Ask Your Security Team These Questions in 2018

Corey E. Thomas

As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.

To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.

1. Does the security team have a full, well-informed view of the organization’s security posture?

One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.

You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.

It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.

Here are some additional questions you can ask:

  • Which threats are most relevant to the company, which assets are most vulnerable, and which are most likely to be targets? Ask the security team to explain their answers.
  • Does the security team share threat information with security teams at other organizations of a similar profile?
  • Does the security team have full visibility and control of our entire technology environment, including assets we lease rather than own? Does the team have a detailed inventory of key assets, who is using them and how, and what known risks relate to them?
  • Is the security team part of the procurement process for all technology products and services? Do they vet technology vendors on the security of their products or services? Do they investigate the vendor’s practices for reporting and patching vulnerabilities?
  • Does the security team know who has access to what applications and services? Have they locked access down as far as possible, so people only have the privileges needed to perform their day-to-day role?

2. Is our organization resilient to attack?

Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.

Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.

  • Is all company and customer data encrypted at rest and in transit? If not, which data is being encrypted and when?
  • Has the security team segmented the company’s networks to reduce an attacker’s ability to move through the network and reach valuable assets?
  • Does your organization regularly back everything up to reduce susceptibility to ransomware attacks? Do you run regular backup and restore drills?
  • Do you know how susceptible our employees are to phishing? Are you investing in education programs to raise security awareness?
  • Do you have multi-factor authentication in place on all of our technical services and applications?
  • Does the organization have cyber insurance to help it recoup any costs of a security incident? Which scenarios or factors are not covered by the insurance?

3. Is the security team confident it can detect and respond quickly to security incidents?

According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.

A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.

Some relevant questions include:

  • Does the security team map normal behavior (both for human users and machine entities) on the network? Are they able to detect anomalous behavior?
  • Is the security team able to investigate and verify alerts quickly? Do they have sufficient resources committed to monitoring systems that alert suspicious activity?
  • How quickly could the security team investigate a potential breach or determine which technology assets and users may have been compromised? Does the security team have sufficient visibility across all technical assets to investigate fully? Does the security team log any information that would be needed to investigate a security incident?
  • Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement, etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?

4. How do you measure the effectiveness of our cybersecurity program and initiatives?

Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It is also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.

Some questions to ask your security team include:

  • Is the security team proud of the company’s patching program? Do they feel adequately supported by the IT team in their efforts?
  • Who is responsible in the organization for initiating testing of organization-wide breach readiness?
  • How frequently does the security team test the company’s defenses for effectiveness? Do they hire external security consultants to try to penetrate the network and facilities?
  • Is the security team able to track progress over time?
  • Does the security team have a view of the maturity of its program? Is there a clear roadmap for future progress?
  • What measures has the security team taken in the past six months to improve security posture? What results have they seen? How will they adjust the program moving forward?

5. Do political or financial considerations impact your ability to protect the organization effectively?

It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.

The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.

Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.

  • Are there any budgetary or political roadblocks to implementing foundational security controls?
  • Does the security team have adequate headcount and resources? How is the answer to this question determined? If not, in which areas are we below critical mass?
  • Does the head of security have the opportunity to be heard among the most senior executives in the organization?
  • Do the business leaders across the company truly understand the potential costs and implications to the business of being breached? Do they discuss risk tolerance and prioritization payoffs in an open, strategic way? Do they build resilience plans based on these discussions?
  • Is security considered an audit function, or does the organization strive to build security into its products, services, and operations by design?

Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.

Corey Thomas is CEO, president, and a member of the board of Rapid7. 

CES Tour Reveals Trends and Innovations That Will Reshape Business

Shelly Palmer guides directors through the show floor.

At the conclusion of day two of NACD and Grant Thornton’s board-focused experience of the 2018 Consumer Electronics Show (CES), my feet are throbbing, my head is spinning, and I have a clearer picture of what the future holds thanks to a much sought-after spot at Shelly Palmer’s breakfast lecture on innovation and future trends, which was followed by an exclusive, small-group tour of this colossal show—some 3,900 exhibitors in all.

According to Palmer, the next-generation automobiles displayed by Mitsubishi, Nissan, Ford, and so many other companies raise the following question: How will we move—or want to be moved—from point A to point B?

“What does it mean to get from here to there? Uber is already self-driving. I push a few buttons and the car shows up,” Palmer said as he took us through the North Hall of the Las Vegas Convention Center—home to what has been dubbed the world’s largest auto show.

Among the flashier electric vehicles on display was the Mercedes-AMG Project ONE Showcar, an electric hybrid Formula 1 race car. While only 275 of these cars will be made, the technology applied in its engineering eventually could end up in your self-driving car.

