Last month when NACD joined the Global Network of Director Institutes (GNDI) to convene a “cyber summit,” the 200-seat event filled quickly with the key to the future: people—namely directors, chief executives, and information executives empowered to build corporate value and form a powerful bulwark against information destruction.
As information technology – including especially cyber security – rises as a board-level priority, the solution for addressing it is talent. Not every board can have a cyber expert, but today directors are all the more eager to hear from IT executives, and to consider them for ever-higher posts of company leadership. Chief technology officers, chief information officers, and chief information security officers form a “cyber-C-suite” that can make a critical difference in companies’ futures.
Every year NACD surveys corporate directors to find out their views on a number of issues, including their “leading issues” for the coming year. NACD’s governance surveys are still in the field, but preliminary data from this year’s survey shows that information technology currently ranks 14th as a board priority; and a newly added category, “cyber security risk,” currently ranks seventh. Information technology ranked tenth in 2014 and thirteenth in 2013.
The NACD’s current survey results also show that boards are gaining more cyber knowledge. Based on responses received so far this year, 37.1 percent of respondents feel that they do not receive enough information regarding cyber security and IT risk, and 27.7 percent are dissatisfied or very dissatisfied with the quality of information on these matters. This represents an improvement in the situation. In 2014, when this was a new survey question, more than half (52.1 percent) indicated a shortage of information and a little more than one-third (35.5 percent) expressed dissatisfaction with cyber information quality.
Moreover, in NACD’s ongoing survey, 13.0 percent of respondents said their boards have a “high level of knowledge” of cyber, 66.6 percent said they had “some knowledge,” and 19.7 percent said they had “little knowledge.” (Incidence of “no knowledge” was less than 1 percent.) These preliminary findings represent a slight improvement over last year, when only 10.5 percent of respondents claimed advanced knowledge.
Cyber Expert on Board?
So how do boards get cyber expertise? Is having an expert on board the answer? Not every board has room. After all, boards need to cover many areas of expertise with their available seats, and the typical board size is smaller than a dozen (8-11 is the range, depending on company size).
To get a handle on board talent recruitment, we asked directors what two attributes were most desirable for new director candidates to possess. The data collected thus far for the 2015 edition of the NACD Public Company Governance Survey shows that information technology ranked fifth, up from eighth in 2014 and up from ninth in 2013.
Preliminary survey findings – subject to change
Dos and Don’ts for Board Reports
Clearly, based on the above trends, information technology experts have an open invitation to give reports to the board – an experience that can enhance any career.
If you are an information technology expert who has an opportunity to give a report at a board meeting, here are five imperatives to consider.
Use plain English, not jargon. Present your material in clear, actionable terms.
Help the board understand the quality of leadership. This is not a time to stand out as a company savior; if the CEO is not the smartest one in the room, the company has a problem. As the recent cyber summit showed, cyber security should be viewed not as a technological issue, but as an enterprise risk that is addressed like all other risks disclosed in the MD&A. As such, the CEO is the star of this show.
Link your comments to the company’s strategy – the more concretely the better. If you work for a public company, one of the best places to find the strategy spelled out will be in the CEO’s annual letter to shareholders. As stated in a recent NACD blog, the CIO—and/or CISO or CTO—can play a significant role in strategy and tactical decisions.
Help the board prioritize the assets that can be enhanced through IT and protected through cyber security. Companies need to assess their most valuable and vulnerable points, including the potential strengths and weaknesses of third-party contractors.
Show them the money! Working with your CEO and CFO, take any opportunity offered to make the business case for a strong IT function. IT and cyber expenditures may not show up on the balance sheet as assets but they are in fact investments in the company’s future and a major contributor to financial value.
If you follow these suggestions, your company, and your career, will be the better for it!
Note: Ted Sikora, NACD Research Analyst, contributed to this report.
Corporate directors’ mindsets regarding cybersecurity fundamentally need to change. As one participant at April’s inaugural Global Cyber Summit hosted by the Global Network of Director Institutes (GNDI) noted, “We have to go from ‘is it possible we’ll be attacked?’ to ‘it’s probable;’ from ‘how much does it cost?’ to ‘how much should we invest?’; and from ‘can we control cyber threats?’ to ‘how can we keep pace?’”
In the words of another participant, “Yesterday’s approach to cyber at many companies was compliance. Today, the approach is risk management, and the imperative for the future is resiliency.” With the passage of last week’s Protecting Cyber Networks Act and National Cybersecurity Protection Advancement Act, the nation moved one step closer to greater resiliency. Both bills made clear lawmakers’ expectation that companies should share information regarding cyber breaches not just with the government, but also with each other. By sharing information about cyber hacks with peers—via information sharing and analysis centers (ISACs) or information sharing and analysis organizations (ISAOs)—and the Department of Homeland Security, companies may be able to improve their cyber defense. Experts at the summit discussed information sharing in light of the massive threat cyber-breaches pose. While information sharing is important to an effective cyber defense, corporate directors should not view it as a panacea. Instead, “it is another tool in the company’s toolbox.”
