.” The guidance, which gives greater urgency to current cybersecurity risks, builds on an earlier document issued in 2011. In the SEC’s words, “Cybersecurity risks pose grave threats to investors, our capital markets, and our country.” A recent report from the Office of the Director of National Intelligence predicts that the world faces “imminent disruption” from cyber threats—potentially on a massive scale with “lethal” consequences.
Meanwhile, not surprisingly, Congress continues to take action on cyber risk, proposing 191 bills so far on the topic.
The imperative for boardrooms to conduct sound cyber-risk oversight is here to stay—in the boardroom and in the halls of legislation. Luckily, resources abound for corporate directors to get up to speed on what their companies need to know and disclose while awaiting regulations and rulemaking about cyber-risk oversight.
Ubiquity of Cyber Risk
The ubiquity of cyber risk poses a fundamental operating problem for all enterprises. Most businesses today depend on digital technologies to operate, which leaves sensitive data and other assets vulnerable to cyber risk. The new Berkshire Hathaway 2017 annual report puts it well. After listing cyber threats in great detail, the report notes that “These are risks we share with all businesses.” Hacking, phishing, malware, viruses—you name it, it’s happening for all of us. Such events can present a material, existential threat to corporations, and possibly could even physically harm the people who work for them or that they serve. That is why Berkshire’s founder and leader Warren E. Buffett has stated famously that cyberattacks are the “number one problem with mankind.”
Directors on Alert
Corporate directors by and large are keenly aware of their companies’ responsibilities around cyber-risk oversight. NACD’s 2017 survey of 660 US public company boards’ members indicated that only 37 percent of directors feel “confident” or “very confident” that their company is properly secured against a cyberattack. This result, which demonstrated lower confidence in a company’s preparation for a cybersecurity incident than in 15 other risk areas, is down from 49 percent the previous year.
Does this mean that companies are less prepared? I read things differently. It means that directors are less complacent.
More directors may be realizing that cybersecurity incidents are inevitable. Directors also are learning more about the topic, with 85 percent of boards reporting at least some knowledge of the topic, up from 78 percent two years before. (In 2015, 22 percent of directors reported that their boards had no or very little knowledge of cyber risk. That dropped in 2017 to 15 percent.)
If you’re feeling either behind or a little foggy on your understanding of these risks, you might consider brushing up with these resources:
Hundreds of directors have enhanced their cybersecurity literacy through the NACD Cyber-Risk Oversight Program, offered in partnership with Ridge Global and Carnegie Mellon University’s CERT Division of the Software Engineering Institute. More than 175 corporate directors and senior executives have completed the course, the world’s first and only program of its type, while an additional 135 now enrolled in the program are progressing to complete the CERT Certificate in Cybersecurity Oversight.
NACD offers the Director’s Handbook on Cyber-Risk Oversight, published jointly with the Internet Security Alliance (ISA) and available to all regardless of NACD membership status. The handbook is the most downloaded publication in NACD history, and the only private-sector publication that has been endorsed by the Department of Homeland Security and the Department of Justice, as well as a wide variety of private-sector organizations such as the US Chamber of Commerce and the International Auditors Association.
ISA and NACD also jointly produce summits on cybersecurity exclusively for corporate boards, where recognized experts and seasoned directors share best practices. As an outgrowth of this initiative, NACD and ISA will cohost our first international dialogue, the Global Cyber Forum, in Geneva, Switzerland, in April 2018.
In all these venues, NACD’s resources on cyber-risk oversight keep driving home several key challenges:
Cyber risk is a global challenge that now threatens to undermine governments, markets, and businesses around the globe. Most cyberattacks are cross-border.
Cyber risk is also systemic, given our reliance on digital networks and devices for commercial, government, and personal use.
For corporations, cyber risk is a strategic, enterprise-wide matter demanding active board engagement. Continuous learning is a must, even for specialists, given how quickly technology and threats are evolving.
Questions to Help You Learn About Your Company’s Security Posture
In closing, I’d like to share some applicable questions shared recently with our members in our Weekend Reader e-newsletter. For your next board meeting, consider asking some of these pointed questions to begin establishing a deeper understanding of cybersecurity across the enterprise.
Which cyber risks are communicated to our company’s shareholders, and in what format?
Has our management team determined what constitutes a material cybersecurity breach?
How effective is our internal escalation process when incidents are discovered?
Have we set clear thresholds for when senior management and the board should be notified?
How is our company’s cyber-risk assessment process integrated into the overall risk-management process?
Can material risks be mitigated by insurance, and does the corporation have sufficient coverage?
Does our company’s cyberbreach response plan include an investor communications strategy?
Under what circumstances is it necessary to inform law enforcement, customers, and other relevant stakeholders?
While corporate directors have some catching up to do, we’re a community of curious, dedicated professionals. Let’s commit to continuous learning and applying that knowledge to sound cyber-risk oversight. We owe it to our shareholders, our customers, and to the security of our economy.
When it comes to innovation, boards are notorious for sending conflicting messages. They want to hear assurances of innovation and predictability from management in the same breath. Unfortunately, innovation and predictability don’t go hand-in-hand. Simply put, innovation can’t exist without risk. In fact, the two are easily understood as a marriage—they show up together and work in unison.
Those of us who work in cybersecurity—where staying ahead of adversaries can mean life or death for a company—know that better than most. We have to invest in new ideas, technologies, and processes to adapt to an ever-changing threat landscape. Such investment, like any investment, entails some risk.
