Four Lessons on the Cybersecurity Landscape from Summit Experts

During NACD Summit 2021 earlier this month, I had the pleasure of participating in a cybersecurity expert panel discussion. Given the ongoing headlines about cyberbreaches, elevated ransomware, and new regulations, it should be no surprise that this discussion sparked a lot of engagement.

In case you missed the panel—which comprised Robin Bienfait, CEO of Emnovate and founder of Atlanta Tech Park; Robert Kress, managing director at Accenture Security; and Jerry Perullo, chief information security officer (CISO) at Intercontinental Exchange—or are just looking to learn more about the current cybersecurity landscape, below is a recap of some of the key points we discussed.

While information technology (IT) security budgets are increasing, confidence in security seems to be decreasing. PwC recently reported that 69 percent of organizations are expecting to increase cybersecurity budgets in 2022, with about one-quarter expecting an increase of 10 percent or more. Meanwhile, according to research by EY, just 9 percent of boards are extremely confident in their organizations’ security and mitigation programs, while 77 percent of respondents to the survey have seen an increase in attacks over the last 12 months.

With the increase in spending and decrease in confidence, one of the most common questions I’m asked by executives and risk practitioners is how organizations can best measure the performance of their cybersecurity programs. From a practical perspective, cyber-risk quantification—quantifying the financial impact of cyber threats—can help with that. But it is also worth understanding cybersecurity landscape trends because the performance of your cybersecurity program relies on them.

On that note, several factors are compounding the challenges that security professionals face in an already asymmetric cyber landscape. For instance, organizations are becoming increasingly digitalized to support their business goals, and this is increasing the attack surface for threat actors. In addition, threat actors are taking advantage of the growing landscape and are constantly scanning organizations for unknown vulnerabilities. These threat actors are also working as an ecosystem and sharing information among themselves. Blind and adversarial testing with red teams can provide valuable insights into how attackers view your organization, but your security team will need resources to execute this in an ongoing manner. 

The key point here is that while some executives may question the increased budgets and dwindling confidence, it’s important to recognize that the cybersecurity landscape is in a constant state of flux and that it is largely impacted by how businesses evolve. For example, as noted above, digital transformation and working from home evolved the threat landscape by adding new vulnerabilities to the mix. Recognizing the interconnected relationship between your business and security strategies is a critical step to engaging in more productive security discussions and providing security teams with the support they need. 

Since digitalization isn’t going away, there are some things you can do to reduce your exposure. For instance, before you make the transition to the cloud, evaluate the drivers behind the transition and whether you have a plan for what gets moved and for mitigating risk. As a board member, a good way to evaluate whether the transition is worth the risk is to ask whether your organization’s security will be as effective in the cloud as the defense you had in place before the move (in other words, whether moving to the cloud will create more or new risks and whether you are prepared to mitigate them).

In addition, make sure your IT and security departments know who your cloud providers are. They can vary, from hosting providers such as Microsoft Azure and Amazon Web Services to software-as-a-service (SaaS) providers such as Salesforce. All of these environments need to be monitored, and your security team should be appropriately involved in onboarding and tracking. Finally, having a cloud-agnostic environment, in which you have multiple cloud providers in place in case one goes down, can increase your resilience to attacks. 

New regulations and disclosure policies present opportunities for boards to learn and engage. Take the executive order President Joseph R. Biden Jr. issued in May. It illustrates that the government expects organizations to be more proactive in disclosing and sharing cybersecurity information and to implement more rigorous measures to increase supply chain security. These requirements not only will have ripple effects across organizations and industries but also reflect many of the ongoing challenges the private sector has been facing.

So, increased requirements on disclosure could be a good thing. For instance, supply chain risk and third-party risk continue to concern the majority of organizations. In fact, only 35 percent of CISOs believe their third parties would disclose a breach in an adequate period of time. If disclosure requirements can be normalized for the private sector, the result will be better data on risk and response scenarios.

Ultimately, as panelist Jerry Perullo pointed out, many of the new regulatory requirements are around disclosure and recovery, so try not to get bogged down by metrics when talking to your CISO. Instead, reach alignment on your business objectives, primary threat and vulnerability concerns, detection and remediation capabilities, and recovery plans.

While these are just a few points discussed during the Summit session, they illustrate the variety of factors at play in the cybersecurity landscape and how many of these are inherently linked to how business is done today. While it is true that many of the digital practices businesses adopt create new risks, they also enable businesses to achieve more. 