At April’s summit, the GNDI, the National Association of Corporate Directors (NACD), and the Washington Board of Trade convened more than 200 directors and cyber experts from around the world for a three-day conference to explore the board’s role in effectively overseeing their companies’ cyber defenses. Supported by AIG, the Center for Audit Quality (CAQ), and KPMG, the event provided directors the opportunity to gain insight from experts including Shawn A. Bray, director of INTERPOL Washington; Larry Clinton, president and CEO of the Internet Security Alliance; Richard Knowlton, director of the Internet Security Alliance for Europe and group corporate security director at Vodafone; Jan Hamby, rear admiral, U.S. Navy (Ret.) and chancellor of the National Defense University; Tim McKnight, chief information security officer of General Electric; and Arne Schönbohm, president of the Cyber-Security Council Germany.
Five boardroom imperatives emerged from the event:
View cybersecurity as an enterprise-wide risk issue. Without a doubt, cyber-risk poses a significant threat to companies of all shapes and sizes. From the boardroom perspective, however, it should be viewed not as a technological issue, but as an enterprise risk that is addressed like all other risks disclosed in the MD&A. “Security—not merely cybersecurity—is the key.” Directors should ensure that the company is properly structured to respond to an attack and has plans for both breach prevention and cyberattack response. And don’t be complacent. As one participant at the cyber summit advised, “If you ask management how we’re doing on cyber-risk management and they say, ‘great,’ don’t accept that as an answer.”
Identify your critical assets. Throughout the summit, speakers noted the interdependent nature of cyberattacks. No company is an island, so achieving a perimeter-defense strategy that attempts to protect the entire enterprise is virtually impossible. Instead, management must identify what assets, if breached, would bring the company down: the “crown jewels.” Directors should ensure that defense efforts identify and prioritize them. As part of this identification process, the company also can assess its most vulnerable points, making sure to account for third-party contractors’ potential weaknesses. If a vendor in your supply chain is hacked, are your assets still protected?
Ensure adequate resources for your information technology (IT) teams. Cybersecurity should be viewed as an investment in the company’s future, not as a cost center. Panelists noted a growth in the use of a chief information security officer (CISO), separate from a chief information officer (CIO). Regardless of the leadership structure employed, however, directors must remember that cybersecurity is largely a human issue. Does the C-suite have the staff and training needed to effectively defend the company against hacks? If the company is not going to develop an internal security defense program, how will it acquire one from outside? Is the IT team staffed with both technology professionals and security experts? Broadly, the company should run ongoing employee cybersecurity education programs throughout the enterprise.
De-jargon the board dialogue. The technical nature of cybersecurity can create a formidable barrier to effective board oversight. While it is critical for the board to receive reports on the company’s cyber efforts on a continuous basis, CIOs, chief technology officers (CTOs), or CISOs may deliver the reports in jargon. Panelists noted that the solution, however, is not necessarily to invite a cyber expert to sit on the board. Instead, the entire board should comprise directors who are equipped to ask the probing questions necessary for effective oversight. The board can invite experts to speak to the board on cyber issues and ask management to provide “de-jargoned” reports in clear, actionable terms.
Incorporate cyber into your strategy and every business decision. Panelists stressed the need for directors to address cyber issues proactively—starting with prevention—rather than waiting to respond to a breach. To do so, cyber should be an aspect of the front-end of business decisions: strategy, legal, and financial. Does the CIO (or CISO, CTO) play a role in strategy and tactical decisions? Does the CIO have a working relationship with the IT teams at third-party vendors? In an M&A scenario, do you assess the cyber vulnerabilities of the target company? These questions can help bring cyber-consciousness to board decisions.
For more guidance on the board’s role in cyber-risk oversight, download the NACD Cyber-Risk Oversight Handbook here. Kate Iannelli, Alexandra Lajoux, and Ashley M. Marchand contributed to this report.
It’s a mad, mad, mad, mad world—to echo a movie title from a half century ago—but it’s also a good one when nations cooperate. This is the big takeaway from the global track at NACD’s 2014 Board Leadership Conference, where representatives of nine nations convened to create a global village and to host a series of three staged programs.
The village itself featured colorful, information-rich booths where representatives from the embassies and consulates of Brazil, Canada, China, Germany, Ireland, Malaysia, Mexico, and the Russian Federation greeted trade-minded directors seeking to expand their knowledge.
In addition, the village featured a booth for the Global Network of Director Institutes (GNDI), a network of 12 director institutes (including NACD) and one confederation (ecoDa, in Europe). The GNDI booth offered an opportunity to meet incoming GNDI Chairman Stan Magidson, CEO of the Institute of Corporate Directors (ICD) from Canada; Paul Chan, the acting CEO of the Malaysian Alliance of Corporate Directors; and Simon Arcus, manager, Governance Leadership Center, Institute of Directors, New Zealand. Vicki Jordan, vice president of marketing, ICD, joined me in staffing the booth—a truly appropriate choice, as Canadians/les Canadiens are global by nature. For proof, see this new video produced at Laval University in Quebec (featuring yours truly) created for an exciting new ecoDa educational program also held in October.
The Global Village was home to a series of panels in the Global Track at the Conference. This blog offers takeaways for these dynamic panels.
