We’ve launched Next Gen Board Leaders, a joint initiative with Spencer Stuart, which is designed to highlight the value that a younger generation can bring to emerging areas of board oversight. One such emerging area is cyber risk, which has been elevated in the news lately. Cyber risk can be especially challenging for today’s directors to oversee, since many have never faced cyber threats during the course of their careers.
During last week’s Mini-Summit, the Next Gen Board Leaders Advisory Council (i.e., ten public company directors in their 30s and 40s) delved into cyber risk oversight (among other topics) and swapped their own board experiences. From those closed-door discussions, we are able to share overarching themes and solutions so that boards can begin to think differently about cyber security and take steps in the right direction. Here are four mistakes your board might be making:
1. Skipping Cyber Risk 101
In many boardrooms today, cyber oversight is characterized by an annual (maybe quarterly) presentation from the CTO or IT department. Too often, however, boards skip the first step in educating their directors on the basic nature of cyber threats.
- What are the different forms a cyber threat may take?
- Who are the ‘attackers’? What are their motivations?
- What might a data breach look like? What are the potential implications?
The Mini-Summit discussions highlighted several interesting approaches to educating the whole board on the basic principles of cyber security. One company, for example, took its directors through a mock malware exercise to see how directors would respond. Having been the object of a cyber threat, board members were better able to grasp the basic nature of what they were protecting against.
Other boards assign required reading between meetings, where each director will read the same cyber security book or resource to allow meaningful discussion the next time the board reconvenes. Another board took a field trip to understand how company data was being encoded and stored.
In a recent episode of Inside America’s Boardrooms, Michael Kaiser (Executive Director of the National Cyber Security Alliance) cautioned board members against thinking that cyber security was beyond their reach—or that they could simply leave that responsibility to someone else.
[Boards shouldn’t] think that [cyber] is something so technical and brand new that they don’t have a handle on it. Boards have dealt with risks of all kinds within their organizations in the past—they have adopted new risks over time. If they’re skilled and feel confident doing that, then they should feel confident about cyber.
— Michael Kaiser, Executive Director, National Cyber Security Alliance
2. Failing to Prioritize the Company’s Most Valuable Assets
Too often, boards try to address all aspects of cyber risk at once rather than prioritizing around the company’s most valuable assets. As Kaiser reminded us, “Not all risks are created equal for all organizations.” Rather, a bank will have very different considerations than a manufacturing company.
“You have to look at your risk in the lens that you operate…,” said Kaiser. “It could be that your greatest risk is losing intellectual property or it could be that it’s losing customer data. You have to put your resources around protecting those most valuable things.”
At the Mini-Summit, one director pointed out another aspect that boards should be taking into consideration: “Are we collecting any information that’s creating an unnecessary liability?”
Oftentimes, companies will hold onto data or acquire extraneous customer information from a third-party partner, which can put the organization inadvertently at risk. “If you’re a B2B company, then you probably don’t need to hang onto social security numbers,” said one next-gen director.
3. Falling Victim Without a Crisis Plan
For today’s companies, it’s not about if a data breach will happen, but when. All boards should have a crisis plan in place for communicating in the wake of a cyber incident.
At the Mini-Summit, next-gen directors briefly discussed the elements of their cyber crisis plan: (a) Here’s how the company will communicate with the various stakeholders, and (b) Here’s how the company plans to recover from both an operational standpoint and reputation perspective. There is no longer an excuse for boards caught without a crisis plan.
Cyber threats will be like asbestos. People don’t think twice about it now, but in 10 years, people will realize how poisonous it can be.
— Quote from the Next Gen Board Leaders Mini-Summit
4. Overlooking Educational Resources
As cyber security rises in the ranks of board attention, directors now have access to an abundance of resources for assessing risks, creating a crisis plan, protecting against board liability, or merely furthering their cyber education.
On one of our earliest episodes, the FBI visited Inside America’s Boardrooms to film a three-part series about the FBI tools and programs available to boards. As part of its Business Alliance Initiative, the FBI will send counter-intelligence officers to your boardroom to educate directors on various types of cyber threats, to conduct vulnerability assessments, to educate employees, and so on. Wise boards are taking advantage of such resources.
The National Cyber Security Alliance (NCSA) supports a library of resources and events for boards and management. PwC’s Governance Insights Center and the Center for Audit Quality also host robust resource pages dedicated to cyber risk oversight. And, be sure not to miss Boardroom Resources’ Cyber Risk page, with Episode, Insights, and Events relating to this increasingly important topic.
On the Next Gen Board Leaders website, we’ll be delving deeper into some of the considerations and solutions presented here, as several of the Advisory Council members were recruited for their cyber and digital expertise.