Palmer also highlighted the following provocative insights to the directors in our tour group:

  • Smart speakers are among the fastest-adopted technologies, having achieved 50-percent penetration in U.S. homes in just three years.
  • Any device powered by electricity will be voice-controlled.
  • While Amazon is not exhibiting at this year’s show, its presence was abundantly visible through some 30,000 examples of apps compatible with its Alexa device.
  • Companies that may be considered old-line—Blackberry, Honeywell, ADP—have reinvented themselves through their understanding and embrace of technology that makes us more secure. “Security,” Palmer said, “is the gateway drug to home systems.”
  • At Honda’s booth, spectators were charmed by an adorable three-foot robot. The Japanese automaker discovered after the devastating tsunami in 2011 that children responded to the robot, which is capable of expressing empathy. “Americans have no interest in this,” Palmer said, adding this nugget: “Robotics are way ahead of anthropology and sociology.”
  • Chinese companies are the world’s leader in artificial intelligence. Google and Facebook lead in America. The presence of Chinese companies exhibiting at CES was a quantum leap over last year.
  • Some 15 million American homes have cut the cable cord and instead have roof antennas for TV service. So how can Comcast expect to flourish? The broadband giant will provide its customers the ability to connect various Internet of Things technologies that can be controlled through its voice remote.

More insights from CES and directors’ impressions of the governance implications raised by some of what they experienced will be covered in the January/February 2018 issue of NACD Directorship magazine.

The Future Is Now at CES

The 2018 Consumer Electronics Show (CES) opened to the public yesterday in Las Vegas. With over 3,900 exhibitors from 29 countries, there is a lot to absorb.

For a group of some 40 directors, a sneak peek of CES given courtesy of the National Association of Corporate Directors (NACD) and Grant Thornton LLP provided a focused beginning to a three-day exploration of new technology—from robots to self-driving cars and augmented reality to smarter cities—and the implications for corporate governance.

For Grant Thornton, supporting NACD’s first CES Experience underscores the accounting firm’s position “as a challenger brand in the marketplace,” said Michael Desmond, a partner and National Audit Industry & Growth Leader at Grant Thornton. “Being here at CES with a group of directors allows us to support our partnership with NACD and continue our reach into the marketplace at the C-suite and board levels. At the same time, this is where forward thinking and innovation are on display and all of these elements converge.”

Accompanying Desmond was David Wedding, a Grant Thornton partner who also chairs the firm’s board. “I’m here as a director myself and we, of course, are facing disruption in our industry from the impact of technology just like our customers. It will be interesting to see what’s trending and how other directors assess the ramifications of what we see.”

Maureen Conners, a director of Fashion Incubator in San Francisco and NACD’s Northern California Chapter, and former director of Deckers Brands, has been attending CES for at least 15 years. “The best advice I would give to anyone coming to CES is not to be afraid to ask the dumb questions,” she said. Conners worked in product development at Gillette, Levi Strauss, and Mattel and started attending CES when, as a consultant, she helped Polaroid launch its first digital camera. She spoke of how seeing a driverless car maneuver onto a stage during an Intel presentation on Monday night stirred questions for her about how they will ultimately be used.

“I must admit it’s different seeing it in person,” she said.

Liane Pelletier, a director who was on the tour and serves on the boards of ATN International, Expeditors International, and NACD’s Northwest Chapter, echoed that sentiment: “It’s one thing to read about discrete enabling technologies that can disrupt our companies, and it’s entirely different to see and envision all of the use cases.”

Some of the other new products that stand to have industry-altering impacts included: a concept bed from Reverie that adjusts itself based on brain-wave activity; a self-driving Lyft vehicle; and a plush Aflac duck robot with three patents pending that uses a mixed-reality app to help comfort kids coping with cancer.

Come back tomorrow for additional coverage of NACD and Grant Thornton’s board-focused CES Experience.

A Walk-Up to CES: What to Expect from the Annual Tech Extravaganza

Driverless vehicles; virtual and augmented reality; wearables that monitor health, sleep, and stress; smarter features for the home and cities; and bigger, thinner televisions. Innovation has always been central to what used to be called the Consumer Electronics Show, which this year marks its 51st anniversary. These are just some of the product categories being touted in advance of the opening next week of CES in Las Vegas.

For the first time, NACD and Grant Thornton LLP will host CES Experience, which will include a tour for a small group of directors that is curated by Shelly Palmer. This annual hub of technology innovation now spans nearly a mile in and around the Las Vegas convention center. It is a colossal undertaking both for attendees and the organizer, the Consumer Electronics Association, which this year brings together 3,900 exhibitors, 67,321 exhibit personnel, more than 109,000 attendees, and some 7,400 members of the media.

There are 600 startups in just one wing of the show.

When NACD’s Chief Programming Officer Erin Essenmacher attended CES last year, she was nearly overwhelmed by the sheer number of exhibitors introducing potentially game-changing products. To both maximize her time and see those exhibitors most likely to be showing a next-generation gadget, Essenmacher recognized that a director-centric guided tour of this mecca of innovation could benefit NACD members.

An autonomous vehicle from Ford that was on display at CES 2017 delivers Domino’s Pizza.

CES 2018 opens Tuesday, Jan. 9, with a keynote address by Ford Motor Co. president and CEO James Hackett, the first “non-car guy” to helm the 114-year-old automaker. Hackett has proclaimed the new Ford to be a mobility technology company, with vehicle safety to be driven by innovations in artificial intelligence (AI) rather than new material or safety features. Since he took the reins in May, Hackett, formerly president and CEO of Steelcase, has invested in self-driving and electric-powered autos and car-to-car communications. Ford was the first automaker to exhibit at CES at least 11 years ago, and over the years almost every major automaker has become a regular. Innovations in the automotive industry have become so ubiquitous at CES that the North Hall of the convention center has been dubbed the “Las Vegas auto show.” At least 12 of the more than 200 information sessions at CES will be devoted to automotive-related topics such as cybersecurity and who insures the driverless car.