Therefore, when you think about cybersecurity return on investment, think beyond prevention and consider how well your security practices enable your business to achieve its objectives while cost-effectively managing the corresponding cyber risks to an acceptable level.

Derek Vadala is senior vice president, head of risk at BitSight.

NACD: Tools and resources to help guide you in unpredictable times.

Become a member today.

Three Questions Directors Should Ask About the Transition to Net Zero

Public and large private companies are increasingly under pressure to publicly disclose their plans to transition to net-zero carbon emissions. US Securities and Exchange Commission (SEC) chair Gary Gensler has asked agency staff to submit a proposal for mandatory climate-risk disclosures for SEC consideration by the end of this year.

Business as usual is no longer tenable. Global greenhouse gas emissions must be halved by 2030 to meet the Paris Agreement and Biden administration goal of reaching net-zero emissions by 2050—yet carbon emissions are still rising.

Corporate momentum on net-zero initiatives is building. More than one-fifth of the world’s largest corporations have pledged to reach net-zero carbon emissions by 2050. Organizations such as the Glasgow Financial Alliance for Net Zero, made up of more than 300 financial institutions responsible for approximately $90 trillion in assets, are setting science-based targets for 2025 and 2030 to mobilize finance at scale.

Companies that are among the first to figure out how to transition to a low-carbon economy will not only benefit from lower capital costs. They will also build competitive advantages that are hard to challenge: capturing new value as sectors reshape, progressing along steep experience curves, deepening customer relationships as they partner to solve for the whole value chain, and innovating their business systems.

By contrast, those organizations caught unprepared will not only risk contributing to a climate disaster—they will also risk falling behind better-equipped rivals through more expensive financing, lagging know-how, declining demand for non-decarbonized products, exclusion from new value systems, and damaged reputations.

So, as boards take stock of increasingly apparent climate risks, every director should raise questions that probe if their management teams are preparing for both the risks and opportunities on the way to a net-zero world. Based on our recent research, here are three questions that can help:

1. Is the company climate-resilient? Risk to the company should not be the only perspective, though it is essential to provide continuity of service and to understand where innovating processes and products can lead to new opportunities and lower risk.

On the physical side, while companies may already have insurance against extreme weather events, they may not be protected against future cost increases of that insurance as weather risks increase: operationally committed to their properties, companies may find themselves protected against weather risk but not climate risk.

On the transition side, directors need to ask management to present their plans for transitioning to a net-zero economy and the risks those plans entail.

What Directors Should Do: Confirm the company has people with the right skills to determine if the business is climate-resilient in both physical and transition risk. Probe if the team is making adequate climate-related disclosures to stakeholders. Verify that the management team is examining a wide range of transition scenarios. Consider: beyond the business itself, whom is the company relying on, and how well are they prepared for a low-carbon economy?

2. Is the business designed for maximum impact in a net-zero economy? To get to a net-zero world, companies need to engineer emissions out of their entire business systems, including their supply chains and customers’ use of their products. Reaching this goal may involve embracing opportunities for new scope in adjacent spaces and new ways of establishing strategic control of the value chain. Opportunities for profitability—and value—are shifting as businesses that are currently low margin become strategically valuable once revamped for a low-carbon future. Pressure to repurpose scrap material for another life, for example, could transform the waste and scrap industry while increasing costs for the businesses depending on it.

What Directors Should Do: Ask management if they are analyzing where value will migrate in their industry within a net-zero world—and if the company is prioritizing the right space. Is the team examining its entire value chain for new opportunities? Is it looking just at its own transition—or at the business opportunities of helping its customers with theirs?

3. Does the company have the support required for its plans? To reach net zero by 2050, every company will require investors, banks, suppliers, customers, employees, and policymakers to support its transition to a less carbon-emitting business. To persuade a wide range of stakeholders to back their plans, management teams need to select and track trusted emissions metrics aligned with the progress they are targeting in order to tell their stories. Metrics that recognize the dynamics of transition, such as those measuring carbon intensity or implied temperature rise, may prove more useful than focusing only on absolute emissions.

What Directors Should Do: Make sure management chooses metrics that support the path they have chosen, from the set of metrics recommended by the Task Force on Climate-related Financial Disclosures (TCFD). Multiple bodies and standard-setters, from the G20 Finance Ministers and Central Bank Governors to the International Financial Reporting Standards Foundation, have made statements in support of the TCFD framework as a shared international framework.

