It’s generally accepted that the development of technology
is rapidly accelerating. So too has the speed of integration of new
technologies into our day-to-day lives. Consider this: since mobile phones were
first introduced, it took 12 years before 50 million people had one. In
contrast, it took Facebook only 2 years since its debut to reach that same
milestone, and the mobile phone game Pokemon Go only needed two days.

At such a pace of proliferation, it’s difficult to fully
grasp the ramifications of a new technology before the next wave of
change comes rolling in. And if you’re a company that is under pressure to
digitize its operations, being too aggressive about staying on the cutting edge
of digital transformation can lead to potentially catastrophic risk exposures.
It’s an area where board insight and oversight are especially needed—but knowing
exactly how to approach the issue might not seem equally crystal clear.

Accenture’s Robert Kress says there is no panacea to cyber risks.

This was the subject of a recent roundtable hosted by NACD
in partnership with Accenture. According to Robert Kress, managing director at
Accenture, there’s no single panacea.

“You need to tailor your thinking to the environment you’re
working in,” he said. “So, what do you do about it? Think about leadership in
governance across three key dimensions: within your organization, within your
ecosystem, and within and across industries. Looking within your organization,
ask: What is the scope of your CISO’s responsibility? Looking within your
ecosystem, realize that every organization is more dependent on other players
within your ecosystem. Many of the breaches that occur come through that
channel. Look across industries because the Internet is fragile. Think about
when it was created and what it was created for—and it was not designed to
defend against cyberattacks. There is a lot of work needed to reinvent the
Internet—and that is only going to happen if organizations are working together
and working with the government.”

“I would say that it’s not as complex a picture as you have
painted,” Vikram Desai, global managing director at Accenture, said in
counterpoint. “I do think that while each company has a unique fingerprint,
there’s a value chain associated with how businesses operate and there are
simple pain points along the way. And there are some very basic things you need
to get right to make it more difficult for an attacker to target you. Within
industries, exchange information on best practices, work with service providers
to understand the real-time status of attacks. It’s incumbent on every board
member to make sure that there are techniques and exercises consistently
executed [throughout the organization] to make sure the people are sensitized
to these issues.”

Desai went on to underscore the importance of the chief
information security officer (CISO). To begin with, selecting the right person
for that role is difficult because most CISOs are technologists who lack
business savvy and the ability to communicate what they know to a lay
audience—so ensuring that the person who steps into that role receives the
requisite training to effectively communicate to senior leaders and the board
is critical for his or her success. Boards should also ensure that there is a
CISO succession plan in place. Generally speaking, a CISO stays with a company
for about 24 months. With such a high turnover, ensuring that there is a
pipeline of talent within the organization that can capably fulfill the duties
of that role is critical.

Attendees listen as NACD Directorship Publisher Christopher Clark introduces the theme of the discussion.

“Understand the role of the CISO and what you expect from
that person,” Desai said. “Does the CISO have direct exposure to the board, or
are they blocked by a tech person? Does the CISO understand the top business
objectives for your company and how security can enable those objectives? The
CISO needs to show how things can be done and what the associated risk and
rewards are. If there’s alignment, you’ve got a great running start.”

Visit NACD BoardTalk later in the week for additional
coverage from this event as director attendees grapple with cyber-risk
oversight best practices.