Part of NACD’s curated tour will be spent exploring person-to-machine interfaces and machine-learning sensors that can detect humans’ moods. Directors will also see advancements in haptic (from the Greek haptesthai, “to touch”) technology, which has evolved beyond vibration to synthesize feedback from even simple hand gestures made on a tactile screen.

At the end of each day, directors will have an opportunity to be debriefed by Palmer and compare notes over dinner.

I will be blogging for NACD from CES and colleagues will be posting on social media.

Judy Warner is editor in chief of NACD Directorship magazine. 

Spring Proxy Season 2018: Early Projections

What proxy-season forces will shape companies' plans for 2018? What trends will heat up the next proxy season and beyond? That’s a burning question for the 80 percent of public companies that hold annual meetings during the first half of the year according to statistics from Broadridge, as well as for those that will wrap up the year later in the fall mini-season. Prognosticating what’s to come this season is no easy task, since proxy season is a complex process.

Sometimes the trends we predict are no more than wishful thinking. To make plausible predictions, we must find empirical clues from shareholder resolutions (hundreds each year), director elections (at thousands of companies each year), and then consider the activity that happens behind the scenes in private dialogue.

Bearing in mind our evidence, we can ask a number of questions:

  • What new rules will be effective? New requirements will raise expectations during this proxy season.
  • What proposals were most successful in 2017? Success (getting more than a 50 percent vote) emboldens proponents, so these issues are unlikely to go away.
  • What proposals were most frequent in 2017? Even if vote tallies are low, proponents may try again.
  • What proposals or other actions are being planned right now for the 2018 spring season—based on survey data and other sources?

After seeking answers, we will conclude with what we think will be hot in the 2018 proxy season.

Clue 1: What new rules or policies will be effective?

Proxy seasons can be shaped by new rules put in place by the Securities and Exchange Commission (SEC), as well as by new voting policies from proxy advisors such as Institutional Shareholder Services (ISS). This spring, a few major developments are notable. First, this is the first year that the pay ratio rule will require disclosure of the ratio between the total pay of a company’s median employee and its CEO (or, alternatively, the median total pay of all the company’s employees, minus the CEO). Despite new SEC guidance on calculation, the results, when disclosed prior to the annual meeting, are likely to spark some shareholder outcry at annual meetings.

A few additional issues stand out based on 2018 ISS Americas Proxy Voting Guidelines Updates. ISS has said that it will support shareholder proposals asking for more disclosure on environmental risk, and its updates point to recent policy changes from the Task Force on Climate-Related Financial Disclosures (TCFD). “The updates to ISS’ climate change risk policy better aligns it with the TCFD’s recommendations, which explicitly seek transparency around the board and management’s role in assessing and managing climate-related risks and opportunities,” the report says. Other proxy season trends may include more support for resolutions opposing excessive director pay and resolutions supporting gender pay equity, as predicted in this recent report from Gibson Dunn.

Clue 2: What proposals were successful last year?

Let’s look at the most successful proposals at the 250 largest companies by revenue throughout 2017 according to full-year data from Proxy Monitor. This source is representative of broader trends because, as noted in Proxy Monitor’s early 2017 overview, shareholder proposals are more common at the largest companies. Moreover, “the companies in the Proxy Monitor database encompass the majority of holdings for most diversified investors in the equity markets, making this analysis appropriate for the average shareholder.”

According to the report, governance proposals seem to take the prize. Fifteen of the 294 investor proposals at the top 250 public companies in 2017, or about 5 percent, received a majority vote. Most of these winners can be called “corporate governance” proposals, rather than social issues. Three were for environmental impact reports (at Occidental Petroleum Corp., Exxon Mobil Corp., and PPL Corp.), but all the rest had to do with governance.

Five proposals were victories for proxy access (National Oilwell Varco, Humana, IBM, and Kinder Morgan, Inc.), five for simple majority voting (Cognizant Technology Solutions Corp., Marathon Petroleum Corp., L Brands, Paccar, and First Energy Corp.) and two were specific governance proposals. Shareholders at CVS Health Corp. voted to reduce required ownership to call a special meeting, and shareholders at ADP voted to repeal a bylaw provision that had been adopted without shareholder approval. That vote happened in November, in the so-called “mini-season” (the one experienced by the 20 percent of companies that hold their annual meeting in the second half of the year).

Clue 3: What proposals were most frequent last year?

Now let’s look at the resolutions proposed most frequently last year. Looking again at the 294 resolutions studied in the Proxy Monitor data, the trends are clear. Classifying the proposals generally into the three categories, we see that social policy, with 164 resolutions, was the most popular proposal category, followed by corporate governance issues at 107. Executive compensation did not draw shareholder ire; only 23 resolutions focused on it, down from higher levels in the past.

