The Role of Software Patches in Cyber-Risk Mitigation

Jim DeLoach


Equifax is not just another organization that was breached. The company was named one of Forbes’ “World’s 100 Most Innovative Companies” for three years straight, from 2015 to 2017. The recent breach of the company’s U.S. online dispute portal web application has raised serious questions about whether boards of directors and senior management are asking the right questions about actions their organizations are taking to protect themselves from cyberthreats. Are boards probing to discover what they don’t know?

In September, Equifax announced a massive breach exposing the personal information of over 40 percent of the U.S. population. The company’s stock declined almost 14 percent after the announcement, and heads rolled over the ensuing three weeks—first the chief information officer (CIO) and chief information security officer (CISO), and then the CEO. The pervasive headline effect of this incident has been as persistent as any in memory.

There are many important aspects of cybersecurity that the board is expected to tend to, including understanding what the organization’s “crown jewels” are and which business outcomes management seeks to avoid, understanding the ever-changing threat landscape, and having in place an effective incident response program, to name a few.

But this discussion is more specifically about the systems vulnerabilities we know about. That’s the elephant in the room.

The sage advice—if your flank is exposed, fortify it before you get overrun—seems to apply here. Even noncombatants understand the value of protecting exposed flanks in desperate battle. A known vulnerability is most certainly an exposed flank, particularly when sensitive data is involved.

Enter the role of software patches.

A patch is a software update installed into an existing program to fix new security vulnerabilities and bugs, address software stability issues, or add a new feature to improve usability or performance. Often a temporary fix, a patch is essentially a quick repair. While it’s not necessarily the best solution to address the problem, it gets the job done until product developers design a better solution for a subsequent product release.

The Equifax incident raises the question as to why the company didn’t implement the appropriate patch to its systems when the vulnerability was first identified. To be fair, other companies have suffered a cybersecurity event because they failed to implement a patch in a timely manner, and we have no insights into the unique circumstances at Equifax. Admittedly, patching software at a large organization with multiple, complex systems takes a considerable amount of time. But, for boards and executive teams everywhere, the Equifax episode serves as a stark reminder of the importance of understanding the company’s cybersecurity strategy and tactics to pinpoint whether they know what they need to know.

Often, in our security and privacy consulting business at Protiviti, we see companies implementing patches within 60 to 90 days of discovering a systems vulnerability. We have seen some high-risk patches not applied at all for fear of breaking legacy applications; in effect, the organization simply accepts the risk of not applying these patches and, as an alternative, works to mitigate it. Based on our experience, 30 days from release to deployment is typically the “gold standard” for the time it takes to apply a patch.

Is the gold standard enough? Companies are essentially leaving themselves exposed for 30 days. Meanwhile, they may lack the advanced detection and response capabilities to detect unauthorized activity occurring during that time. Organizations with a well-designed vulnerability management program quickly patch known vulnerabilities for critical public-facing services. For example, we see companies setting service level agreement targets of 72 hours, with some striving for 24 hours or less to limit the damage of an attack.

Simply stated, boards need to inquire as to the target duration from release to deployment to shore up cybersecurity vulnerabilities and, if it’s 30 days (or more), question whether that is timely enough, especially when public-facing systems are involved and sensitive personal information is exposed. Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image cry out for this oversight.

It is vitally important to scan public-facing systems immediately upon notification of critical vulnerabilities; “same day” should be the target. In addition, patch deployment should be tracked and verified as part of a comprehensive information technology (IT) governance process. It’s not enough to merely push out a patch. A comprehensive IT governance process should confirm that the risk truly has been mitigated on a timely basis.

Directors and executives should also be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Given the increasing sophistication of perpetrators, simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and security teams can respond timely.

We know that an organization’s preparedness to reduce an incident’s impact and proliferation after it begins is an issue (i.e., the lapsed time between the inauguration of an attack and its detection is too long). Often, it takes over 100 days until suspicious activity is discovered; about 50 percent of the time, organizations learn of breaches through a third party.

