“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc., and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error through social engineering—especially “spear phishing” emails. These emails look like legitimate business correspondence from trusted sources, yet carry dangerous malware. A single employee opening such an email could compromise the security of an entire network.
Scrutinize whether management really knows where key data assets reside. It is essential to gain confidence that management knows where its “crown jewel” data assets are located and how they are being protected, particularly in highly distributed IT environments. Management also needs to demonstrate that it understands the rationale for the access rights granted to both employees and contractors. The fine print in third-party contracts can jeopardize data security as well: cloud storage companies sometimes include “quality control” clauses that grant them access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue but a significant business risk, because technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity, and they must foster a risk-aware culture. If, for instance, the IT department sends simulated malicious emails to measure open and click rates across the organization, a rising rate signals a problem. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must take care to communicate clearly with board members, whose first imperative is to understand the risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members pay close attention to the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs of cybersecurity could undermine much-needed investment by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber risks across the organization.
Without a doubt, directorship has changed. In the last 10 years, the effects of legislation and regulatory activity such as Sarbanes-Oxley and Dodd-Frank have significantly expanded the role of the director. Taking into account the current trends of increased shareholder activism, heightened media scrutiny, emerging technologies, and disruptive innovations, it is expected that this role will continue to morph. As these shifts in the economy increase in amplitude and frequency, it is necessary for those in the boardroom to understand and prepare for the future structure of directorship—today.
With this in mind, NACD has launched NACD Directorship 2020 to help directors define and prepare for the emerging challenges and opportunities expected to impact boardrooms in five to seven years. More than an initiative, NACD Directorship 2020 extends from educational programs and roundtable exchanges to published research. Using topics informed by an advisory council composed of boardroom luminaries, academics, and governance experts, feedback from educational programs will shape ensuing research on leading practices for the future. In the coming months, several symposiums will be held across the nation, and the conversation will be continued at our annual Board Leadership Conference in October.
This week, NACD held the first of these symposiums at the Harvard Club in New York City. More than 100 directors attended the afternoon session to discuss two areas: the future state of the risk agenda, and how to select performance metrics that will engender sustainable organizational profit. The symposium was led by NACD President and CEO Ken Daly; Akamai Technologies Lead Director and Audit Committee Chairman Martin Coyne; and former Bell and Howell CEO, current NACD Director, and Northwestern University Professor Bill White. During the highly interactive sessions, questions were posed to attendees, who then discussed them and shared their thoughts with their peers. Takeaways from the event include:
Composition and resourcing are essential to navigating the current and future risks facing the boardroom. With the right resources and information, and the right people around the table, the board can engage effectively on the critical issues.
Inherent in their role as part-time overseers, directors will always run the risk of information asymmetry: management has the full suite of information about the company’s operations that is then selected and parsed out to the board. The challenge for the board is to communicate its expectations on the type and amount of information it needs for effective oversight.
It is essential that directors trust, but verify. The boardroom culture should be one in which the executive staff feel able to report on the high-risk items and the things that keep them up at night. To verify the information presented, directors should go beyond the C-suite, and even outside the company. This can include meeting with the heads of business units or drawing on outside sources of data.
In risk oversight, the board can informally meet with senior management and the internal audit team to develop a list of the top organizational risks. After these risks are identified, the board can have an executive session with an outside expert to gain more knowledge of the areas.
Industry experts on the board may not anticipate the disruptive technologies that have the potential to pose either a huge risk or opportunity to the company. While extremely valuable at the table, industry experts may not always be able to see beyond their acumen. Boards can recruit experts from other industries—who bring the perspective and knowledge of different risks and market forces—to serve as directors.
Total shareholder return (TSR) and financial and operational metrics reflect hindsight. These data can be bolstered with a healthy balance of “early warning” metrics derived from the company’s strategy, such as customer and employee satisfaction, dollar investment per employee, or retention.
Metrics are the operationalization of strategy. If the strategy’s underlying assumptions are flawed, however, the metrics have less significance. Is the board looking at metrics that question the strategy itself? This could include a measurement of the organization’s adaptability to changes in the marketplace.
Reputational and stakeholder risk is an area that should receive boardroom attention. Directors should encourage metrics that foster stakeholder engagement as a strategy for risk mitigation.
The long-term health of most companies is determined by their success in being innovative. The company should establish early warning metrics that monitor how its innovation systems generate sustainable cash flows.
The next NACD Directorship 2020 events will be held July 16 in Chicago and Sept. 10 in Los Angeles. Between events, NACD’s blog will feature viewpoints and research from our NACD Directorship 2020 partners—Broadridge, KPMG, Marsh & McLennan Companies, and PwC—that will take a deeper look into the emerging issues and trends that will redefine directorship.