  • Within social policy, the double-digit issues raised across at least 10 companies were environmental (48 issues were proposed—or 52 if you count four “sustainability metrics” proposals), lobbying (38), political spending (13), employment rights (17), gender equality (12), and human rights (12).
    Diversity proposals are also notable. Although they were relatively rare compared to other 2017 issues, they showed signs of growth. There were only three such proposals at major companies the previous year, while there were five in 2017. Furthermore, although they did not propose board diversity resolutions, State Street Corp., a major institutional investor, voted against directors serving on nominating committees for boards without women, and BlackRock also voted no at some boards over the diversity issue.
  • Within corporate governance, the double-digit issues were chair independence (28 resolutions), proxy access (22), and special meetings (15). Remaining corporate governance issues were introduced at 9 or fewer companies. Although ISS flagged director overboarding as an issue for 2017 and revised its guidelines accordingly, there were no proposals about this last year.
  • Finally, within executive pay, no particular issue dominated. Various new requirements in pay approval and pay disclosure (say on pay, pay ratio, etc.) have largely resolved this issue.

Clue 4: What proposals or other actions are being planned for 2018?

As of early January 2018, we have little data on shareholder resolutions to be included in 2018 proxy statements. While some companies have already released their 2018 proxies, none of these contain shareholder resolutions. However, we do know what ISS is recommending with respect to shareholder resolutions in the newest revisions to its proxy voting guidelines for 2018.

As reported in the Wall Street Journal on December 22, companies preparing their 2018 proxy statements can expect “continuing pressure from investors to enhance disclosures regarding board composition, climate change risk, and cybersecurity.” The prediction is based on a survey conducted by executive search firm Russell Reynolds. Secondary trends included the usual mix of corporate governance, board composition, and executive compensation.

Of course, shareholder proposals are not the only way to change a company. Instead of submitting a shareholder resolution on an issue, a shareholder can wage a so-called proxy fight by sending investors a separate proxy voting card with an alternative slate of directors, or, in the case of companies with proxy access, by including a dissident slate in the company’s proxy. (There is still no such thing as a universal proxy card that allows investors to mix and match candidates from the nominating committee and dissidents, despite an SEC proposal in that regard.) According to FactSet, 2017 saw 75 proxy fights for board seats. While this is fewer than in 2016—which at 101 proxy fights was a banner year—the battles were waged upon household names: ADP, General Motors Co., and Procter & Gamble Co., among others.

What’s Hot and Why

Here is our short-list of five proxy issues that are likely to appear in 2018.

  1. Pay Ratio. Shareholders will be reading these disclosures for the first time.
  2. Environmental proposals. They have been both frequent and successful in recent times, and ISS is drawing attention to them again this year.
  3. Governance mechanics. Why? Because they matter. They are rarely discussed by bloggers due to their dry and technical nature, but governance issues continue to be popular proxy issues, with more than 100 last year, and with the highest rate of success (12 wins last year—a strong result since majority votes on resolutions remain extremely rare).
  4. Activism. As Douglas Chia, head of corporate governance at the Conference Board, stated in a recent Equilar report, “public company boards will have their work cut out for them in 2018 with activism continuing to dominate the governance landscape.”
  5. Behind the scenes changes. A number of new NACD publications—notably the 2018 Governance Outlook and the 2017–2018 NACD Public Company Survey—shed more light on the upcoming season from behind the scenes.

The next blog predicting proxy season scenarios will highlight NACD research—and more clues to inform your board’s proxy season planning.

Looking Forward to 2018: The Top Risks

Jim DeLoach

The top risks for 2018 provide interesting insight into changing risk profiles across the globe. Protiviti and North Carolina State University’s Enterprise Risk Management Initiative have completed the latest survey of 728 directors and C-level executives regarding the macroeconomic, strategic, and operational risks their organizations face.

We ranked the top risk themes in order of priority, providing a context for understanding the most critical uncertainties companies are facing as they move forward into 2018.

1. The rapid speed of disruptive innovations and new technologies within the industry may outpace the organization’s ability to compete or manage risk appropriately. With advancements in digital technologies and rapidly changing business models, are organizations agile enough to respond to developments that alter customer expectations and require change to their core business models? Disruption of business models by digital innovations is a given in this environment. Even when executives are aware of emerging technologies that obviously have disruptive potential, it is often difficult for them to have the vision to anticipate the nature and extent of change and the decisiveness to act on that vision. In this environment, emotional attachment to the business model can be dangerous because significant adjustments to it are inevitable.

2. Resistance to change could restrict the organization from making necessary adjustments to the business model and core operations. This risk and the risk of disruptive change present a dilemma to companies. On the one hand, there is concern about inevitable disruptive change and, on the other hand, a fear the enterprise will not be agile and resilient enough to adapt to that inevitability. This resistance could lead to failure to innovate and force reactionary responses when it’s far too late.

3. The organization may not be sufficiently prepared to manage cyber threats that could significantly disrupt core operations and damage its brand. To no one’s surprise, this risk is listed among the top five risks in each of the four size categories of organizations we examined. Both directors and CEOs rated this risk as their second highest risk concern. Technological advancement is constantly outpacing the security protections companies have in place.

4. Regulatory changes and scrutiny may heighten, noticeably affecting the manner in which organizations’ products or services will be produced or delivered. Regulatory risk, which has been one of the top two risk concerns in all prior years that we have conducted this survey, has dropped some in 2018. However, it is still a major concern for executives and directors. Sixty-six percent of our respondents rated it as a “Significant Impact” risk.

