Listen to Episode 30 on Apple Podcasts
Guest: Larry Clinton, President of the Internet Security Alliance
Hosts: Dottie Schindlinger, Executive Director of the Diligent Institute, and
Meghan Day, Senior Director of Board Member Experience for Diligent Corporation
In this episode:
- Reflecting on how companies are responding to racial injustice.
- Digital transformation elevates cyber to an enterprise-wide economic concern. Boards should now consider cybersecurity in all major decisions, according to Clinton.
- The shift to remote work has accelerated cyber risk. In the new world of work, companies will need new management structures as well as technological frameworks.
- Today’s environment demands a more systemic approach. Companies and boards must think beyond the departmental siloes of the Industrial Age.
Reflecting on Recent Events:
This week’s show begins with co-hosts Dottie and Meghan reflecting on the corporate response to the killings of George Floyd, Breonna Taylor, Ahmaud Arbery and others by police.
The #BlackLivesMatter protests joined by thousands in cities around the world have received messages of support from many corporate leaders, yet some expressions of solidarity are being called out by employees and other stakeholders for problems that exist within those companies.
Executives and companies are being called to account for the lack of African American/black people in corporate leadership, pay inequality, and other expressions of racism. To that end, three recently published articles are particularly helpful for corporate leaders:
- U.S. Businesses Must Take Meaningful Action Against Racism, by Laura Morgan Roberts and Ella F. Washington in the Harvard Business Review
- The 10 Commitments Companies Must Make to Advance Racial Justice, by Mark R. Kramer in the Harvard Business Review
- ‘Corporate America Has Failed Black America’ OpEd by David Gelles in the New York Times.
Interview Summary:
This week’s show features Meghan’s earlier interview with passionate advocate for improving cybersecurity, Larry Clinton, President of the Internet Security Alliance.
Cyber attacks have become increasingly cheap and profitable to execute. In fact, according to Larry, if cyber crime around the world had its own economy, it would be big enough to qualify for inclusion among the G-10 nations. As technologies evolve and cyber criminals continue to enjoy their “first-mover advantage” over corporations, the attack surface is expanding and becoming more porous.
“We on the defender side are losing this fight, and we are losing it big time,” Clinton says.
What does it all mean for boards, and what do board members need to ask and expect from management in this new environment?
Clinton has authored numerous articles, spoken to policymakers and media worldwide about cyber issues, and National Association of Corporate Directors’ (NACD) handbook on cyber risk oversight.
He joins co-hosts Dottie Schindlinger and Meghan Day to talk about fundamental shifts in the cyber landscape, from digital transformation to COVID-19’s new world of work.
Digital transformation elevates cyber risk to an enterprise-wide — and economic — concern.
Technologies like mobile, cloud computing, the Internet of Things, VoIP, and more have become essential to competing in a digital world. At the same time, these undermine security — and elevate cyber to an economic as well as technical discussion.
Clinton is seeing boards adjust to this shift. “Boards are no longer thinking of cyber security as kind of an appendage issue that is tacked on to 15 minutes at the end of the board meeting,” he says. “Instead they’re beginning to understand cyber security as an inherent part of the business process.”
Such thinking needs to continue. Cybersecurity needs to be woven into a company’s business model, Clinton says. Mergers, acquisitions, innovation, new product development, and strategic partnerships—any issue a board considers—all have a cybersecurity component. “It’s an enterprise-wide risk management issue, not a separate IT issue.”
Throughout, board members should work with management to consider cyber risk analysis and remediation on an economic basis. “Make it part of the business,” he says.
“There’s not a single business decision that the board considers without talking to the financial people and not talking to the legal people. In the 21st-century, they also need to be considering cybersecurity.”
– Larry Clinton, President, Internet Security Alliance
The shift to remote work has accelerated cyber risk.
With the rapid shift to remote work, how has Clinton seen the risk profile change? Day asks. What tactics does he recommend for boards and companies?
Clinton asserts that COVID-19 has brought about the largest change in how work is done in human history — within weeks, the work-from-home percentage jumped from 20% to above 80%. Technologies like Zoom weren’t built for the challenge, and neither were corporate organizational structures.
“Most people think of cybersecurity in terms of a technical framework,” he says, citing the Federal Information Security Management Act and the International Standards Organization. “But what’s more important is that we’re going to need to evolve a different type of management structure.”
For instance, with an unprecedented number of employees taking their laptops home, management will need to respond with policies and codes of conduct, enforcement, and additional risk management analytics to fend off cyber attacks. Boards will need to evolve in their oversight of employee practices, risk assessment, the management of software services, and incident response.
“It’s not just about software and patch management and network configuration.”
– Larry Clinton, President, Internet Security Alliance
Today’s environment demands a more systemic approach to cyber risk.
New methodologies are emerging that enable boards to look at the economic aspects of cybersecurity and determine what risks to mitigate, transfer, and avoid completely, Clinton explains. Yet most organizations today use an industrial-age model that keeps departments, like financial, legal, and others, separate.
Because the digital world connects them all, effective cybersecurity management today requires a collaborative structure that is “much more team-oriented than department-oriented,” Clinton says. He illustrates with a timely analogy:
“The flu is much more like a targeted entity attack. We can identify who is being attacked, we have mechanisms in palace, vaccines, etc.,” he says. “The coronavirus is completely different. It’s attacking everybody simultaneously and putting a stress on all sorts of surfaces: medical, technical, personnel, human resources.”
“First, we need to have an enterprise-wide basis for cybersecurity. Secondly, is this reflective of the economics of our industry? And the third thing is do we have an incident response mechanism in place?”
– Larry Clinton, President, Internet Security Alliance
Also in this episode…
Clinton shares cybersecurity practices from the NACD handbook that can be applied now and when post-COVID-19 mobility resumes — like backing up data and using temporary cell phones and laptops when traveling. “Senior managers who have really good security in the home office go out on the road they plug the laptop into any old hotel and have no idea what kind of security is there,” he says.
He also talks about his other activities during the COVID-19 shutdown — reading “The Creator’s Code” by Amy Wilkinson and working with his son to develop services for adults with autism.
Resources in this episode
- NACD Director’s Handbook on Cyber-Risk Oversight
- “How to Measure Anything,” by Douglas Hubbard
- “The Creator’s Code,” by Amy Wilkinson
Listen to Episode 30 on Apple Podcasts
