August 20, 2019
Forbes – Good Governance: Do Boards Need Cyber Security Experts?
By Robin Ferracone
In today’s digital world, with near-instantaneous conveyance of information and data, cyber-events could (and routinely do) rapidly impact brand and shareholder value. While opinions differ on the need for cybersecurity experts on certain boards, there is a general consensus among management, boards, and investors alike that this need is growing.
Given this trend, I spent time with Bob Zukis. Bob is the founder and CEO of the Digital Directors Network, professor of Management and Organization at the USC Marshall School of Business, retired PwC Advisory Partner, and author and speaker on digital governance and the impact of disruptive technology on business strategy. We spoke about what companies can do to minimize cyber threats. Below is an excerpt from our conversation.
Robin Ferracone: Bob, thanks for joining me today. As an executive or a board member, nothing can ruin a day faster than a cybersecurity breach. What are some of the most challenging technology issues where you’ve seen boards having to get involved?
Bob Zukis: This issue has really evolved quickly in the last five years. I think the wakeup call came with Target Corporation’s 2013 Christmas data breach. Until then, many boards were blissfully ignorant on cyber issues. The Target breach exposed the ugly side of what can happen with a cyber issue of this scale combined with an unprepared board and a 24-hour news cycle. The Target breach compromised 40 million customer debit and credit card accounts, and the litigation around this is still ongoing.
Every subsequent breach from Yahoo to Facebook to Equifax has reinforced the fact that cybersecurity risk is something that has to be reckoned with in the boardroom. The other side of the coin though, still gets much less respect in the boardroom. This is what I like to call “opportunity risk,” or the “digital transformation oversight” (for everything from marketing to supply chain, to credit card transactions). Board oversight of opportunity risk is often seriously deficient.
Ferracone: What types of fallout can companies expect from a cyber-breach?
Zukis: To paraphrase Warren Buffett, “we are in uncharted territory, and it’s going to get worse, not better.” By not having the right technology skillsets in every boardroom, companies and their boards have set themselves up for failure, so it’s almost guaranteed to get worse before it gets better. Hackers come from all over the world with different motivations, including corporate espionage, and financial and health data theft. They are incredibly diligent in figuring out creative ways to attack corporate networks, and while these anonymous hackers advance their tactics, it is critical for companies to anticipate what’s coming next and stay a step ahead of them.
Because of these ongoing threats, I think external stakeholders have tremendous influence on how boards approach cybersecurity, especially within the context of bringing on new board members with the right skills, and in many cases, adding a technology committee. For example, we are starting to see shareholder proposals that directly link CEO pay to cybersecurity, such as at Disney and Verizon. Regulators in the U.S. are writing regulation that clearly signals their intent to hold companies and their executives accountable through civil and criminal penalties. And institutional investors also are starting to wake up to both the value-creating and value-preserving opportunities of their investments. Customers are growing impatient, and given the public interest on this issue, it’s only a matter of time before regulators step in. Congress is already looking at proposed legislation around digital privacy. If companies don’t address this quickly, they may have regulations imposed on them which historically have been labor-intensive and costly.
Ferracone: It is increasingly accepted that it is important to have a cybersecurity/technology expert on a given company’s board to ensure the board is aware of potential business risks. But at this juncture, only a small percentage of S&P 500 companies identify these experts in their proxies. Can you share with us the skillsets and complementary skills boards/search firms should be including in their searches if they want cybersecurity expertise?
Zukis: Bringing in technology/cybersecurity experts to the boardroom has been glacial. It’s starting to move, but boards can’t govern what they don’t understand. Boards need the right technology skills to oversee the upside and the downside of technology. I always relate this back to the Sarbanes-Oxley requirement for boards to have a qualified financial expert (QFE) on the board; that was only 17 years ago in 2002, when that legislation passed. We now need qualified technology experts (QTE), and while it’s not a regulatory requirement, at least not yet, there’s only an upside for boards to add these skills today.
If these skills and competencies were defined in the same framework as those used by the SEC to define a QFE, these new board members would be able to demonstrate the technology and cybersecurity risk skills and competencies through their collective experience and roles and/or education.
There’s a misperception among many board members that CIOs or technology executives lack business savvy and would not be contributors to the broader board agenda, when in fact, most CIOs have been very involved with defining and implementing the technology that drives the business and often report directly to the CEO.
Ferracone: As companies are thinking about the “work force of the future,” what should they look for in their C-Suite executives with regard to technology skills? How do you see this evolving?
Zukis: I see the CIO as future potential CEO. MIT’s 2019 research, “Companies with a Digitally Savvy Board Perform Better,” indicates that companies with digitally savvy boards drive significantly better business outcomes, from 38% higher revenue growth to 17% higher profit margins, greater market capitalization and even better return on assets. Technology as a strategic and operational differentiator is table stakes, and the C-Suite executives of the future will need to understand this. Digital success really does start at the top.
Ferracone: In your experience, how are technology issues/challenges and responsibilities being shared with the board? Do you recommend report-outs from the CIO at each meeting? Should the board add a technology committee? Is there anything else boards should do?
Zukis: I’m a big believer in the value of a focused technology and cybersecurity committee for most public and many private companies. These committees help drive focus and effort, build skills and signal importance. Moreover, these issues are not part-time endeavors. Many public companies lump cybersecurity risk oversight in with the audit committee. That’s probably the worst place to put it as it doesn’t receive the attention it requires and the audit committee in most cases does not have the right skillset for overseeing technology, data and privacy issues. Technology and cybersecurity are part of the same ecosystem. For example, every technology decision a company makes attaches to a specific cybersecurity risk profile. They are symbiotic, not mutually exclusive. As MIT’s research has shown, there’s business value to having a critical mass of digitally diverse skills in the boardroom.
Ferracone: As we wrap up, what are the three areas investors, boards and executives should be focused on in the technology arena to prepare for the possibility of intrusions, attacks and breaches in their tech infrastructures?
Zukis: In my estimation, the top three are:
- Conduct a business continuity risk assessment from a cybersecurity risk perspective. It’s difficult to see the tip of the iceberg on third party risk let alone the ability to identify and understand systemic risk unless cybersecurity is taken seriously.
- Prepare now for what’s coming. If companies don’t do this, then boards are exposing their companies to technology disruptions and cyber breaches with the potential to cause major business disruptions and erode shareholder value.
- Consider establishing a technology and cybersecurity committee to organize digital oversight and make technology a full board issue.
Doing these three things will help businesses find new opportunities to create and preserve shareholder value, rather than erode it.
Ferracone: Bob, thank you for talking with me. Your insights will help many stakeholders anticipate the technology risks coming, and make the preemptive moves needed to identify new opportunities and avoid disasters.
This post originally appeared on Forbes.com.