5. The organization’s culture may not sufficiently encourage timely identification and escalation of significant risk issues that could notably affect core operations and achievement of strategic objectives. This issue, coupled with concerns over resistance to change, can be lethal if it leads to the organization’s leadership losing touch with business realities. If there are emerging risks and the organization’s leaders are not aware of them, the entity has a problem.

6. Succession challenges and the ability to attract and retain top talent may limit the ability to achieve operational targets. Likely triggered by a tightening labor market, this risk is especially prevalent for entities in the consumer products and services, healthcare and life sciences, and energy and utilities industries. To thrive in the digital age, organizations need to think and act digital, requiring a different set of capabilities and strengths. This risk indicates that directors and executives believe their organizations must up their game in acquiring, developing, and retaining the right talent.

7. Privacy, identity management, and information security risks may not be addressed with sufficient resources. Given the high-profile reports of hacking and other forms of cybersecurity intrusion reported in 2017, this risk is somewhat expected. As the digital world evolves and enables individuals to connect and share information, fresh exposures to sensitive customer and personal information and identity theft also spring up.

8. Economic conditions in markets the organization currently serves may significantly restrict growth opportunities. However, the drop in this risk’s ranking from prior years suggests that respondents seem more positive about macroeconomic issues going into 2018.

9. Inability to utilize data analytics to achieve market intelligence and increase productivity and efficiency may significantly affect core operations and strategic plans. Respondent concerns are growing regarding their company’s ability to harness the power of data and advanced analytics to achieve competitive advantage, manage operations, and respond to changing customer preferences. In the digital age, knowledge wins. Advanced analytics are the key to unlocking insights that can differentiate companies in the marketplace.

10. Companies that were not “born digital” face significant operational challenges. Companies that are not steeped in digital operational culture may not be able to meet performance expectations related to quality, time to market, cost, and innovation. Competitors with superior operations—and those digital companies with low operations costs—present notable risk that is only heightened in the digital economy. Hyperscalability of digital business models and lack of entry barriers enable new competitors to emerge and scale redefined customer experiences very quickly, making it difficult for incumbents to see change coming, much less react in a timely manner to preserve customer loyalty.

The overall message of this year’s study is that the rapid pace of change in the global marketplace creates a risky operating environment for entities of all types. The board of directors may want to evaluate its risk oversight focus for the coming year in the context of the nature of the entity’s risks inherent in its operations. If their companies have not identified these issues as risks, directors should consider their relevance and ask why not.

Jim DeLoach is managing director of Protiviti. 

Cyber-Risk Management for Directors Should Start at Home

Frederick Scholl

There are many posts on the NACD Board Leaders’ Blog discussing cybersecurity, but all of them deal with directors’ responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should cover both the home and the professional office.

Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as high-net-worth individuals. Cybercriminals always target the weakest link, and as corporate information security improves, they increasingly will target the home networks of key executives and directors.

Breaches such as the one that occurred in the summer of 2017 at Equifax have put so much personal information into the hands of criminals that individuals increasingly will become targets. Directors represent a perfect demographic cross section to be attacked. Attack vectors may include phishing, ransomware, and social media.

Earlier this year, an employee of the National Security Agency was in the news after government secrets were apparently stolen from his home network. Directors with access to confidential strategic or financial information should make sure their home networks are protected above and beyond the usual consumer-grade defenses. Another attack path may be through tools and services used by directors. In 2010 attacks were reported against a prominent meeting portal for corporate boards. It is not clear if any sensitive information was stolen at that time.

What more should directors do?

First, make sure your home network is built to corporate standards. You need a commercial firewall, not just a consumer router. Most critically, any devices—especially firewalls and routers—should be set to auto-update their security firmware. Auto-update is now included in the Windows 10 operating system, in most smart phones, and in many home network devices, but not in devices more than a few years old. Anything you put on your network will be found to have vulnerabilities, so this software and firmware update feature is critical to keep hackers out.

Password strength and protection represent a second critical area. Many breaches result from theft of user credentials such as username and password. You should use two-factor authentication to log in to sites with your financial or personal information. Two-factor verification utilizes a second security barrier to verify with the application or website that the person logging in is, in fact, you. For instance, applications for your smart phone such as Google Authenticator and Duo Security generate one-time tokens that serve as a second factor. More familiar is the text messaging that many sites still use to send one-time codes to users. This process has been deprecated by the Federal government because of potential eavesdropping attacks, so use the dedicated security apps, if possible. Still other financial sites do not yet have any two-factor authentication available. For these, make sure to use strong passwords that contain at least 12 characters, and that preferably can be pronounced. Such complex passwords should be managed using password vaults like LastPass or KeePass.

The last factor to consider is encryption. Never store any sensitive data online without encrypting it and protecting it using a password known only to you. It is true that collaboration sites like Dropbox do encrypt the data saved there, but the companies still have the encryption keys and can view the data. These keys can be hacked or stolen by a disgruntled employee. That level of encryption is fine for 99 percent of the information you store online. But for the other, essential 1 percent of information—especially personal or corporate sensitive material—only you should have the encryption key. Applications like Boxcryptor integrate with Dropbox and enable you to further protect your information.

These three security precautions will help you keep your personal and professional information secure. Since threats and vulnerabilities are constantly changing, you should keep up to date using the NACD Cyber-Risk Resource Center and other sources of information on this topic. Also consider attending the NACD Global Cyber Forum in Geneva, Switzerland, April 17–18, 2018. You’ll hear from leading international directors, executives, and security professionals on how to protect sensitive corporate information.