In nearly every penetration test Protiviti conducts, the client authorizing the test fails to detect our test activity. Many organizations seem to think that if they outsource to a managed security service provider (MSSP), the problem will be solved—as if a box has been checked. However, we see time and again that this is not the case. Often, there are breakdowns in the processes and coordination between the company and the MSSP that result in attack activity occurring unnoticed. Not many organizations are focusing enough on this failure of detective controls to identify breach activity in a timely manner.

These two fronts—how long it takes to implement a patch, as well as detect a breach—inform the board’s cyber-risk oversight. Every organization should take a fresh look at the impact specific cybersecurity events can have and whether management’s response plan is properly oriented and sufficiently supported. For starters, directors should ensure they are satisfied with the elapsed time:

  • For patching identified system vulnerabilities;
  • Between the initiation of an attack and its ultimate discovery;
  • Between the discovery of a security breach and the initiation of the response plan to reduce its proliferation and impact; and
  • Between the discovery of a significant breach and the undertaking of the required disclosures to the public, regulators, and law enforcement in accordance with applicable laws and regulations.

Today’s optics regarding egregious security breaches, corporate stewardship expectations, and the related impact on reputation and brand image beg for careful oversight.

Career Partners International Barcelona Hosts Conference with Top Global HR Thought Leaders

The Barcelona office of Career Partners International (CPI), one of the largest career management firms in the world, held its annual HR Conference on October 6th. CPI’s Barcelona firm, Advantage Consultores, has held this conference since 2014, and more than 200 HR professionals from over 30 countries attended the conference to discuss thought leadership in HR.

The speakers represented a diverse group of HR professionals from around the world and across different industries. They spoke on a wide range of subjects, including the future of work, selection, digitalization, new talent, talent management, and other HR topics. Some of the featured speakers were Donna Venable, Executive Vice President of Human Resources at Ricoh USA, Yolanda Menal, HR Director at Unilever, and Franz Deitering, Vice President & COO at Global Future of Work Foundation.

“Change is the new normality, speed is everything, people are at the centre,” said Sylvia Taudien, the Event Organizer and founder of Advantage Consultores. “And the new working models will be disruptive and more collaborative.”

The 5th International HR Conference Barcelona will be on October 5th, 2018. For more information on the conference, visit their website.

Career Partners International’s global network of offices and experts guarantees excellent, personalized services with cutting-edge technology whether in a local market or cross-continent business to improve engagement of your employees that yields impressive business results and reduces unwanted attrition.  To learn more about Career Partners International’s wide range of business-evolving offerings, visit CPI World.

About Career Partners International
Founded in 1987, Career Partners International is a leading provider of Outplacement, Career Management, Executive Coaching and Leadership Development services from more than 300 offices in over 45 countries.  Employers around the world trust Career Partners International’s local market experts to provide the best possible outcomes for employees across Canada, the United States, Latin America, Europe, Middle East and Africa, and Asia Pacific regions.


Boards Can Do More to Align on Cybersecurity

Organizational cybersecurity is one of the biggest challenges facing companies today. The most recent in a string of headline-grabbing data breaches involved U.S. credit-reporting company Equifax, an event that exposed the private information of some 143 million customers. Grilled on Capitol Hill about the episode, Equifax’s chair and CEO said that “mistakes were made” in the company’s response to the attack, which has prompted dozens of private lawsuits and precipitated a drop in the company’s share price.

As corporate directors are ultimately responsible for their companies’ future, the urgency to address cyber risk is accelerating. There is general agreement across the C-suite that cyber risk is a top priority, according to a recent Marsh global survey regarding corporate cyber risk perception. But survey results also revealed that there is less alignment inside companies regarding how cyber risk is reported to corporate directors and about what is most important.

The Information Disconnect Between Board and C-Suite

When survey respondents were asked what type of reporting on cyber risk the board of directors received, something surprising surfaced. For every type of report we asked about, respondents who indicated they were corporate directors said they received far less information than respondents from the C-suite said they were supplying to directors.


For example, 18 percent of surveyed directors said they received information about investment initiatives for cybersecurity initiatives. Yet 47 percent of chief risk officers, 38 percent of chief technology or information officers, and 53 percent of chief information security officers said they were already providing reports to board members on investment initiatives.

Whether it’s optimizing risk finance through insurance or other resiliency measures, such investment initiatives are critical to preparing for an attack as well as to managing an incident. Organizations need to ensure that board members are receiving—and carefully reviewing—this vital information.

