Career Partners International Helps Managers Break Down Barriers to Employee Participation in Learning and Development Opportunities

Over the past few years, a trend has surfaced with power shifting from employers to employees in the talent market. Unemployment is down, and companies struggle to fill open positions. The most talented employees are more sought after than ever, causing HR leaders to focus on retaining their stars. Learning and development opportunities have become a major focus, with many organizations creating and expanding their offerings in hopes of improving employees’ skills and increasing retention.

According to a recent study conducted by LinkedIn, 94% of employees would stay at an organization longer if it invested in their careers.  So why are employees still leaving if so many organizations offer workplace learning?  A major contributor to this phenomenon centers on the lack of accessibility to these programs.  Even the best designed programs will not yield results if employees are not accessing them.

What are the common barriers to entry for learning and development offerings? One common problem is that the format is not conducive to the employees’ learning style. Sometimes employees do not have the time to participate in growth opportunities. Many organizations have a communication problem; their programs may be an unintentionally well-kept secret. Tearing down these and other barriers gives development programs the chance to make real change and improve organizations.

With over 30 years of experience, Career Partners International (CPI) has seen all these common barriers and many more. CPI works with managers to remove these obstacles and encourage their teams to participate in learning opportunities. According to that same LinkedIn survey, one of the biggest drivers of participation in development programs is encouragement from management, be it a verbal suggestion or freeing up time for participation. Employees want to learn and grow; organizations want their talent to stay, grow, and remain engaged. By turning managers into career coaching leaders, CPI helps managers align the goals of employers and employees to promote lasting and mutually beneficial relationships.

The post Career Partners International Helps Managers Break Down Barriers to Employee Participation in Learning and Development Opportunities appeared first on CPIWorld.

With Proxy Season Around the Corner, Are You Ready?

As investor demands regarding the quality of board governance steadily rise, effective disclosure of board practices in the proxy statement—including board composition and executive-compensation design—has become a critical communication vehicle ahead of the annual vote. To facilitate investor understanding, proxy filers should craft engaging narratives and offer clear visibility into their organization’s board governance approach and emerging investor priorities—from human-capital management and boardroom diversity to environmental, social, and governance (ESG) issues.

A recent snapshot drawn from NACD’s upcoming 2018–2019 NACD Public Company Governance Survey indicates that companies are proactively enhancing the value of their proxy statements by including more information and making the format more engaging.

To help boards and their companies develop more transparent and easier-to-digest 2019 proxy statements and to help them anticipate likely shareholder challenges to current practices, NACD has created a curated list of practical new resources that directors, general counsel, and investor-relations staff can readily put to work.

NACD Resources

Additional Resources on Leading Proxy Practices

Review of Proxy Season 2018 Trends

NACD members can also visit our Resource Center on Preparing for Proxy Season to access more resources.

Under the Mask and Into the Head

Halloween costumes have become much more elaborate since I last personally went trick-or-treating for candy. The thin, molded-plastic Luke Skywalker mask and matching plastic bib that my mother tied in the back has been replaced by Black Panther chest plates and sturdy tiaras hardly different from an actual crown. However, what has not changed with the costumes are the judgments children place on the candy—good or bad, generous or stingy, a rich treat or a “healthy” treat.

Not all neighbors may care what trick-or-treaters think about their offerings, but for those who do, there are only two choices: (1) offer a portfolio of choices and hope one appeals, or (2) ask for feedback and let the visitor know early on what you intend to offer. The upshot is that it is often difficult to understand how others view and receive your intentions. This is an inherent challenge in every two-way interaction. And the interactions between the board’s audit committee and the chief audit executive (CAE) are no exception.

Last year the Institute of Internal Auditors (IIA) surveyed 636 CAEs to learn more about how internal audit views their interactions with the board’s audit committee. At most organizations, reporting on the state of internal controls is at the center of internal audit’s board reporting. Yet, just over half—56 percent of CAEs reporting to fully independent audit committees—strongly agree that, as a result of their discussions, the audit committee has a clear understanding of the strengths and weaknesses of the organization’s internal control and risk-management systems. And at 45 percent, CAEs with some nonindependent audit committee members are a bit worse.

One potential explanation—at least from the CAE perspective—is that audit committees could make their expectations of internal audit clearer. Just 41 percent of CAEs with independent audit committees strongly agree that the audit committee regularly communicates with the CAE about the current performance of the internal audit function and about areas where the committee would like to see improvement in the organization’s internal audit activity as a whole. That figure rises to 50 percent when CAEs are asked if the audit committee sets clear expectations for internal and external audit. Both of the numbers are slightly lower when the board has some nonindependent members.