Frederick Scholl is president of Monarch Information Networks, and is adjunct professor of computer science at Lipscomb University in Nashville, TN. All thoughts expressed here are his own.

Culture: The Board’s Expanding Frontier

Peter R. Gleason

With headlines trumpeting high-level firings for “inappropriate behavior” in a variety of domains, it’s become more obvious than ever that corporate culture matters, and that boards should oversee it. So what exactly is corporate culture, and how can it be overseen? These questions might sound new, but they are as old as the corporate governance movement that began some 40 years ago when NACD was founded. Indeed, for the past four decades, the role of the board in overseeing corporate culture has been growing in breadth and depth, and much can be learned from history.

  • The Foreign Corrupt Practices Act of 1977 made the board a vigilante against foreign bribes. The original law made it illegal to do business abroad “corruptly” and required “internal controls” through oversight of books and records.
  • In 1987, the Committee of Sponsoring Organizations of the Treadway Commission put the board on alert against misdeeds not just in faraway lands but down the hall: its Treadway report required independent audit committees to prevent fraud in general.
  • Another decade later, in 1996, the Delaware Chancery Court’s decision In re Caremark International Inc. said that directors have an affirmative duty to seek reasonable assurance that a corporation has a system for legal compliance. Soon thereafter, NACD published its first handbook on ethics and compliance, authored by NACD pioneer Ronald “Ronnie” Zall, an attorney and educator then active in the NACD Colorado Chapter, which later established the Ronald I. Zall Scholarship in his honor.
  • In late 2007, as global equity markets went into panic mode, NACD forged Key Agreed Principles of Corporate Governance for U.S. Public Companies, highlighting all areas of agreement among management (the BRT), directors (NACD), and shareholders. Our report, published in 2008, stated that boards must ensure corporate “Integrity, Ethics & Responsibility.” NACD Southern California Chapter leader Dr. Larry Taylor began writing on “tone at the bottom,” publishing a series of articles and books on the topic over the next several years.
  • And now, in 2017, board oversight of culture has become more important than ever. Our NACD 2017 Blue Ribbon Commission Report on Culture as a Corporate Asset provides useful guidance.

NACD’s 2017 Commission made 10 recommendations, starting with this one:

The board, the CEO, and senior management need to establish clarity on the foundational elements of values and culture—where consistent behavior is expected across the entire organization regardless of geography or operating unit—and develop concrete incentives, policies, and controls to support the desired outcome. The Commission report explains that these foundational elements involve two sets of standards: first, the values and behaviors that help the company excel and that are to be encouraged, and second, the behaviors for which there is zero tolerance.

As I write this blog in December 2017, the business media are continuing to report firings or sabbaticals for executives—some 20 in the past eight weeks alone—over reportedly inappropriate conduct or speech. Many of these pertain to sexual harassment, but the corporate desire to clean house seems to be spreading like wildfire to other domains. One executive was recently fired for making a disparaging remark about regulators in private conversation to a former employee. Could a policy have prevented this? I think so.


The NACD Commission urges a proactive approach backed by policies and training. The good news is that many companies are taking preventive action. A Wall Street Journal article titled “Harassment Scandals Prompt Rapid Workplace Changes” cites numerous companies that are instituting training to avoid bad behavior in the workplace. Some like Vox Media and Uber Technologies are responding to scandals. Others like Dell, Facebook, Interpublic Group of Cos., and Rockwell Automation are acting more proactively.

Boards in these companies and others are starting to oversee culture in proactive ways, but they still have a long way to go. Our most recent 2017–2018 NACD Public Company Governance Survey found that oversight of culture is stronger at the top than at lower levels, but that boards are taking steps to correct the imbalance.

The best cultures don’t happen by accident. They are intentional. They happen when a company makes a concerted effort to foster a good culture.

Understanding Climate Resilience Is Requisite for Climate Competence

Underlying the growing pressures for climate-competent boards is this fundamental question: how resilient is the organization to the impacts of climate change?

Few organizations or boards are capable of answering this question with any degree of certainty. Yet, the question is being raised with greater frequency and urgency due to actions by investors, regulators, customers, supply-chain partners, and competitors.


Across every industry the increased focus on climate change is accelerating other megatrends such as disruptive technologies, digitization, urbanization, and evolving demographics. Underpinning these megatrends are a combination of technological leaps and upheavals in global society and the environment that will reshape economies, businesses, and lifestyles. For example, over $1 trillion worth of new markets for manufacturers are expected to develop over the next decade as industries transform. This shifting landscape creates many uncertainties, risks, and opportunities for new products, services, supply-chain structures, and improvements in resource management, among many others.

Taken as a whole, these pressures are driving companies to better assess, define, and enact strategies to increase their climate resilience. In their strategic oversight role, boards need better insights on the direct impacts of climate change on the organization as well as the indirect risks and opportunities associated with transitioning to a lower-carbon economy.

Yet, recent NACD corporate governance survey data suggests that many boards need a rethink on this issue. A mere 6 percent of respondents indicated that climate change would have the greatest impact on their businesses over the next year. The previous year’s report found that over 90 percent of public company directors believe that climate change would have negligible impact over the next five years.

