Last week in Washington, D.C., directors convened at the National Association of Corporate Directors’ Spring Forum to hear experts discuss how boards can prepare for the future of American business. Panel topics ranged from oversight of emerging risks to talent development and even advertising. The common thread was clear: directors will continue to be confronted with nontraditional challenges.
Case in point: The aftermath of the cyber attack at Target has made the challenge of effectively overseeing cybersecurity risk a priority. ISS recently recommended voting against seven of Target’s ten board members, alleging that those directors inadequately prepared for data risks. Many are looking to the retailer’s tribulations as a sign of things to come: Directors may face additional scrutiny when efforts to oversee quickly evolving, highly technical risks fall short.
Instead of leaving directors anxious, panel discussions throughout the forum homed in on the following actions directors can take to prepare their companies to capitalize on, rather than capitulate to, disruptors:
Leverage Big Data. With massive data collection becoming common practice, former White House CIO Theresa Payton and other speakers suggested using data from your company’s regular web traffic in order to cull anomalous and potentially malicious network activity from baseline data traffic.
Find a Cyber Risk Tolerance. Futurist Edie Weiner said that we can only exist in a state of “cyber insecurity.” Pragmatically speaking, companies cannot fend off every attack, but they can identify their most important assets and ensure they are safeguarded. Insecurity, to some degree, has to be accepted.
Look for Long-Term Trends. Focusing on quarter-to-quarter changes might obscure the large sea change that entire industries may be facing. Erwann Michel-Kerjan, executive director at the Wharton Risk Management and Decision Processes Center, challenged attendees to do their homework before pursuing a strategy, saying that the term “black swan” is too frequently used to describe predictable catastrophes. When given appropriate thought, he said, risks can be teased out, analyzed, and planned for.
Secure the Necessary Talent. A powerhouse panel—Tucker Baily, partner at McKinsey & Co.; Earl Crane, former White House director for Federal Cybersecurity Policy; Linda Medler, former director for the capabilities and resource integration at the U.S. Cyber Command; and Krishnan Rajagopalan, managing partner at the global technology and services practice at Heidrick & Struggles—agreed on at least one point: the importance of having within the company not only people who understand the cyber and IT worlds, but people who are also able to discuss these topics with the board in simple and actionable terms.
Transparency is Here to Stay. Jeff Rosenblum, co-founder of Questus, looked through the lens of advertising to show how the connectivity of the social media age is making the machinations of every company more visible. For him, companies in the future ought to be more transparent, disclosing their thinking, actions, and the effects of those actions.
Undoubtedly, the best responses to these rising changes are evolving, becoming more efficient and effective. NACD, through its Directorship 2020 initiative and other programs, remains committed to sharing insights from thought leaders while providing a framework in which directors can better understand a world permeated with risk.
As information technology (IT) continues to evolve, so do the oversight responsibilities of corporate directors. From big data analytics to social media to cybersecurity, technology creates opportunities for companies to innovate, to create operational efficiencies, and to develop a competitive advantage.
These potential rewards can bring significant risks, however. Directors have the task of ensuring technology is integrated into both company strategy and enterprise risk management—and to do so they must first gain a deeper understanding of how technology is impacting their businesses.
The series includes insights from leading technology experts and top executives from AT&T, Citigroup, Dunkin’ Brands, Kaiser Permanente, and Oracle, among others, and focuses on critical IT areas for directors, such as:
how emerging technologies are altering the business landscape;
critical questions boards should be asking about technology;
the role of the CIO;
balancing IT risks and opportunities;
To complement the video series, NACD has additional resources, including white papers, articles, webinars, full transcripts of each video, and a discussion guide for directors who would like to take a deeper dive and bring these topics into their own boardrooms.
To watch The Intersection of Technology, Strategy, and Risk video series and access the supplemental resources, visit NACDonline.org/IT.
Cybersecurity is undoubtedly a critical aspect of board oversight, but an overwhelming majority of directors rate their and their board’s knowledge of IT risk as “in need of improvement.” More than three quarters of directors believe their personal IT knowledge could use a boost and nearly 90 percent believe the same of their board’s IT knowledge. A lack of cyber knowledge at the board level can lead to overreliance on C-suite experts and make it difficult for directors to judge an appropriate level of involvement.
Recognizing the disconnect between the need for effective cybersecurity oversight and the boardroom’s lack of IT acumen, NACD, supported by Protiviti and Dentons, convened three roundtable discussions, bringing together directors, executives, and experts in the field of cybersecurity. These meetings provided insight into the numerous and significant risks presented by cybersecurity, while experts pinpointed deficiencies in board responses to threats and possible solutions. Key statements from participants prompted NACD, Protiviti, and Dentons to address issues demanding director attention and action:
Boardroom cyber literacy: “Cyber literacy can be considered similar to financial literacy. Not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business.”
Identifying high-value information targets: “Do not just harden the perimeter, because hackers will get in. Accept that they can get in, and then design the strategy with the assumption they are already ‘inside.’”
Formulating detection and response plans: “When your company is hacked, do not start spending money like a drunken sailor.”
The human factor: “People are the constant weakness. Cybersecurity is a human issue. Often the biggest problems are caused by an inadvertent actor.”