Tellingly, corporate directors say the type of cyber risk reporting they most often receive consists of briefings on “issues and events experienced.” It’s clearly important for any corporate director to learn about cybersecurity incidents that the company has faced, but it is an after-the-fact activity. There are a number of reasons for boards to be most cognizant of the material they receive regarding an event that has already happened.


The survey’s C-suite respondents listed “cyber program investment initiatives” as the type of reporting their boards were most likely to be receiving. But with fewer than one-in-five corporate directors saying they received such reports, there is an issue that needs to be addressed, especially given that understanding—and directing—corporate investment in cybersecurity is a key to building effective resiliency measures.

No Incident Can Be Completely Avoided

Many boards seem to focus their oversight on security activities over resiliency best practices. For example, a high number of corporate directors in our survey said their organization did not have a cybersecurity incident response plan. Why? The top reason cited was that “cybersecurity/firewalls are adequate for preventing cyber breaches.” C-suite respondents did not share the same view.


As firm after firm of all sizes and across geographies has fallen prey to attacks, the belief that one can have enough defenses in place to completely avoid a cybersecurity incident has been widely debunked by real-world events. Thus, the mantra among the organizations with the most sophisticated cyber-risk management programs is: “It’s not a matter of if you will be breached, but when.”

Cyber threats are constantly evolving and the potential threat actors are multiplying. No organization is impenetrable, no matter how strong their security posture may be.

Strong Companies Are Already Preparing for GDPR

One of our key findings regarding corporate readiness involves the lead-up to the EU’s General Data Protection Regulation (GDPR), which is scheduled to take effect in May 2018.

We found that companies that are already preparing for GDPR are doing more to address cyber risk overall than those that have yet to start planning. Survey respondents who said their organizations were actively working toward GDPR compliance—or felt that they were already compliant—were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cybersecurity resiliency measures than those that had not started planning for GDPR. This is happening despite the fact that the GDPR does not showcase a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and consequence of overall cyber-risk management strength.

The most forward-looking corporate boards recognize the GDPR compliance process as an opportunity to strengthen their organizations’ overall cyber risk management posture on a much broader level, effectively transforming regulations that might previously have been viewed as a constraint into a new competitive advantage.

The lesson here—even for directors of organizations not subject to the GDPR—is that good cyber-risk oversight requires engaging on a number of fronts, both defensive and responsive. Whether it’s playing an active role in attracting highly-skilled talent, seeking cross-functional enterprise alignment on priorities, or viewing regulatory compliance as part of a holistic plan, an engaged board can make the critical difference in how a company assesses, reports on, and addresses the impact of cyber risk on the company.

To receive a copy of Marsh’s report, GDPR Preparedness: An Indicator of Cyber Risk Management, click here.

The Auditor’s Report: Reading Between New Lines

Alexandra R. Lajoux

Now that the U.S. Securities and Exchange Commission (SEC) has released an order approving the Public Company Accounting Oversight Board’s (PCAOB) new rules on the auditor’s report, what items should the audit committee and shareholders look for there?

The Auditor’s Report on an Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion and Related Amendments to PCAOB Standards, released by the PCAOB June 1 and approved by the SEC October 23, contains five main changes, including one that requires careful reading between the lines.

As NACD summarized in a recent brief to its members, the new PCAOB standard will require auditors to:

  • Standardize the format of the auditor’s report, placing the auditor’s opinion in the first section of the auditor’s report, followed by the basis for the opinion. This change makes the auditor’s opinion easier to find in the auditor’s report.
  • Disclose the auditor’s tenure, stating when the audit firm began its current service to the company. This new requirement comes in lieu of limiting audit firm tenure through mandatory audit firm rotation, a concept NACD and others have rejected in the past.
  • State that the auditor is required to be “independent.” This requirement is intended to strengthen shareholder confidence in the auditor’s report, possibly as an offset to the tenure disclosure, if it reveals that the auditor has been serving the client for more than a quarter century, for example.
  • State that the financial statements are free from material misstatements “whether due to error or fraud.” This change aligns with other recent or pending regulations on error vs. fraud, such as the proposed executive pay clawbacks rule still pending under Dodd-Frank, which mandated disgorgement of performance-based pay after financial restatements even if restatements were due to error rather than to fraud.