Companies that focus primarily on climate change’s projected physical impacts, expected to play out over the coming decades, will have “blind spots” to the indirect risks associated with the transition to a lower-carbon economy. Companies must go on the offensive to build climate resilience in order to gain competitive advantage.

Climate resilience is the capacity to adapt and succeed in the face of direct and indirect impacts of climate change. In addition to addressing and managing risks, it encompasses the ability to capitalize on the strategic opportunities presented by the shift to a lower-carbon and resource-constrained economy.

To provide boards with a line of sight into their organization’s climate resilience, management teams can undertake one or more of the following actions:

  • assess climate vulnerability of operations and facilities;
  • embed climate impacts into enterprise risk management programs; or
  • undertake scenario analysis to enhance decision making around risks and opportunities.

As a start, companies can model the risk of physical assets to identify location-level risk exposure and the vulnerability of properties and assets to evolving weather events and climate change. A geographic portfolio review can also help map demographic and infrastructure vulnerabilities to natural hazards to better understand how supply chains may be impacted by weather events.

Existing enterprise risk management (ERM) and risk assessment processes can be used to increase awareness of climate risks and better assess resilience across the organization. Leading organizations are using their ERM processes to identify how direct and indirect climate impacts—including regulatory and technology developments—serve to accelerate or otherwise change the velocity of other trends and risk events. Framing climate as a risk driver helps to align the timeframe of the risk and opportunity assessment to that of most corporate planning cycles.

Scenario analysis is recommended by the Financial Stability Board’s Task Force on Climate-related Financial Disclosures as a technique to assess climate impacts. Modeling different environmental scenarios (such as warming by a margin of 2 degrees Celsius and associated changes) gives form to the amorphous problem of climate change and provides mechanisms to discuss potential future states of operation. In selecting and devising scenarios, companies should consider the appropriate trade-offs in quantification, but also avoid excess complexity and optionality. When assessing operational climate-risk resilience, it is critical to include at least one favorable and one unfavorable scenario. This empowers organizations to make informed decisions regarding their longer-term strategies.

Overall, it is clear that the dialogue on climate change within boardrooms and among C-suites of companies across all sectors must evolve to a focus on how climate change will impact their businesses. The real measure of a climate-competent board is one that can address this critical question: how climate-resilient is the organization?

Lucy Nottingham is a director in Marsh & McLennan Companies’ Global Risk Center and leads research programs on governance and climate resilience.

Ten Simple Questions for an Effective Discussion of Information Security

Tom Killalea

Information security should be one of the most important risk areas of focus for boards. However, according to the 2017–2018 NACD Public Company Governance Survey, 88 percent of surveyed directors indicated that they had only some or little knowledge about how to navigate cyber risk. It’s clear that too few directors feel qualified to have this conversation in any degree of depth.

When I joined Amazon.com in 1998, Jeff Bezos, the company’s CEO and chair, viewed security as the most threatening, potentially company-ending risk that the company faced. Since then, many companies have come to regard security risk to their technology, and to the infrastructure on which they depend, as the greatest existential threat to their enterprise. Yet boards struggle to quantify these risks, to determine their tolerance for security risks, and to assess the company’s security program.

In their discussions of security risk, security leaders and board members are constrained by time, frame of reference, shared vocabulary, experience, and understanding of the adversary. Board members could use some help.

I propose ten simple questions that could enable discussion, provide board members with a lens through which they can broadly view the company’s security program and posture, and prompt security leaders to build a shared understanding of the company’s risk profile, threat landscape, and most important security initiatives.

1. Who is in charge?

It is critical for the board to identify the most senior information security leader in the company. This should be a person explicitly designated to lead the program, with the requisite skills, resources, and authority to execute it. This person commonly goes by a title such as chief information security officer (CISO), chief security officer, or head of security, among other titles. Sometimes, companies will take a tiered approach to security. In such cases, the leader of the security team plays a pivotal role, and the board needs to be comfortable that their position and authority is consistent with the importance that the board places on security.

If you identify someone who has security as one responsibility among a portfolio of others, it’s necessary to determine who has single-threaded focus on information security. Once that person is identified, you can discuss whether they have the proper ownership and resources to go with the responsibility, their reporting chain, the support that they receive from the rest of the company, and their relationship with the board. Regardless of who they directly report to, this person should be accountable to the board.

2. How do we assess risk?

Security is about risk management. It’s critical for directors to understand the process of identifying and analyzing security risks, how their likelihood and impact are estimated, how the appropriate controls are prioritized and implemented, how their efficacy is tested, and how results are monitored. Some potential security events are low probability and extremely high impact, making it more difficult to compare them to other risks. Nevertheless, it’s critical to go through the exercise of determining risk appetite, assessing and qualifying risk, quantifying overall exposure, and placing it within the company’s overall risk management framework. Finally, it’s important to be candid about your confidence in the risk assessment.

3. Are we focused on attacks?

It’s important to focus on managing the most critical threats and on breaking the attack kill chain—the structure of an intrusion—rather than to engage in “security theater,” or activities that give the appearance of competence while lacking in substance. Budgets are limited and security talent is in very short supply, so resources should be focused on establishing an architecture that has sufficient defense in depth, resilience, and intelligence to survive modern attack types.

