We recently convened a group of directors from across industries to discuss how companies — and, more specifically, their boards — are adapting to the myriad ways technology is transforming business models and disrupting current practices. Pamela Craig, board member at Akamai, Merck & Co. and Wal-Mart Stores; Alan Masarek, CEO of Vonage; and Michelle Peluso, a technology industry CEO and Nike board member, shared their firsthand experiences responding to the rise of digital and the opportunities and potential threats that it creates. These leaders also discussed how to foster deeper board-level discussions about critical technology topics.
1. Does your board know enough about technology?
Technology impacts almost every aspect of the business, from operations and customer engagement to competition and risk. While nearly 10 percent of S&P 500 companies have established a technology committee, most boards are ill-prepared for the pace of technology developments, according to Masarek. “Boards don’t know what they cannot see,” he said. “We can’t see and prepare for the three guys in a garage inventing things. Not so long ago, you could fill out the ERM [enterprise risk management] study and know what the threats to your business were. Companies no longer have the runway to see threats coming.” He also noted that boards today are at a disadvantage because many members are not technology experts and, thus, their understanding of technology implications can lag reality. The entire board — not just members of dedicated technology committees — must engage in more robust discussions about technology trends and the resulting risks and opportunities they present for the organization.
2. Should you have a technology or digital expert in the boardroom?
Many companies are seeking digital directors with the hope that if they recruit a director from Google or Facebook, they have checked the technology box and the rest of the board can focus on other issues. That’s not enough, directors say. One of the greatest advantages of a technology or digital expert is that he or she can help educate the rest of the board. However, functional expertise alone may not help boards reap the full benefits — leadership skills and business knowledge are integral in helping other directors understand the connection between technology and the business.
3. Who should own cyber risk?
Neither the government nor listing agencies have established specific guidelines for cyber risk oversight. In a recent survey of S&P 500 companies, we found that 69 percent assigned cybersecurity oversight to a specific board committee. Of those, 76 percent said the audit committee oversees cybersecurity risk, and 14 percent said the risk committee is responsible. In cases where cybersecurity is not assigned to a specific committee and there is no risk committee, Craig believes the audit committee should take ownership, given its members are well-suited to thinking about different dimensions of risk.
The panelists agreed that cybersecurity is too complicated and too company-specific to be mandated by one-size-fits-all compliance reform. Such regulations could even lead to a false sense of security — being compliant does not necessarily mean being secure.
When assessing preparedness for cyber risk, boards should ask:
- Does the executive leadership have a clear and consistent understanding of cybersecurity relative to the business?
- Does management understand its responsibility for cybersecurity and have an adequate system of controls in place?
- Is the cybersecurity budget appropriately funded?
- Is the organization’s ERM program appropriately staffed and resourced given the types of risk assessed?
- Are there clear policies and procedures in place in the event of a breach?
- Is the company’s disclosure response in line with SEC guidelines and shareholders’ expectations?
4. Are you prepared for a cyber attack?
Some boards are tapping the knowledge of unconventional experts to help assess their cyber vulnerabilities: a “red team” of former cyber criminals whose role is to deliberately attack systems to reveal weaknesses. An audience member commented on the trend, noting that one oil and gas corporation has a $250 million budget to hack into its own systems.
The board’s role is to drive the conversation, and, ultimately, raise and uncover what is being done and, more importantly, what isn’t being done. “I like to ask senior management, ‘If budget wasn’t a constraint, what more would we be doing?’” said Peluso. “The senior managers and the CISO [chief information security officer] know what the company isn’t doing, and this gives them a voice at the table. It is important to tease this out of them. It is much better to know what we aren’t doing than what we are doing.”
To have these candid “What if?” conversations, boards may need to forgo their conventional approaches to meetings. Board meetings can tend to be data intensive, with management focusing the conversation on reports and numbers. Providing pre-read materials allows directors to have less scripted and more spontaneous dialogue about what could be done about cybersecurity.
As part of these discussions, boards should undertake an analysis of the company’s most valuable assets and determine the risk that each might present in the event of a cyber breach or loss. Directors should also weigh which risks to prioritize, avoid and mitigate against what the brand is worth.
5. What is the board’s role in driving innovation?
Boards aren’t expected to be the idea factory for the company — and, in fact, they shouldn’t be — but they should help create an environment that encourages innovation. “The board creates a culture that permits things to organically bubble up from the bottom,” said Masarek.
Boards that engage in “big picture” thinking can help enable innovation from within the organization. “What’s been really valuable in my experience is creating an environment for looking at the long term — conversations outside the boardroom, where the demands of board business don’t dominate the agenda,” said Peluso. “In one instance, the chairman organized an informal gathering around wine to talk about the global economy, investing in innovation and what more we could be doing. Technology budgets are really small and often, the deliberation of what else should we be thinking about doesn’t come out in a board presentation.” Craig noted that technology investments should regularly be focused on and viewed through a long-term lens, a lens that is not subject to the pressures of meeting short-term quarterly numbers.