  • Report on critical audit matters (CAMs), defined as “matters communicated or required to be communicated to the audit committee and that: (1) relate to accounts or disclosures that are material to the financial statements; and (2) involved especially challenging, subjective, or complex auditor judgment.” A number of commenters said that the CAMs mandate is “redundant” with existing reports, which already reveal the required information. See for example NACD’s comment to the PCAOB or State Street’s comment.

The key letter in CAM is M, for material. For those who may wonder what may be “material” to the financial statements, join the club. The SEC has still never defined this term, leaving this job to the courts as they interpret federal securities laws.

The going definition of “material” is more than 40 years old. The SEC release cites TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976), in which the U.S. Supreme Court states that a fact is material if there is “a substantial likelihood that the . . . fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.” In that same case, the Supreme Court said that determining materiality requires “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him . . .”

Such wisdom is not lost on the PCAOB and SEC. In its June 1 release, the PCAOB cites as CAMs the auditor’s evaluation of the company’s “goodwill impairment assessment” and, more broadly, the auditor’s assessment of the company’s “ability to continue as a going concern.” These two examples are material to financial statements. By contrast, the following two examples are not material to the financial statement: a loss contingency already discussed with the audit committee and “determined to be remote;” and a “potential illegal act.”

Audit committees need to ensure that their auditors are in a position to recognize critical audit matters, and to learn from those matters.  But this does not mean looking for problems where there are none.

Significantly, SEC Chair Jay Clayton had this to say about the new standard:

“I would be disappointed if the new audit reporting standard, which has the potential to provide investors with meaningful incremental information, instead resulted in frivolous litigation costs, defensive, lawyer-driven auditor communications, or antagonistic auditor-audit committee relationships — with Main Street investors ending up in a worse position than they were before.

I therefore urge all involved in the implementation of the revised auditing standards, including the Commission and the PCAOB, to pay close attention to these issues going forward, including carefully reading the guidance provided in the approval order and the PCAOB’s adopting release.”

To Chairman Clayton’s point, the SEC makes this point in its approval order:

“As the [PCAOB] notes, in order to succeed, any claim based on these new statements would have to establish all of the elements of the relevant cause of action (e.g., when applicable, scienter, loss causation, and reliance). Moreover, as discussed above, CAMs could be used to defend as well as initiate litigation. …However, because of these risks and other concerns expressed by commenters, we expect the Board to monitor the Proposed Rules after implementation for any unintended consequences.” (SEC approval order, pp. 32–33)

Shareholders and others should read between the lines of the auditor’s report (appreciating the regulations behind it), but they should not expect auditors to “look under rocks” to find problems. That is the job of management, internal control, and the audit committee. The auditor’s job is to focus on the audit of the financial statements to ensure that they conform to generally accepted accounting principles (GAAP). Given the complexity of GAAP, that is a big enough job as it is.

The CAM standard can’t be mastered overnight and won’t be required any time soon. Auditors of large accelerated filers will not be required to adopt CAM changes until audits of fiscal years ending on or after June 30, 2019—with audits of all remaining filers to adopt CAM changes for fiscal years ending on or after December 15, 2020.

By contrast, all the other changes will apply to audits of fiscal years ending on or after December 15, 2017. That means, essentially, that auditors must work on this immediately, since most companies they are working with right now have fiscal years ending December 31, 2017. (According to Audit Analytics, 71 percent of public companies have a fiscal year ending December 31.)

So now is the time to prepare for the changes! In its above-cited report on the new rule, NACD prepared questions for directors to ask, along with related resources.

Questions for Boards

  • For which fiscal year will our auditor first be required to report on CAMs?
  • What areas during the audit do we anticipate our auditor will find challenging, subjective, or complex—and how can we preemptively address those concerns?
  • How will the auditor’s insights in the newly expanded report affect our ongoing work as we prepare the audit committee report for the proxy and review risk disclosures in the annual report on Form 10-K?
  • How will it shape our meeting with auditors, who themselves have extensive standards for their communications with audit committees?
  • How might our company need to adjust our year-end reporting calendar in order to file the 10-K on time?