Further, many CAEs do not see robust continuous improvement activity in the audit committee itself. Thirty-six percent of those reporting to independent audit committees strongly agree that those committees assess the effectiveness of their own role in the oversight of risk management, with an eye to clarifying the scope of their oversight activities.

Taken together, many CAEs perceive that audit committees

  • do not have a clear understanding of the information presented to them,
  • do not communicate their expectations as well as expected, and
  • do not reflect on their own effectiveness.

Now, it could be that CAEs have a limited perspective. It could be that audit committees are doing these things outside of the gaze of internal audit, leaving the CAE with a mistaken impression. However, that is the best-case scenario. At worst, audit committees are lax in their engagement with internal audit, creating a wrong impression.

Like assessing trick-or-treaters’ judgment of your candy options on Halloween, some audit committee members may not be interested in the opinions of internal audit. However, there is no doubt that many are making judgments.

Those audit committees that are interested in improving their relationship with internal audit might consider taking the following steps:

  1. Review formal and informal communications with heads of the internal audit function. The audit committee may consider its communication style, methods, and modes with CAEs and others during committee evaluations. They might also solicit feedback from the CAE to help understand how communication with the board and relevant executives can be improved.
  2. Create a feedback loop. The audit committee could identify some ways to get feedback from the CAE to ensure that the committee’s message is understood as intended. This could entail more focused conversations with the CAE between board meetings or changing the nature of conversations currently in place.
  3. Consider risk and control oversight broadly. Internal controls may go well beyond the internal audit function to include information technology and cybersecurity, compliance, legal, and other departments. Audit committees, in coordination with the full board, may consider a comprehensive approach to risk and control oversight and review lines of responsibility and communication between the boards and these corporate functions.

Although Halloween costumes have become more sophisticated, it’s still hard to tell whether the trick-or-treater would have preferred a full-size Zagnut candy bar to the four Jolly Ranchers you just dropped in their bag. Similarly, it may be difficult for the audit committee to understand whether or not the messages they give to internal audit are received as intended. Simply put, when directors engage with internal audit, they should work to ensure that their messages are properly understood. Nobody intends to give bad candy, but sometimes the neighborhood kids misinterpret your intention.

Leading Minds Discuss the Complexities of Executive Pay

Last week, we ran highlights from NACD’s most recent Leading Minds of Governance program, where a panel of highly experienced governance experts and directors spoke on the board’s role in overseeing corporate culture—and crises that arise from failures in corporate culture. In our continuing coverage of that event, Cathy Halligan, a director of FLIR Systems and Ulta Beauty, and Tara Tays, managing director at Deloitte, discuss the issues of say on pay—and the ways in which executive compensation can attract top talent while also attracting unwanted attention from proxy advisory firms.

Cathy Halligan (r.) addresses the panel, including Christopher Cernich (l.)

The issues of say on pay and talent retention are top concerns for many boards. How can a compensation committee strike the right balance between garnering shareholder support for the compensation package and incenting and retaining a high-performing CEO?

Halligan: I advise compensation committees and boards to start with the philosophy that a consistently performing CEO is not always easy to have, and a high performing CEO is rarer and can be difficult to retain because she or he is in great demand. In an environment where one has a consistently performing or high-performing CEO, keep that in mind first and foremost when considering compensation. In terms of the balance between a compelling retentive CEO pay package, relative to the scope and complexity of one’s business, and any potential governance agency issues, my advice is to err on the side of delivering a compelling compensation package to a performing CEO. Leave the ISS [Institutional Shareholder Services] and Glass Lewis narrative to the side while thinking through compensation. Then, explain to investors the rationale behind the CEO compensation, drawing linkages to performance.

Aligning compensation with shareholder value creation is most important. In my view, nothing aligns more purely with the shareholder than including stock options as a long-term retentive vehicle in long-term incentive or special retention grants. That being said, ISS and Glass Lewis do not view stock options as performance-based compensation, which is a real head-scratcher for me. In a Glass Lewis or ISS report on CEO pay, the entire value of a stock option grant is priced in the compensation table on the day in which it’s granted. Even if the vesting schedule is out six years, and doesn’t even start vesting for two years. There’s a disconnect between demonstrated retentive compensation and recording the positions by ISS and Glass Lewis.