Global Panel 1: Trade and Business in North America
Moderator: Dean A. Pinkert, vice chairman, U.S. International Trade Commission (USITC). Panelists: Gilles Gauthier, minister, Economic Affairs, Embassy of Canada; Francisco J. Sanchez, chairman, CNS Global; former under secretary at the Department of Commerce.
Know your trade agreement. A well-known example of a free trade agreement is the North American Free Trade Agreement (NAFTA), now 20 years old, which has been a success for all the economies. This is why it is important to support the new and emerging free trade agreements of other regions, namely the Transatlantic Trade and Investment Partnership (TTIP) and the Trans-Pacific Partnership (TPP).
Give bipartisan support to good trade agreements. Although free trade is often associated with the pro-business Republican party and opposition is often associated with the pro-union Democratic party, good trade agreements such as NAFTA get bipartisan support, including from unions—especially considering that one can always seek a trade remedy to cure imbalances.
Think beyond tariffs. If trade unfairness arises, a variety of trade remedies are available. Tariffs—charging duties on imports—are only one way to correct imbalance. Even more constructive is regulatory cooperation and harmonization of standards.
Tell your company’s story so stakeholders and the public will understand. Reatha Clark King, chair of the NACD board of directors, noted that boards need to do a better job of ensuring that companies are more forthright in disclosing information about their global nature: where they are headquartered, where they employ people, where they source their products, and where they sell their products, among other topics. By revealing their global nature, they will build more informed support for free trade.
Global Panel 2: Translating Corporate Culture Across Borders
Moderator: Dennis Whalen, partner-in-charge and executive director, KPMG’s Audit Committee Institute. Panelists: Orlando Ashford, director, ITT Corp., Executive Leadership Council, and Streetwise Partners; senior partner, Mercer; Michael Marquardt, director, Commonwealth Trust Co., Delaware Theatre Co., American Cancer Society (South Atlantic), and CEO, Global Compass Strategies Inc.
Live “la vida local.” Many companies think locally and act globally, when they must do the opposite. As a company, value your local talent; as an individual, live your local life. Companies acquiring outside their borders used to send in executives from headquarters. Now, they are more likely to hire and promote locals—including expatriates who want to stay longer on an assignment.
Check your culture and mark your calendar. One of the best examples of cultural arrogance is when we are oblivious to non-U.S. national holidays. Not all are marked on global calendars. For example, don’t try to schedule a meeting in Berlin on November 9 – when the fall of the Berlin Wall is commemorated.
Focus on outcomes. When two companies get combined, focusing solely on process may result in getting buried in protocol. Instead, focus on desirable outcomes—for example an effective workplace. This was the case for Orlando Ashford when he learned that as a matter of policy, a particular non-U.S. division of a U.S. company had collected information on blood type, then run a blood drive for an employee’s relative, and published the results, causing some disharmony at work. He changed the policy.
Insource HR. It may be tempting to ask a local company to hire your talent but it is worth your own time. While professional support can be valuable, human capital is too important to leave entirely to third parties.
Know your agents. Enacted some four decades ago, the Foreign Corrupt Practices Act (FCPA) does hold companies—and, by extension, boards—accountable for certain internal controls. Directors should ask for assurance from management that the people who are involved with selling the company’s products and services act within the boundaries of the law.
Global Panel 3: The Global Start-Up Revolution
Moderator: Andrea Bonime-Blanc, chair, Epic Theatre Ensemble; audit chair, Counterpart International; CEO and founder, GEC Risk Advisory. Panelists: Andre Averbug, founding partner, Rankpad Consulting, Inc.; Mark Little, CEO and founder, Storyful; Bernard Moon, cofounder and partner, SparkLabs Global Ventures.
Be “hyper-transparent.” In the new economy, “reputations can be lost or improved overnight.” Learn what the market wants to know about you and provide that information as soon as possible.
Look around you. Any place and every place can fuel a start-up revolution. Berlin, Dublin, Nairobi, Seoul, and Tel Aviv are all current examples. Places with a long-established rule of law are ideal for startups, but no place is off limits. In these unexpected places, new ideas are finding the capital they need to become viable businesses—often in areas that do not require a large amount of funds to launch. (Cost of entry in technology-based businesses is generally lower than in traditional industries that require manufacturing plants, for example.)
Respect Silicon Valley—and look beyond it. Silicon Valley is rightly known for the entrepreneurial ecosystem so important in the second phase of growth—a system that includes both financial capital (venture cap, angel investors, banks) and intellectual capital (fellow innovators, universities), not to mention savvy law firms. But such ecosystems are evolving elsewhere as well.
Fail better. Don’t be afraid to start a business that may fail. Panelists noted that in the U.S., bankruptcy laws can be relatively forgiving. In locations where the bankruptcy laws are harsh, changes may be under way, and adaptations are possible. Also, remember that you need not go it alone. In a climate where the new form of research and development is mergers and acquisitions, a possible option may be to sell your start-up to a larger company before a lack of funds brings the company to a halt.
Give back. If you develop a successful startup, consider investing at least part of it in other new ventures, the way Google and Facebook founders have done. You can keep the global start-up movement going. Vive la revolution!