When it comes to innovation, boards are notorious for sending conflicting messages. They want to hear assurances of innovation and predictability from management in the same breath. Unfortunately, innovation and predictability don’t go hand-in-hand. Simply put, innovation can’t exist without risk. In fact, the two are easily understood as a marriage—they show up together and work in unison.
Those of us who work in cybersecurity—where staying ahead of adversaries can mean life or death for a company—know that better than most. We have to invest in new ideas, technologies, and processes to adapt to an ever-changing threat landscape. Such investment, like any investment, entails some risk.
We can apply lessons learned about cybersecurity innovation to just about any industry. That’s because every company needs to innovate to remain competitive, which inherently means taking risks. How much risk is enough? How much is too much? And what’s the best way to foster innovation while balancing the need to take risks with the need for predictability?
The best way to answer these questions is to develop clear processes around innovation. It all starts with good communication and diversity of viewpoints.
Talk It Through
Effective communication is key between senior leadership and the engineers and others responsible for innovation. Communication reveals ideas worth taking chances on. Two structural processes work well for this, and the board can suggest both.
Encourage management and engineers to engage in ad-hoc sharing of observations. This means forming groups to share candid observations about what’s working and what’s not working within an organization.
At Rapid7, we pull in team members across the organization to bring a variety of perspectives to the table. I recommend creating small cross-functional teams and getting them in the habit of observing and sharing ideas to generate more innovation. This continuous dialogue pushes people to think more broadly and differently while sharing learnings that can then be reported to the board when discussing innovation.
Facilitate thought-provoking discussions. Encourage management to create thought experiments designed to spark new ideas and challenge conventional thinking. Those facilitating the conversation might start by asking, “If I gave you an unlimited amount of money to double our efficiency, what would you do?” Or, “If we were going to build a business plan to destroy our business and at the same time gain twice the profits and twice the customer loyalty, what would we do right now?”
These processes can be quite powerful in uncovering places to innovate. But in order for a leadership team and those responsible for innovation to maintain a firm grounding in the reality of the industry while also allowing room for creativity, they need a source of external truth. That means urging management to get outside of the company bubble.
Learn from the Field
To gather new ideas, people across functions should spend unmanaged time outside of the organization, bringing observations back to leadership and to their work. Spending time with customers and partners, engaging with peer groups, observing and engaging with competitors, reading, and attending conferences are all ways to gather the insights that are crucial for effective innovation. The board should challenge management to build a culture of curiosity within the company.
That said, directors should beware of herd mentality taking over the minds of management. Emulating companies that have non-sustainable positions or those in which you have too little insight into the success they are having often doesn’t play out well. Instead, encourage management to pay attention to well-performing companies in their quest for ideas that will improve your company’s position.
At Rapid7, I frame these jobs as learning. I don’t need my teams to come back with concrete action steps or specific outcomes but instead with a learning plan and details on what they saw that has the potential to transform the business over the next year.
Anything a team learns that can potentially create an advantage opens the doors to innovation. Therefore, this culture of learning should not focus only on technology, but instead on the combination of process, technology, market, and customer needs.
Create an Innovation Culture
To flourish, innovation also must be nurtured in the culture of the organization as expressed in the attitudes, beliefs, and behaviors of its people. Cultures that punish failure, demand certainty, or reward short-term results kill innovation before it can even be expressed as an idea. On the other hand, cultures that emphasize learning, encourage experimentation, and focus on rewarding long-term growth behaviors tend to be much better at innovation. One of the keys to this is encouraging transparency and reinforcing that it’s okay to discuss possibilities even when the path to delivery is unclear. Lastly, innovation demands an environment built on trust. When people don’t trust each other, they can’t be vulnerable and share their ideas, hopes, and aspirations. Directors should cultivate a culture of open conversation with their management team, and then encourage the same candor between management and employees across the company.
Embrace the Right Level of Risk
Many organizations pursue the minimal amount of innovation because they fear taking too big a leap and risking too much. Others may aggressively pursue transformational innovation that comes with a high degree of risk. What’s the right balance?
To make that assessment, directors and management can consider the three main levels of innovation, in order of increasing risk.
Incremental improvement innovation. You will generally have a high degree of confidence about this level of innovation because others in your industry are already doing it and you have real-world observations to back up planning for those innovations.
Outside-in innovation. Somewhat riskier, this level of innovation involves implementing ideas that you are confident could be successful based on outside observation—perhaps from beyond your industry—and adapting them for your organization.
Moon shot innovation. The ultimate risk, with a potentially high-reward payoff. Think SpaceX’s success at launching a sports car to Mars in its quest to ultimately get settlers there.
For a company that’s doing well inside a stable industry, it’s most likely not wise to take a huge risk. Incremental innovation in this case may be enough, always with an oversight-focused eye on what others in the industry are doing.