One last point I would make is that Glass Lewis and ISS do not like special grants given to CEOs in addition to long-term incentives as part of an executive compensation program. Their rationale is that if the executive compensation program in and of itself isn’t correct, and there’s a need for an additional grant, the board should take a harder look at the executive compensation program. While that might be true in some situations, it is not accurate across the board. Consider Ulta Beauty. CEO Mary Dillon drove incredible performance, and the stock has outperformed the market by a wide margin since July 2013 when she became CEO. While the executive compensation program had achieved all of the criteria that the compensation committee had set out, given the exceptionally good performance of our CEO and our interest to protect the shareholders and retain her, we did issue a special stock option grant that had pure retentive hooks. It was a six-year vesting schedule that started vesting in year two, so clearly long-term. ISS and Glass Lewis both issued quite unfavorable reports, but it was the right thing to do for Ulta shareholders to retain a very high-performing CEO with an instrument that was completely aligned with the shareholder. In summary, do right by a high performing CEO, and then talk to your investors.

Tara Tays

ISS and Glass Lewis always seem to garner a moan from directors when they’re brought up. It’s important to understand their guidelines, but are the proxy advisory firms’ preferred compensation policies sound, and are they truly in shareholders’ best interests?

Tays: The proxy advisory firms’ executive compensation guidelines are meant to help shareholders think about how to vote on a say-on-pay proposal, and while the methodology used by these firms over the past seven years has been refined and now leads to many tests that guide shareholders on whether to vote “for” or “against” this type of proposal, the guidelines don’t always provide shareholders a holistic picture on all criteria that should be considered when determining how to vote on say on pay.

Generally, there is one reason why proxy advisory firms will vote against a company’s say-on-pay proposal: there is significant misalignment between CEO pay and company performance. One proxy advisory firm will also consider NEO [non-executive officer] pay and company performance. Other factors that will be taken into account by the proxy advisory firms include whether the company has problematic pay practices, e.g., egregious one-time payments, single trigger change-in-control provision, excise tax gross ups, etc.; and whether the board displays poor levels of communication to shareholders.

While the proxy advisory firms’ tests measure the size of a CEO’s pay package in comparison to total shareholder return and financial performance, they don’t measure a CEO’s realizable pay—the same is true for NEOs. And one might question whether a pay for performance model built on grant date long-term incentive value really provides an informed picture on the relationship between pay and performance. Now, total compensation granted to a CEO in one year is important; however, it is just as important to understand what the CEO earned in base salary, bonus and the value of equity actually earned over a period of time.

Why is this important? At the end of the day, if the company’s stock is not performing, the value originally granted to the CEO is simply the equity value at grant date and maintaining that equity value is heavily dependent on the future financial or operational success of the company.

Also, more and more CEOs are granted long-term performance-based awards and the actual equity earned (or settled) is usually determined two, three or four years later. Therefore, a CEO’s realizable pay over a period of time is just as important as the pay level delivered in a year and combining the two analyses together paints a clearer picture for shareholders on whether there is alignment between pay and performance.

It is also important for proxy advisory firms to build in an understanding of a company’s needs for one-time compensation payments or contract provisions. For example, there was an S&P 600 specialty chemical company that received “low concern” levels on all of its pay-for-performance tests from one proxy advisory firm; however, since the company entered into a new employment agreement with one of its NEOs that automatically allowed for continued participation in a stand-alone legacy change-in-control severance agreement that included an excise tax gross-up provision, the company received an “against” vote from the proxy advisory firm. Despite the fact that the agreement was put in place to retain the executive, the company was penalized. Interestingly, a similar agreement was put in place for the same company the previous year and the company received a “for” vote on say-on-pay by the same proxy advisory firm. While excise tax gross-ups are not the market norm, penalizing a company for the continued participation in an existing change-in-control provision seems harsh, especially if it is needed to retain the executive.

On the other hand, there are some proxy advisory executive compensation guidelines that are healthy, like scrutinizing companies when excessive perquisites or multi-year guaranteed bonuses (i.e., non-performance based) are provided or utilizing the same performance metric in both the annual incentive and long-term incentive plans.

