Speaking at NACD was a highlight of my year, as the audience was forward-thinking, eager to learn, and willing to grapple with tough questions in order to reach good answers. The discussions after my talk were almost as much fun as the talk itself, and there was significant appetite for a reference sheet to some of the bigger ideas I’d outlined. I hope that the summary pulled together here will prove helpful, and I welcome remarks, insights, or questions about any of it!
Disruptive trends in technology, culture, and business are converging. That convergence is an opportunity for businesses that recognize how to proceed.
Code: Technology is cheaper, faster, and better than ever before.
From software toolkits to education outlets, cloud computing to open-source big-data structures, there have never been so many ways for a motivated player to exert so much leverage so rapidly. Competitive advantages and resources that once belonged exclusively to large companies are increasingly not just accessible but freely available. In many cases, these platforms even invert such advantages—meaning that individuals who are part of porous, open groups are able to deploy better solutions faster than corporate counterparts by leveraging their communities. And all at low to no cost.
President Obama’s first campaign for the White House is a prime example of this phenomenon: he hired data specialists who used a simple method to computationally test different versions of his website in order to see which ones were generating more donations. Using this approach, he exceeded his projections by an additional 4 million e-mail addresses, a click-through rate of 140 percent, and $75 million more than was expected.
Culture: Transparency, meritocracy, and a willingness to disrupt anything characterize the new technology (and business) marketplace.
The age of playing by the rules—any rules—has largely gone by the wayside. When it’s possible to conduct corporate inversion online in under 20 minutes using a digital toolkit provided by a foreign nation state, it’s clear the playing field has changed. This is exactly what Estonia’s new “E-Estonia” initiative—which grants corporations a type of citizenship supported by cryptographically backed authentication—has been accused of enabling.
The people developing new solutions and creating new technologies take for granted an entirely different set of social (and moral) norms, which have no respect for the way your business is currently structured.
Competition: An exploding black market and a global tipping point that will occur when the remaining two-thirds of the planet come online over the next five years herald an incipient tidal wave of strange new competitors.
If you think the Internet has been disruptive during the past 20 years, you haven’t seen anything yet. The motivations and expectations of people completely new to technology differ from those of people who have already internalized it. Much like the toddler who doesn’t know what to do with a computer mouse and thinks a computer screen is broken when he can’t swipe it, new users of innovative technologies will have different expectations for what your company should provide. When you mix in a booming black market and a surging cascade of disruptive technologies—everything from drones to 3-D printing to dial-your-own genomics—you have a strange new world indeed…and one coming at you very, very quickly.
ACTION ITEMS: There’s good news in all this. You can compete just as well—if not better—by recognizing that the game has changed and adapting to the new rules.
1) Experiment, experiment, experiment.
It’s faster, cheaper, and easier than ever before to invent, test, and iterate. It’s what your competitors (and they are legion) are doing—especially the outlier startups that you so fear will flip your market as Uber did the medallion cab industry’s. The good news? You can do exactly the same thing. Even better, once you do, you already have a supply chain, established market, and deep resources to drive these new industries ahead of smaller first-time players.
What to ask your senior management: How are you implementing more agile and iterative development methodologies, and why?
2) Systematize culture change.
Empower your employees to act on your behalf. Legitimize risk. Reward insight. While this strategy looks good on paper, it is nearly impossible to execute, especially in highly efficient, competitive, and well-established organizations. Do it anyway, and you will find yourself at the helm of one of the most powerful entities in today’s market: A company that effectively innovates as a matter of course and knows how to build businesses and deploy products accordingly.
What to ask your senior management: How are we empowering our employees, at every level, to change the way our company operates? What evidence are we measuring that indicates this strategy is working?
3) Risk everything.
All business is about risk. But many companies have lost sight of the fact that this means not just mitigating risk but also embracing it. The emergence of new technology is confronting every industry with massive shifts that entail plenty of risk in the most negative sense. But the opposite is equally true, and it’s only by seizing the opportunities this time of change represents that you’ll emerge victorious. And who knows…you might even make the world a better place while you’re doing it.
What to ask your senior management: If you had to increase revenue by 25 percent this quarter, what would you try? Why aren’t we trying that?
I live every day in the future, metabolizing the new technologies that are slipping over our event horizon and into daily life. It’s a scary place to be, but it’s also one that offers boundless hope. Times of change are enormous opportunities for advancement. Those of us who experiment voraciously, learn quickly, and adapt effectively will chart the course for how human commerce unfolds over the next two decades. Our way will become the “new normal” and possibly set standards that will shape lives for generations to come. It’s not a time without risk, but it’s also a chance to change the world. What more could you want?
Josh Klein advises, writes, and hacks systems. He wants to know what you think.
“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.
Few companies have disrupted so-called business-as-usual as much as the Wikimedia Foundation. The nonprofit foundation is behind the website Wikipedia, an online, crowd-sourced encyclopedia that has become the fifth most visited website in the world.
At the 2014 NACD Board Leadership Conference, Sue Gardner, the former executive director and current special advisor for Wikimedia, shared her insights on the open nature of Wikipedia and the risks involved in that business model. Her thoughts resonate not only for the technology or publishing companies, but also for corporate boardrooms across a variety of other sectors.
Wikimedia aims to encourage the growth, development, and distribution of free educational content available in multiple languages.
Nobody, however, oversees the contributors.
“I will never read all the articles on Wikipedia, right? Unlike most organizations, there’s no central point of control. It’s very much about trusting the process.”
“For the most part, Wikipedia works great,” Gardner said. The articles contributed to the website are generally cited and thoroughly researched. Contributors to the site actually are very knowledgeable about intellectual property law and copyright law, Gardner said.
“We aspire to contain the sum total of human knowledge.” “But,” Gardner said, “the Achilles’ heel of Wikipedia is that the number of people contributing to the site is small and limited in its diversity.”
“It’s a systemic bias,” she said. “In order to edit Wikipedia, you tend to be living in a wealthy country with a good Internet connection. You have to have the leisure time to edit Wikipedia. What that adds up to is that the typical content contributor is a 25-year-old male grad student in Germany. People from poor parts of the world and women are underrepresented.”
Gardner said she believes that the contributions of women are missing. Several different studies conducted by researchers have found that somewhere between 12 percent and 15 percent of content contributors are women, she said. This dynamic might be a result of what can be a process that is not very collaborative, but more of a rough, confrontational back-and-forth between content generators.
Gardner also discussed the lack of diversity among the technology industry, specifically in Silicon Valley. When she moved to the San Francisco Bay area, she began a three-month tour to seek funding for Wikimedia. In that period, the only women she met were those who held positions such as administrative assistants. None were company leaders or business investors.
“I think the lack of gender equality of the Silicon Valley area is a symptom of an immature industry,” Gardner said.
In addition to a lack of diversity, Gardner said she has another concern: data privacy. While many people are concerned about government surveillance, she is weary of vast amounts of data being collected by for-profit companies.
“I worry not just about what the advertisers know and how the information is traded, I also worry increasingly about companies that are going to be bought and sold for parts,” Gardner said. “The whole game in Silicon Valley is that a lot of companies are just going to go under. What is going to happen to the information that they have? I don’t think we’re worried enough about that.”