A company in a more volatile industry, however, may need to get more aggressive in pursuit of game-changing innovations, with ideas borrowed from other industries. A moon shot in this case, appropriately managed and nurtured over time, may be just what’s needed. Directors should ask management to develop plans and evidence for these innovations that are clear, concise, and geared toward oversight of the project’s successful execution and value creation.
Manage the Learning Cycle
Innovation takes time, starting with the learning cycle.
In our experience, the learning cycle takes about a year, and is crucial for properly managing the risk involved in investing further. For implementation, two to four years is a good rule of thumb to start to see a return on investment. Here’s the typical timeline from idea to implementation.
Year 1: Learn a concept.
Year 2: Decide to learn more or kill it.
Year 3: Learn a few more things and try some ideas. Refine the concept.
Year 4: Get traction.
A successful organization prepares for innovation in the same way a runner prepares for a marathon. Innovations and marathons both take time, conditioning and learning the course. That includes understanding the role that risk plays in innovation. Starting with that foundation will put boards and the companies they serve on the right track for success now and into the future.
Corey E. Thomas is CEO of Rapid7.
At some point, your organization is likely to encounter a crisis situation. As CEO of a cybersecurity company, I work with many organizations responding to security crises, such as breaches or disclosure of security issues in their products. How companies respond to these situations can make or break their reputation and customers’ trust in the organization, and impact the cost of the incident. This is also true for non-security-related incidents.
As board members, you can support—or even mandate—a response that will see your business weather the storm as well as could be hoped. Nobody likes to think about worst-case scenarios, but as board members you must hold the organization accountable for doing just that to ensure it is prepared in case disaster strikes.
My seven steps to minimizing fallout through crisis response are as follows:
1. Determine your guiding principle. Before you begin planning for, or responding to, a crisis, determine the overarching goal or guiding principle that drives decision-making throughout the organization’s response. This should be a principle that has been articulated in advance and is well understood by all stakeholders.
Guiding principles can vary greatly, and could include: protecting users, investors, or employees; minimizing disruption or cost to the business; or demonstrating leadership in your community. Spend time with the executive team and other key leaders in your organization to determine what makes the most sense for your business. Be sure to discuss the risks, benefits, requirements, and payoffs of various approaches.
2. Preparation is key. Next, identify a handful of crisis scenarios that could affect your business, and determine which key players will drive the response. This will likely change from scenario to scenario. Once you know your scenarios and stakeholders, assign an owner to build response plans. These plans should include basic workflows for every scenario and a detailed matrix of roles and responsibilities for all stakeholders. The owner should work through the processes and expectations to ensure that everyone understands their role, and what their teammates will need throughout the process.
As a board member, you can support this by asking:
Do we have an up-to-date incident or crisis response plan for the organization? What scenarios are covered? Are there applicable scenarios that have not been included?
Who was involved in creating, reviewing, and approving the plan? Do all stakeholders understand what is expected of them?
What assets most need protecting to ensure effective business continuity?
3. Practice makes perfect. There is no such thing as perfect when it comes to crisis management, but ensuring that your organization’s response plan has been practiced will help you identify potential kinks in the process before they become significant issues. It will also help your cross-functional team build trust and better understand each other’s processes and needs.
As a board member, you can support this by asking:
When was the last time we ran a drill for our crisis response process?
What points were identified as improvement areas in our last crisis drill?
How frequently does our response team run drills or tabletop exercises?
How many different scenarios have been walked through?
4. Build trust among core stakeholders now. If you have followed steps 1 through 3, then you know who your core team is for a variety of scenarios. Depending on the size and complexity of your organization, the key stakeholders may not know each other well and may have minimal experience working together. A crisis is an incredibly challenging time to begin building relationships and trust.
Encourage your crisis response leaders to get to know each other sooner rather than later, possibly through presenting the crisis response plan to the board. When presenting, ask them to demonstrate familiarity with each other and their alignment. For example:
Ask them to explain each other’s role and goals through a given crisis response scenario.
Ask how they collectively judge the success of a crisis response.
Ask them to explain what they need from each other and the board or leadership team, and what they will provide themselves.
5. Set clear expectations. As much as the crisis response leaders need to build a plan and determine workflows for crisis scenarios, the board should also establish clear expectations and share them in advance. Bear in mind that your role is to help, not hinder, the organization’s ability to respond to a crisis, so whatever expectations you set with the crisis leaders or executive team should be as minimal or efficient as possible.
Consider the following:
When do you want to be informed of a potential crisis situation? For example, when it’s first discovered? Once it’s been verified? Once it’s resolved? Are there any industry-specific regulatory requirements for the timing of reporting on a crisis?
How do you want to be informed? Do you want communication to be over email, or should everyone get together for a call?
Are there categories of incident severity that trigger different responses? For example, will there be situations that you don’t need to know about, some that can just be included in the regular board reporting, and others that warrant dedicated communication?