At the end of the day, there are some key guiding principles that companies should adhere to in designing and administering the executive compensation program. First, companies should maintain appropriate pay-for-performance alignment, and understand whether alignment exists on a one-year and multi-year basis. Second, the board and management should understand the competitive market landscape and stay away from arrangements that “pay for failure,” such as guaranteed compensation and excessive severance packages with no strict performance conditions. Third, companies should provide shareholders with clear, comprehensive proxy disclosures, which help shareholders and proxy advisory firms evaluate whether executive pay practices are reasonable.

The Cyber Blind Spot

Throughout history, one of government’s primary duties has been to provide for the common defense of citizens. Our armed forces have protected our geographic boundaries exceptionally well for over 200 years. In stark contrast, the cyber domain introduces a new reality in the human experience.

Thieves and adversaries can reach beyond our traditional geographic boundaries to steal or harm, making geographic delineations irrelevant. Because cyber risk transcends the four traditional domains of conflict, the old rules simply don’t apply to this new domain. Civilian leaders—like corporate directors—must lead the way to define new rules for defending civilian assets given the reality of a cyber blind spot: the gap between government and civilian defenses.

“The cavalry ain’t coming.”

So said General Michael Hayden, former director of the National Security Agency (NSA) and the Central Intelligence Agency (CIA), about cybersecurity at a conference in 2017. Not only is there no governmental “cavalry” coming to the defense of civilian cyber assets, it is not even clear that such defenses exist in any cohesive form. This isn’t intended as a criticism. Rather, it’s simply a reflection of reality resulting from limits in constitutional authority, capability, capacity, and ambiguous charters.

Constitutional Limits

Government defense of assets in the physical domain is routinely accomplished within the bounds of the Constitution. But defense of cyber assets—information contained within computers—is fundamentally different. By definition, the defense of information requires in-depth access to and an understanding of the information and computers on which it resides. If, for instance, a company had voluntarily chosen to allow such government surveillance, and data is revealed that laws are being violated, could the government use this information against the firm or the people trusting that firm with its privacy?

With the current murkiness around privacy protections in this non-physical space, would this be a violation of Fourth or Fifth Amendment protections for the corporation and its customers? Would it matter if the discovered violation were willful or inadvertent? The requirements of defending companies and their customers from cyber risks may not fit the realities of constitutional law.

Capability Limits

The government at-large is tasked with widely varying roles in defending against cyberattacks. Capabilities range from ultra-sophisticated cyber actors in the CIA and NSA, to traditional law enforcement agencies with little technical expertise. Meanwhile, sophisticated cyber capabilities are as rare in government as they are in the private sector, and those limited assets are consumed with defense of the government itself or with providing intelligence. There is very limited capacity to help business or non-critical government capabilities.

Like the private sector, there are plenty of federal government examples of failing in the fight: the loss of sensitive data on 22 million individuals by the Office of Personnel Management, the hacking of the Chief of Staff to the President, and the loss of highly sensitive cyber defense tools by the NSA are but a handful of examples. Bottom Line? If the government struggles to defend itself, it can’t be expected to defend businesses.

Charter Limits

It’s not yet entirely clear which agency should be doing what tasks to secure cyberspace, despite frequent coordination attempts and exercises. The Department of Homeland Security is responsible for defending the homeland, but the Department of Defense is responsible for defending the nation. Who defends cyberspace? Both? Neither? After a cybercrime has occurred, the Federal Bureau of Investigation is responsible for the investigation, but if the criminal is outside the U.S., do they have jurisdiction? If so, do they have credible recourse?

It isn’t clear who should help and what the nature of the help could be—even according to Keith B. Alexander, founding commander of United States Cyber Command. “The truth is that today, our government agencies appear to be confused by the different terms of protection, incident response, and national defense,” Alexander said in an address to the US House Committee on Homeland Security in 2017. “More needs to be done in defining these roles within the key departments, and we must practice how the government is going to collectively execute their responsibilities.”

Furthermore, what are the rules of engagement? The government deserves credit for providing expertise and guidance to the civilian sector such as the NIST Cybersecurity Framework, threat sharing networks, and so on. But there is no mandatory compliance required except in narrowly-defined areas of critical infrastructure.

Dangerous Assumptions

Without realizing it, most business and civilian leaders assume that a faceless “they” are defending us in cyberspace like “they” are defending us in the traditional geographic sense. While not an unreasonable assumption, we all know what happens when we assume.

The Assumed Cocoon

We exist within a relatively secure geographic and physical “cocoon” consisting of layers of defense provided by governments against catastrophic attack by foreign powers. This cocoon allows business to focus attention and investments on innovation, shareholder value, and employee satisfaction. Businesses therefore expend only the most basic effort in physical defense, burying security into generic administrative organizations and outsourcing staff to minimize cost.

