Last week in Washington, D.C., directors convened at the National Association of Corporate Directors’ Spring Forum to hear experts discuss how boards can prepare for the future of American business. Panel topics ranged from oversight of emerging risks to talent development and even advertising. The common thread was clear: directors will continue to be confronted with nontraditional challenges.
Case in point: The aftermath of the cyber attack at Target has made the challenge of effectively overseeing cybersecurity risk a priority. ISS recently recommended voting against seven of Target’s ten board members, alleging that those directors inadequately prepared for data risks. Many are looking to the retailer’s tribulations as a sign of things to come: Directors may face additional scrutiny when efforts to oversee quickly evolving, highly technical risks fall short.
Instead of leaving directors anxious, panel discussions throughout the forum homed in on the following actions directors can take to prepare their companies to capitalize on, rather than capitulate to, disruptors:
Leverage Big Data. With massive data collection becoming common practice, former White House CIO Theresa Payton and other speakers suggested using data from your company’s regular web traffic to establish a baseline, so that anomalous and potentially malicious network activity can be separated from normal traffic.
Find a Cyber Risk Tolerance. Futurist Edie Weiner said that we can only exist in a state of “cyber insecurity.” Pragmatically speaking, companies cannot fend off every attack, but they can identify their most important assets and ensure they are safeguarded. Insecurity, to some degree, has to be accepted.
Look for Long-Term Trends. Focusing on quarter-to-quarter changes might obscure the larger sea change entire industries may be facing. Erwann Michel-Kerjan, executive director at the Wharton Risk Management and Decision Processes Center, challenged attendees to do their homework before pursuing a strategy, saying that the term “black swan” is too frequently used to describe predictable catastrophes. Given appropriate thought, he said, risks can be teased out, analyzed, and planned for.
Secure the Necessary Talent. A powerhouse panel—Tucker Bailey, partner at McKinsey & Co.; Earl Crane, former White House director for Federal Cybersecurity Policy; Linda Medler, former director for capabilities and resource integration at the U.S. Cyber Command; and Krishnan Rajagopalan, managing partner of the global technology and services practice at Heidrick & Struggles—agreed on at least one point: it is critical not only to have people within the company who understand the cyber and IT worlds, but also that those employees be able to discuss these topics with the board in simple and actionable terms.
Transparency is Here to Stay. Jeff Rosenblum, co-founder of Questus, looked through the lens of advertising to show how the connectivity of the social media age is making the machinations of every company more visible. For him, companies in the future ought to be more transparent, disclosing their thinking, actions, and the effects of those actions.
Undoubtedly, the best responses to these rising changes are evolving, becoming more efficient and effective. NACD, through its Directorship 2020 initiative and other programs, remains committed to sharing insights from thought leaders while providing a framework in which directors can better understand a world permeated with risk.
It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begins the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.
Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.
Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. A report from Mandiant—an American security company—representing the culmination of six years of research found that Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.
At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.
Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead by a “death of one thousand cuts”—a slow, steady leak of proprietary information.
Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then: “What forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in understanding cyber risks.
Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.