6. Glide like a swan. As board members, you are no doubt adept at maintaining a professional demeanor in the face of stressful situations. Never is this more vital than during a crisis response. You need to set a tone for the executive team and crisis response team. If you get heated or upset, that will likely perpetuate the same behavior, and a lack of calm generally encourages mistakes to be made and people to become less effective.
Similarly, a lack of calm among responders and executives will likely reveal itself to others, whether inside or outside the organization. This may result in speculation that does more harm to employee or customer morale, or to stock price, than the incident itself. Avoid being the cause of additional stress for those managing the response, and keep in mind point 5 above. It’s fine to want to be kept informed, but take care not to distract or further stress out the core team.
7. Capture learnings and avoid blame. When responding to a crisis, it’s important to enable people to be honest about what happened, what could have or should have been done differently, and what lessons and next steps can be taken away. If everyone is worried they will be fired or publicly blamed, they will be less likely to be honest about what happened. As such, it’s essential during the crisis response that you avoid recriminations and blame.
After the incident has been resolved, ask the crisis response leaders to present key learnings to the board, including what action will be taken to ensure the scenario is unlikely to occur again. At this time, it may be appropriate to discuss accountability; this should be handled privately and with sensitivity.
As board members, you typically will not be on the front line of a crisis response. However, you can still influence its outcomes by encouraging preparation, ensuring alignment, and supporting an open, calm, and blame-free approach. This will enable your organization to put its best foot forward, and hopefully weather crises in the best possible way.
As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.
To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.
1. Does the security team have a full, well-informed view of the organization’s security posture?
One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.
You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.
It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.
Here are some additional questions you can ask:
Which threats are most relevant to the company, which assets are most vulnerable, and which are most likely to be targets? Ask the security team to explain their answers.
Does the security team share threat information with security teams at other organizations of a similar profile?
Does the security team have full visibility and control of our entire technology environment, including assets we lease rather than own? Does the team have a detailed inventory of key assets, who is using them and how, and what known risks relate to them?
Is the security team part of the procurement process for all technology products and services? Do they vet technology vendors on the security of their products or services? Do they investigate the vendor’s practices for reporting and patching vulnerabilities?
Does the security team know who has access to what applications and services? Have they locked access down as far as possible, so people only have the privileges needed to perform their day-to-day role?
2. Is our organization resilient to attack?
Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.
Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.
Is all company and customer data encrypted at rest and in transit? If not, which data is being encrypted and when?
Has the security team segmented the company’s networks to reduce an attacker’s ability to move through the network and reach valuable assets?
Does your organization regularly back everything up to reduce susceptibility to ransomware attacks? Do you run regular backup and restore drills?
Do you know how susceptible our employees are to phishing? Are you investing in education programs to raise security awareness?
Do you have multi-factor authentication in place on all of our technical services and applications?
Does the organization have cyber insurance to help it recoup any costs of a security incident? Which scenarios or factors are not covered by the insurance?
3. Is the security team confident it can detect and respond quickly to security incidents?
According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.
A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.
Some relevant questions include:
Does the security team map normal behavior (both for human users and machine entities) on the network? Are they able to detect anomalous behavior?
Is the security team able to investigate and verify alerts quickly? Do they have sufficient resources committed to monitoring systems that alert on suspicious activity?
How quickly could the security team investigate a potential breach or determine which technology assets and users may have been compromised? Does the security team have sufficient visibility across all technical assets to investigate fully? Does the security team log any information that would be needed to investigate a security incident?
Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?
4. How do you measure the effectiveness of our cybersecurity program and initiatives?
Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It is also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.
Some questions to ask your security team include:
Is the security team proud of the company’s patching program? Do they feel adequately supported by the IT team in their efforts?
Who is responsible in the organization for initiating testing of organization-wide breach readiness?
How frequently does the security team test the company’s defenses for effectiveness? Do they hire external security consultants to try to penetrate the network and facilities?
Is the security team able to track progress over time?
Does the security team have a view of the maturity of its program? Is there a clear roadmap for future progress?
What measures has the security team taken in the past six months to improve security posture? What results have they seen? How will they adjust the program moving forward?
5. Do political or financial considerations impact your ability to protect the organization effectively?
It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.
The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.
Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.
Are there any budgetary or political roadblocks to implementing foundational security controls?
Does the security team have adequate headcount and resources? How is the answer to this question determined? If not, in which areas are we below critical mass?
Does the head of security have the opportunity to be heard among the most senior executives in the organization?
Do the business leaders across the company truly understand the potential costs and implications to the business of being breached? Do they discuss risk tolerance and prioritization payoffs in an open, strategic way? Do they build resilience plans based on these discussions?
Is security considered an audit function, or does the organization strive to build security into its products, services, and operations by design?
Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.
Corey Thomas is CEO, president, and a member of the board of Rapid7.