Without realizing it, many organizations have tacitly adopted a nearly identical model for cybersecurity. Examples include burying cybersecurity responsibility under the chief information officer, outsourcing security operations to save money, and generally treating security as a necessary evil. Meanwhile, organizations are both physically and existentially vulnerable to security risks, enjoying the softness of the assumed cocoon.

Going to a Gunfight With a Golf Club

Most corporate executives and directors are skilled in increasing shareholder value. But the essence of cyber defense is human-to-human conflict. Whether we think of this as war fighting or crime fighting, we argue that it is indeed fighting. We posit that success here requires thinking in terms of battle: weaknesses, attacks, defenses, and contingencies. The fluidity and chaos of human conflict require a specific set of skills and experiences that most of those groomed in the civilian sector simply don’t have, or have let lie long dormant, because they never needed them in business practice—until now.

You are the first generation of executives and corporate directors to deal with the business reality of self-defense, and that’s daunting. It would be easy to adopt an ostrich strategy to avoid it altogether. Or, nearly as bad, to diminish the urgency of decisive action by resting on the comfort of conventional wisdom.

If you find yourself saying any of these things to provide a sense of self-assurance, you’re likely whistling past the graveyard—not giving the problem the serious intellectual engagement it deserves.

  • We’re using the NIST Framework.
  • We spend a lot more than we used to on our defenses.
  • We just bought this new fill-in-the-blank.
  • One of our folks used to work for the FBI.
  • We haven’t had any trouble so far.
  • Our audits are ok.

Leading in the Age of the Cyber Blind Spot

We aim to illuminate a reality that deserves additional examination and thought, not to criticize the actions of government or civilian leaders. Government can’t sufficiently defend civilian assets in the cyber domain and civilian capabilities aren’t well-suited for human-to-human conflict. Taken together, this cyber blind spot introduces significant challenges to corporate directors and officers.

Some key questions for board members to ask include:

  • How does the cybersecurity team inculcate a strategic and tactical military mindset and experiences into its cyber-defense strategy?
  • In what ways does the company’s cybersecurity strategy and investment mirror its physical counterpart?
  • What are the key assumptions in the cyber strategy, and what are the risks associated with those assumptions?
  • How frequently and how aggressively are our cyber defenses “red teamed” or probed by external “hired guns”?
  • How powerful and relevant are the measures of cyber defense provided to the board by cybersecurity executives? What other questions should be asked to explore the gaps in our cyber defense?

Businesses are exposed to dramatic new risks in the cyber domain and “the cavalry ain’t coming.” We must lead accordingly.

 

Editor’s Note: Manner and Walker will provide more in-depth advice for leading in the age of the cyber blind spot in an upcoming issue of NACD Directorship magazine. All thoughts expressed here are their own.

CPI Webinar: “Workplace Civility on a Continuum”

Wilcox Miller & Nelson would like to invite you to join us in the upcoming CPI Webinar, “Workplace Civility on a Continuum” featuring Gary Cormier of Harvard University. As part of our firm’s participation in Career Partners International we periodically host webinars to share HR industry experts’ viewpoints on trending topics. This webinar will address the #MeToo movement and the inherent power imbalances in the workplace.

While most employees feel that the #MeToo movement is healthy, of those surveyed only 1/3 have seen significant changes in their organizations.

Gary Cormier joins us from Harvard University as a Senior Human Resources and Organizational Development Consultant. This foundational session will explore the business case for workplace civility as well as the implications of incivility. It will also help identify uncivil, inappropriate, negative, or bullying behaviors in the workplace and what can be done to mitigate them. Finally, it will conclude with ways to make civility part of your organization’s overall culture.

Join us on December 11th at 8:00 A.M. PST for a 30-minute presentation and 15 minutes of Q&A. Register HERE.

Tap into the Hidden Talent Pool with CPI EmployerConnect

As the talent market becomes increasingly competitive, it’s getting harder and harder to recruit top-level employees. Career Partners International (CPI) is pleased to announce the launch of our new service, CPI EmployerConnect™. CPI now grants employers and recruiters direct access to our pool of national and international talent. In a labor market facing a talent shortage, this program will align thousands of highly qualified, motivated candidates with employers seeking to fill positions.