Traditional approaches to defensive security that were dependent on protecting the perimeter of the enterprise continue to prove insufficient. Today, defenders must understand the adversary’s attack mechanisms, work backwards from the path of the attack, layer defensive measures throughout the enterprise, intervene before the attacker can extract sensitive data, and teach employees and customers to play their crucial part.

4. What’s our most important asset?

This question shouldn’t take long to answer. It should drive a discussion between the board and the security leader about how data and services are classified, the policies that are established for their defense, and the required and recommended controls for each class. When a new service is established, this classification framework in combination with the new service’s threat model should make it relatively easy to decide who is responsible for mitigating threats and what controls should be put in place.

When asked to rank their biggest cybersecurity fears, 41 percent of directors said they are most worried about brand damage. While customer trust is the key asset in many businesses, it’s important to identify the specifics of what would be the most devastating loss for the company. It’s only then that a thorough, qualitative assessment of the most critical components of the security program can occur.

5. How do we protect our most important asset?

Board members can calibrate the overall risk profile of a security program once they understand how the most precious asset is protected. The answer to this question should discuss the high-level threat model for that most important asset and, in the context of modern attack patterns, the mechanisms used to defend it. The answer should reflect that this is a journey on terrain that is shifting. There should be an iterative process of quantifying the risks of different threats, and of mitigating the most significant ones.

6. What’s our biggest threat?

This question forms the heartbeat of the conversation between the board and the security leader. It provides an opportunity to describe the company’s current security posture and its target state, and to refresh the board on the evolving threat landscape, the lessons to learn from emerging attacks, and the measures that the company is taking to mitigate the threats. For many companies, security risk is sufficiently important to warrant a discussion of this question at every board meeting, perhaps with a summary of the threat models for any major new products or services, and a review of the most significant risks at any recently acquired companies. When board members hear grandiose plans to address the biggest threat, but the deliverables are more than 18 months away, they may wish to ask for approaches to improve today’s posture without necessarily derailing the long-term solution. Don’t make the perfect the enemy of the good.

7. What do we control?

The board should assess the degree to which the company’s security policy and practices are explicit and prescriptive. Board members should be very suspicious of a security leader who claims to have complete control of the technology platform and the tools that employees use. Full control is usually a dangerous illusion, and any autocratic attempt to achieve it can lead to inflexibility and to employees working against or around the security program. Security should be viewed as a collective responsibility, rather than as a fixed constraint. Boards spend time assessing internal controls that, for example, provide confidence in custody over sensitive data and in the accuracy of financial reporting. Effective security leaders will distinguish between controls and control, and will strive towards “getting to ‘yes,’” rather than being the one who always says no. Getting to yes is easier if employees buy into a decision and if the path of least resistance is for them to do the right thing by default.

8. Are incident response and recovery plans tested?

This is one of those questions to which the answer can be “no” at most once. In the common case this question will lead to a review of responses and recovery from real incidents, in addition to a summary of simulated attack exercises, consideration of the fidelity of such exercises, and lessons learned. It provides the board with a view of the company’s capabilities in communication, response planning, incident analysis, risk mitigation under duress, and leadership.

9. Would we know if we’d been compromised?

Security technology vendors may tout breakthroughs that provide the ability to identify and prevent attempted compromises with perfect precision and recall. An effective conversation between a security leader and a board will take as a given that not all attacks can be identified and prevented, and that compromises may already lurk undetected. This should lead to a discussion of actions to make prevention as strong as possible, to improve the probability of detecting lurking intruders, and to reduce the likelihood that they reach critical assets and extract them.

In a world where the edge of the company’s technology footprint is increasingly blurred, where the sophistication of attacks outpaces security awareness, and where advanced persistent threats are used by adversaries, it’s inevitable that the answer to this question will be nuanced.

10. Who would be told, and how do we expect them to respond?

Communication is a key part of a successful incident response plan. Each person, including the board, needs to know his or her role in communicating about incidents internally and externally. The question goes beyond incident handling to include recovery processes and the proactive management of any reputation impact that may arise from the incident.

As a board member, it’s worth thinking about two questions that I used back in 1998 to get Bezos thinking about his role in incident response:

  1. In the event of a high-severity security incident, do you think you’d be told?
  2. Would you like to be told?

Response and recovery go hand in hand. It’s tempting to avoid putting significant effort into planning for recovery from a major security incident, and while everyone would prefer to focus on prevention efforts with a goal of zero incidents, the reality is that there’s no such thing as perfect security. The recovery plan is part of responding to the incident, learning from it, managing communications, and getting the company back in business. A well-executed recovery plan has the potential to limit the reputation damage caused by the event, and to help management and other stakeholders to move beyond it.

Finally, a bonus credit question: Do you have the team and the budget that you need to be successful in managing the company’s security risk?

These 10 questions are a starting point for a longer conversation. Directors and the security leader should regularly employ a more thorough framework, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, to begin building a deeper understanding of their company’s security posture. While the NIST framework goes to considerably more depth, these 10 questions are intended to get to the essence of what is most important for a board to periodically review.

Tom Killalea (@tomk_) is a director of Capital One Financial Corp., MongoDB, Carbon Black, and Orreco. From 1998–2014 he served in various leadership roles at Amazon.com, including vice president of technology and CISO. All opinions expressed here are his own.