We can apply lessons learned about cybersecurity innovation to just about any industry. That’s because every company needs to innovate to remain competitive, which inherently means taking risks. How much risk is enough? How much is too much? And what’s the best way to foster innovation while balancing the need to take risks with the need for predictability?
The best way to answer these questions is to develop clear processes around innovation. It all starts with good communication and diversity of viewpoints.
Talk It Through
Effective communication is key between senior leadership and the engineers and others responsible for innovation. Communication reveals ideas worth taking chances on. There are two structural processes that can work well for this that the board could suggest.
Encourage management and engineers to engage in ad-hoc sharing of observations. This means forming groups to share candid observations about what’s working and what’s not working within an organization.
At Rapid7, we pull in team members across the organization to bring a variety of perspectives to the table. I recommend creating small cross-functional teams and getting them in the habit of observing and sharing ideas to generate more innovation. This continuous dialogue pushes people to think more broadly and differently while sharing learnings that can then be reported to the board when discussing innovation.
Facilitate thought-provoking discussions. Encourage management to create thought experiments designed to spark new ideas and challenge conventional thinking. Those facilitating the conversation might start by asking, “If I gave you an unlimited amount of money to double our efficiency, what would you do?” Or, “If we were going to build a business plan to destroy our business and at the same time gain twice the profits and twice the customer loyalty, what would we do right now?”
These processes can be quite powerful in uncovering places to innovate. But in order for a leadership team and those responsible for innovation to maintain a firm grounding in the reality of the industry while also allowing room for creativity, they need a source of external truth. That means urging management to get outside of the company bubble.
Learn from the Field
To gather new ideas, people across functions should spend unmanaged time outside of the organization, bringing observations back to leadership and to their work. Spending time with customers and partners, engaging with peer groups, observing and engaging with competitors, reading, and attending conferences are all ways to gather the insights that are crucial for effective innovation. The board should challenge management to build a culture of curiosity within the company.
That said, directors should beware of herd mentality taking over the minds of management. Emulating companies that have non-sustainable positions or those in which you have too little insight into the success they are having often doesn’t play out well. Instead, encourage management to pay attention to well-performing companies in their quest for ideas that will improve your company’s position.
At Rapid7, I frame these jobs as learning. I don’t need my teams to come back with concrete action steps or specific outcomes but instead with a learning plan and details on what they saw that has the potential to transform the business over the next year.
Anything a team learns that can potentially create an advantage opens the doors to innovation. Therefore, this culture of learning should not focus only on technology, but instead on the combination of process, technology, market, and customer needs.
Create an Innovation Culture
To flourish, innovation also must be nurtured in the culture of the organization as expressed in the attitudes, beliefs, and behaviors of its people. Cultures that punish failure, demand certainty, or reward short term results kill innovation before it can even be expressed as an idea. On the other hand, cultures that emphasize learning, encourage experimentation, and focus on rewarding long-term growth behaviors tend be much better at innovation. One of the keys to this is encouraging transparency and reinforcing that it’s okay to discuss possibilities even when the path to delivery is unclear. Lastly, innovation demands an environment built on trust. When people don’t trust each other, they can’t be vulnerable and share their ideas, hopes, and aspirations. Directors should cultivate a culture of open conversation with their management team, and then encourage the same candor between management and employees across the company.
Embrace the Right Level of Risk
Many organizations pursue the minimal amount of innovation because they fear taking too big a leap and risking too much. Others may aggressively pursue transformational innovation that comes with a high degree of risk. What’s the right balance?
To make that assessment, directors and management can consider the three main levels of innovation, in order of increasing risk.
Incremental improvement innovation. You will generally have a high degree confidence about this level of innovation because others in your industry are already doing it and you have real-world observations to back up planning for those innovations.
Outside-in innovation. Somewhat riskier, this level of innovation involves implementing ideas that you are confident could be successful based on outside observation—perhaps from beyond your industry—and adapting them for your organization.
Moon shot innovation. The ultimate risk, with a potentially high-reward payoff. Think SpaceX’s success at launching a sports car to Mars in its quest to ultimately get settlers there.
For a company that’s doing well inside a stable industry, it’s most likely not wise to take a huge risk. Incremental innovation in this case may be enough, always with an oversight-focused eye on what others in the industry are doing.
A company in a more volatile industry, however, may need to get more aggressive in pursuit of game-changing innovations, with ideas borrowed from other industries. A moon shot in this case, appropriately managed and nurtured over time, may be just what’s needed. Directors should ask management to develop plans and evidence for these innovations that are clear, concise, and geared toward oversight of the project’s successful execution and value creation.
Manage the Learning Cycle
Innovation takes time, starting with the learning cycle.
In our experience, the learning cycle takes about a year, and is crucial for properly managing the risk involved in investing further. For implementation, two to four years is a good rule of thumb to start to see a return on investment. Here’s the typical timeline from idea to implementation.
Year 1: Learn a concept.
Year 2: Decide to learn more or kill it.
Year 3: Learn a few more things and try some ideas. Refine the concept.
Year 4: Get traction.
A successful organization prepares for innovation in the same way a runner prepares for a marathon. Innovations and marathons both take time, conditioning and learning the course. That includes understanding the role that risk plays in innovation. Starting with that foundation will put boards and the companies they serve on the right track for success now and into the future.
Corey E. Thomas is CEO of Rapid7. Read more of his insights here.