CPI EmployerConnect™ allows employers to post open positions, improving visibility to this desirable talent pool. Many job boards are cluttered with outdated and irrelevant postings, reducing the odds of reaching desired applicants. By limiting access to trusted CPI clients and partners, distracting posts are eliminated. Candidates can easily apply to posted jobs through links to legacy external systems, reducing duplicated employer effort.

Employers now can search for candidates in CPI’s pool of talent based on title, education, employment history, and other pertinent information.  With the ability to search for and save prospective job seekers, employers will no longer need to hope that great applicants will find them on crowded job boards or pursue passive candidates.  Search criteria can be saved on an individual employer dashboard allowing for quicker identification of new prospects.

For over 30 years CPI has offered world-class outplacement services, helping thousands of participants land new opportunities. CPI specializes in landing participants quickly, twice as fast as the national average, and in high quality roles. With CPI EmployerConnect™, employers can partner with CPI to quickly find talent and fill open positions. Contact your local partner to access CPI EmployerConnect™.

The post Tap into the Hidden Talent Pool with CPI EmployerConnect appeared first on CPIWorld.

Get the Cybersecurity Answers You Need

How well do you understand the cybersecurity risks of the company you govern? Liability questions loom large for corporate executives and directors alike, especially when reports of a new high-profile vulnerability or breach start popping up in the media. Yet, many corporate directors struggle with understanding how the technical aspects of cybersecurity translate to business outcomes.

Spend time with a company’s chief information security officer (CISO) or chief information officer (CIO) and you’ll probably get a laundry list of technical factors with specific metrics like the number of vulnerabilities present in the organization, how many unpatched systems exist, and how these numbers compare in different regions where the company operates.

While this information is useful, unless you understand the technology it will raise more questions than answers for you as a director. And, this kind of accounting doesn’t really answer the number one question every corporate director needs to ask about cybersecurity: Where are we exposed?

Why is this question so important? Because only by understanding the full scope of a company’s attack surface can you possibly help guide the business decisions that need to be made in the wake of an incident. So, how can you get the right answer to this question without having to wade through technical jargon?

The Answers You Don’t Need

Let’s look at two typical responses you may receive when you ask about where the company is exposed, and why these responses aren’t helpful to you in your role:

  1. We have spotted 600 vulnerabilities on our 2,500 mobile devices. Whether this sentence is completed with technical details about your mobile devices, on-premises data center, cloud services, legacy systems, or new systems like IoT and edge computing, it is probably only part of your information technology (IT) infrastructure story.

    In order to know your total vulnerability picture, you need more than a snapshot of one or two parts of your overall IT infrastructure. Today’s IT organization is complex and layered. Even if your CISO is able to provide you with the exact number and type of vulnerabilities in each layer, you would struggle to understand what that means in terms of risk to the business.

  2. Our cloud provider says that their cloud is secured. Cloud providers are not responsible by law for your company’s security or compliance with the same regulations to which your company is beholden. Ultimately the liability lands squarely on your company.

    Cloud providers typically are responsible for the security of their cloud, but not the applications and virtual machines you might place on their systems. So, while it is comforting to hear the steps cloud providers take to keep your data secure and in compliance, your company is not legally absolved from responsibility by those actions. A holistic view of your total exposure—including cloud apps and services—is needed so the cybersecurity team can add the necessary layers of protection. And, you need a holistic view in order to understand which of the organization’s business-critical IT services might be affected.

The Answer You Need

Security teams must truly look everywhere to ferret out all the vulnerabilities that exist. To accomplish this, they’ll need new tools specifically designed to sniff out new vulnerabilities as they appear in real time. This requires a strategic shift from deploying piecemeal security systems to embracing a holistic approach to discovery, reporting, and risk mitigation. By coming to terms with where your exposures are—or are likely to be—you reveal the larger picture of where the organization is most at risk, and what work needs to be done.

Only when a holistic cybersecurity strategy is in place can the organization’s security team give you the answer you need: “We have the ability to see our entire attack surface, including containers, web applications, servers and our industrial control systems. We are exposed to this vulnerability on 12% of our infrastructure. Our average time to address an issue of this magnitude is 18 days.”

The only way your security team can answer with this level of accuracy is to close the gaps in your security coverage and increase visibility. Every hidden corner of the company’s IT infrastructure must be illuminated and secured against threats. Only then can your security team produce reports which itemize specific vulnerabilities in cloud services and cloud environments, on-premises data centers, private and cloud environments, containers, industrial control systems, points of sale, HVAC, devices connected to the Internet from aquariums to smart TVs in break rooms, and anything else not typically handled by the IT and security operations teams.