NACD Resources: See NACD’s commentary on this topic to the PCAOB in the Corporate Governance Standards Resource Center, and visit NACD’s Audit Committee Resource Center for a repository of content related to leading practices for the audit committee. Register for the KPMG webinar “What You Need to Know About the New Auditor Reporting Model” on Thursday, November 9, and review the Center for Audit Quality’s recent alert “The Auditor’s Report—New Requirements for 2017.”

Why You Should Care About Climate-Competent Boards

Vanguard Group CEO William F. McNabb III just tipped the list. The world’s top three asset managers—Blackrock, Vanguard, and State Street Corp.—are now calling on the companies that they invest in to adopt climate risk disclosure.

Veena Ramani

In a recent open letter to corporate directors across the globe, McNabb explained that Vanguard, the $4.5 trillion mutual-fund management firm, expects businesses to embrace materiality-driven disclosures to shine more light on sustainability risks.

Summing up the challenge of climate risk, McNabb wrote that it’s the kind of risk that tests the strength of a board’s oversight and risk governance. That’s the crux of the challenge for directors. As investors ratchet up the pressure on companies to analyze their exposure to the impacts of a warming planet, they’re calling on boards to be knowledgeable about material climate risk and capable of preparing for its impacts and capitalizing on its opportunities.

As we heard in Karen Horn’s opening keynote of NACD’s 2017 Global Board Leaders’ Summit, directors can no longer ignore the inherent impact of these issues on the long-term value creation of the corporate world—ranging from climate risk and natural resource capital to implications of the Paris Climate Agreement.

This growing scrutiny has directors’ attention—especially after a high-profile vote in May by nearly two-thirds of Exxon Mobil Corp.’s shareholders demanding an analysis of climate risks. The number of directors who think that disclosure of sustainability risk is important to understanding a company’s business jumped to 54 percent in 2017 from 24 percent last year, according to a survey of 130 board members by the accounting firm BDO USA.

Board-level competence around climate change and other sustainability risks is the way forward. Through an understanding of what climate change means, why it matters to their business, and what their organizations are capable of changing, directors can successfully make climate risk part of their governance systems.

In a new report by Ceres called Lead from the Top, we outline ways that companies and boards can build up that competence.

But rather than settling with bringing on a director who is competent in sustainability, our report explains why companies must work to build an entire board that is competent to oversee these risks. By engaging thoughtfully on material sustainability risks as one cohesive body, this kind of board is able to ask the right questions of its management, support or challenge senior management as needed, and ultimately make informed and thoughtful decisions affecting corporate strategy and risk.

We identified three key principles that companies and boards can use as they work to build a sustainability-competent board:

1. Sustainability needs to be integrated into the director nomination process. Finding directors who can apply their knowledge about climate and other sustainability risk to relevant board deliberations is a good first step. Companies can get the right people on board by approaching this systematically as a part of the board nominations process, specifically identifying experience in material environmental, social, and governance (ESG) risks in the board skills matrix and by casting a wide net to consider candidates with diverse backgrounds and skills.

2. The whole board needs to be educated on sustainability issues that impact their company. For sustainability to become part of the fabric of board oversight and integrated into decision-making on strategy, risk, and compensation, all directors on the corporate board need to be well informed on material sustainability issues so they can lead thoughtful deliberations and make strategic decisions. Companies can do this through focused, ongoing training programs that bring in experts from outside the company and by educating the board on the connections between climate change and material impacts and the connections to risk and strategy. Embedding ESG into the existing board materials so it does not become one additional issue topic to vie for directors’ attention is essential. Sustainability managers embedded within companies can play a key role in driving this integration.

3. Boards should directly engage a diverse array of stakeholders, including investors, on sustainability issues impacting their company. With more investors paying attention to climate change and other sustainability issues, shareholders increasingly expect boards to engage directly with them on critical issues. One of the goals of McNabb’s letter was to nudge directors to engage directly with shareholders. Given this growing focus, material environmental and social factors should be made a part of any dialogue between directors and investors.