Your CISO should use that list to provide you with a high-level overview of the systems and users which are most at risk, so you can urge management to plan the company’s next steps accordingly. Anything less will leave your security teams trying to mitigate risk in the dark. And that’s simply too big a risk for any company.

Want to learn more about key cybersecurity risk indicators, and what they mean to your business? Read our report, “Managing Cyber Risk: The New Mandate from the Corner Office.”

Economist Answers Questions on Freedom, Populism, Globalism

Editor’s note: Dambisa Moyo, author of The Edge of Chaos: Why Democracy Is Failing to Deliver Economic Growth—and How to Fix It (Basic Books, 2018), addressed the audience at the 2018 NACD Global Board Leaders’ Summit. She generously agreed to provide written answers to questions posed by the audience in that forum. Questions have been edited for clarity below. Return next week to read a second set of questions answered.

Is the desire for freedom waning, or is the power grab by illiberal politicians creating myopia and the feeling the system is rigged?

According to the think tank Freedom House, freedom around the world has declined every year for the last ten years. Freedom House also notes that although many countries of the world are democratic, the majority of those democracies (70%) are illiberal and indistinguishable from authoritarian states. Meanwhile, voter participation rates in the United States have declined, with only roughly 30 percent of low-income households turning out to vote. Finally, just 158 American families were responsible for 50 percent of the financial contributions made to the US presidential campaign in 2016. Taken together, these concerns leave many with the sense that democracy is not working effectively.

Can you speak about globalization and populism?

While it is true that globalization has come under challenge, in some respects the charges against the global system are unfair; not least because trade tariffs and subsidies (the European Union’s common agriculture policy and the multibillion-dollar US farm subsidy program), capital controls, and national limits on global immigration mean that globalization has never been implemented to the degree that economic textbooks would suggest could be beneficial for all. Moreover, as Alibaba’s Jack Ma notes, much of the billions of dollars earned by countries such as the United States and Europe from globalization was used to fight wars in Iraq and Afghanistan, rather than [to make] investments in education and infrastructure projects, thereby leaving many millions of people [not only] in the West but also in the rest of the world economically destitute and skeptical of globalization. Furthermore, this backdrop provided an impetus for populism that we’re seeing around the world. This is especially true at a time when income inequality within countries has worsened and people believe the prospect of improvement for future generations is declining.

Looking at American isolationist policies put in place during the Trump administration, do you have a view on their permanent impact?

Based on the Smoot-Hawley tariffs which were imposed after the 1929 financial crash and Great Depression, many economists and historians argue that trade protectionism can have lasting negative effects. In the case of the Smoot-Hawley tariffs (more than 3,500 tariffs were imposed on imports to the United States), many agree that US unemployment rose, economic growth fell, and America’s reemergence from the Great Depression was delayed. As such, trade protectionism is generally viewed as having a negative economic impact. That said, there is a compelling case to be made that all members of organizations (such as NATO) that have promised to make contributions should [make them] as promised, thereby ensuring burden sharing. In other words, the United States should not be required to underwrite more than its fair share—particularly at a time when the country needs to urgently make significant investments in infrastructure and education at home.

You have mentioned many of the challenges facing the world’s economy. What are the strengths—the levers—that we have today that we can and should use to make sure we do not lose in the world’s economy?

In my mind, [there are] two things: educating human capacity and technological innovation. On the first point, the International Labor Organization (ILO) estimates that there are over 75 million young people who are out of work and there are approximately 1 million NEETs—No Education, Employment, or Training—in the United Kingdom. This untapped human potential could be a strong impetus for economic growth if we invest in education—both traditional and apprenticeships. Meanwhile, technological innovation promises new pathways to solve many of the world’s seemingly intractable challenges, such as disease prevention and health-care infrastructure and education.

Do you still think slow and steady wins the day? With exponential change, how is that possible?

Many of the challenges the global economy faces today are long term, deep seated, and structural, and thus require long-term pragmatic solutions. There are no shortcuts for society to [take to] attain education and infrastructure, even in a world where technology rules the day. Put another way, it’s crucial that public policy making always considers the costs/benefits and trade-offs of today’s citizens versus future generations.

Please tell me something positive I can tell my children!

If we can put a man on the moon, we can solve many of the world’s greatest challenges by working together.