It all comes down to the bottom line. Risk and opportunity define business. Corporate boards will have a difficult time performing their fiduciary duty to the companies they lead and the shareholders that they represent without understanding the risks and opportunities created by climate change. Our report lays out practical steps directors can take as they consider how to make their board competent in addressing climate change and other environmental, social, and governance issues.

 

Veena Ramani is the program director of Capital Market Systems at Ceres. Ceres is a sustainability nonprofit organization working with the most influential investors and companies to build leadership and drive solutions throughout the economy.

NACD Staff Gives Back

This past Friday, October 20, National Association of Corporate Directors (NACD) staff packed up and readied itself for a big move. After five years on Pennsylvania Ave., NACD’s national office relocated across the Potomac River to Arlington, Virginia. NACD staff turned what could have been a stressful moving day into an opportunity to give back to the community that it works in through its first Day of Service.

Packaging food for delivery

Serving hot meals on a mobile food kitchen

President and CEO Peter Gleason championed NACD’s Day of Service as a way to involve staff in volunteer activity and to demonstrate that the organization is dedicated to supporting and improving the lives of others. NACD spent time with several worthy local nonprofit organizations, including:

  • Martha’s Table, an organization that seeks to provide healthy meal and food programs for children and their families. For over 37 years, Martha’s Table has worked to support children, families, and neighbors by making healthy food and quality learning more accessible.
  • DC Central Kitchen, whose mission is to use food as a tool to strengthen bodies, empower minds, and build communities. This organization provides culinary training for jobless adults and then hires them to prepare 3 million meals annually for homeless shelters, schools, and nonprofits.
  • Capital Area Food Bank, an organization working to solve hunger, chronic malnourishment, heart disease, and obesity. It provides 540,000 people in and around the nation’s Capital access to healthy food annually.
  • Arlington Food Assistance Center, which obtains and distributes groceries directly and free of charge to those in Arlington who cannot afford them.
  • Food & Friends, whose vision is to provide meal delivery to people with HIV/AIDS, cancer, and other serious illnesses who have limited ability to provide nourishment for themselves. Their simple premise is that anyone can get sick and everyone can help.

Organizing food for a “market day” at an elementary school

One group of NACD volunteers reported back from Martha’s Table with this experience:

“Our crew of four baked about 230 muffins in one afternoon for our Day of Service assignment. Martha’s Table is a charity that has various aims, including introducing healthy eating to those who might not have access to traditional resources, such as the homeless. Their mobile soup kitchen, McKenna’s Wagon, provides meals daily to the homeless at various locations. The muffins we baked and packaged were destined to go on the truck Friday night as dessert for those that McKenna’s Wagon served. We had a lot of fun baking at Martha’s Table. We had a recipe for apple spice muffins and an aggressive timeline to meet! Everyone pitched in, bonded, and encouraged each other. It was a rewarding experience.”

Baking for a mobile soup kitchen

Do you know a deserving organization in the metropolitan Washington, DC area that could use volunteers in the future? Make your suggestion by leaving us a comment.

What’s Keeping Your Employees From Being Engaged?

The engagement level of an organization’s employees directly impacts important business outcomes such as profit and retention. Results from CCI Consulting’s Global Employee Engagement surveys revealed three areas that are keeping employees from going the extra mile at work: recognition, growth, and management. Employees across multiple industries, functions, and job levels consistently showed frustrations with these three areas.

Many employees do not feel they receive the appropriate recognition for their good performance. They are not effectively rewarded in a way that motivates them to continue to perform well. Working towards a clear career growth plan is desirable to many employees. However, most felt that they did not have a clear plan for advancement because of lack of support from management when they expressed an interest in promotional opportunities. This lack of support ties into the fact that most employees feel that the management team is not fully “in touch” with employees, causing a disconnect that leaves employees with a lack of trust in management.

  • Lack of Recognition: Employees do not feel that good performance is recognized and effectively rewarded to motivate employees.
  • Limited Growth: Having a clear path for career advancement is important to employees, but many feel that they do not have the potential for growth.
  • Poor Leadership: Many employees do not believe the Management Team is “in touch” with or connected to employees.

 

Source: Aggregate results from CCI Consulting’s 2015-2017 Global Employee Engagement Surveys

 

This article was provided by Sharon Imperiale of CCI Consulting; CPI Philadelphia