It is natural, and necessary, for the board to approach climate change with a risk mindset. But also applying an impact mindset can help ensure that the business can embrace the opportunities of the transition and establish a strong and defensible position on the path to net zero, in terms of both climate and financial impact.

John Colas and Simon Glynn are partners and co-leads of climate and sustainability at Oliver Wyman.

How Gender Diversity May Impact These Four Boardroom Discussions

Perspective matters. And when it comes to some of the most important issues directors face—such as the climate crisis, compensation and diversity goals, and how best to operate in a more virtual world—we continue to see key differences in the perspectives of men and women. 

Released this month, PwC’s 2021 Annual Corporate Directors Survey features responses from more than 850 US-based directors. A look at the data by gender reveals several areas in which the responses noticeably differ:

1. Environmental, social, and governance (ESG) issues. Almost two-thirds of directors (64 percent) say their company ties strategy to ESG issues—a 15-point jump from 2020. But as more companies and boards dig into ESG, men’s and women’s perspectives on certain ESG matters vary greatly. 

For example, while 87 percent of women say they are very much or somewhat concerned about the climate crisis, only 67 percent of men say the same. Furthermore, while most directors support the current voluntary system of ESG disclosure, women are twice as likely as men to support mandatory ESG disclosures (29 percent versus 14 percent).  

2. Board diversity. This is hardly a new topic. But when we asked directors why boards haven’t become more diverse, more quickly, men and women pointed to different factors.

Fifty-nine percent of women cite an overreliance on director networks to source qualified candidates as an impediment to board diversity efforts, compared to only 31 percent of men. Men are much more likely to point to a lack of qualified diverse candidates as an impediment—54 percent, compared to only 21 percent of women.

Overall, most directors agree that diversity won’t happen on its own. The percentage of directors who believe boards do not need to act on board diversity dropped by more than half from the prior year, to just 33 percent. But a much larger percentage of men (40%) still say it will happen naturally, compared to 15 percent of women. 

3. Tying compensation to diversity goals. As the ESG conversation takes hold in boardrooms, more companies are considering whether (and how) their diversity, equity, and inclusion (DE&I) goals should be tied to executive compensation.

There is clearly a shift in how boards are thinking about DE&I efforts and executive accountability. From 2020 to 2021, overall director support for tying diversity measures to incentive plan goals grew substantially, from 39 percent to 52 percent. But a much larger percentage of women support these measures: 74 percent in 2021, compared to 44 percent of men. 

4. Conducting business virtually. In 2020, board meetings largely shifted from in-person to virtual. While directors indicate some reversal of the trend this year, many plan to continue meeting virtually at least some of the time. Although meeting efficiency topped a list of positive impacts directors see from virtual board meetings, directors agree that effectiveness has suffered—with men indicating a more negative toll.

Forty-seven percent of men say virtual meetings negatively impact director engagement, compared to 33 percent of women. Further, 42 percent of men say meeting effectiveness has suffered, compared to 32 percent of women. Board members will have to work together to find effective ways to stay engaged virtually and hold one another accountable. 

Strong boards recognize the importance of diversity in driving richer discussions, spurring important dialogue in the boardroom, and helping boards think differently about complex issues. One place in which nearly all directors are aligned? They agree that board diversity (gender and otherwise) brings unique perspectives to the boardroom (93%) and improves relationships with investors (90%).

Diverging views bring about debate, discussion, and the opportunity to arrive at well-considered decisions. A fuller perspective is where today’s boards and organizations can find tomorrow’s competitive advantage. 

Maria Castañón Moats is the leader of the Governance Insights Center at PwC US.

Directors Advised to ‘Lean In’ and Other Nuggets from NACD Summit 2021 Speakers

In the second Virtual NACD Summit from October 1 through October 8, NACD riveted screens across the country with appearances from organizational psychologist Adam Grant, US Securities and Exchange Commission commissioner Elad L. Roisman, Southwest Airlines chair and CEO Gary Kelly, and more. Kicking things off on October 1 with a day of exclusive programming just for NACD Directorship Certified® directors, NACD Fellows, and NACD Accelerate members, Summit continued the following week with daily general session programming powered by AIG in addition to smaller-group forums and shorter panels on specific topics such as executive compensation and the ethical oversight of digital transformation.

“The last year and a half have had exceptional ups and downs. We have seen human tragedy, racism exposed, and a divided nation. But we have also seen the triumph of the human spirit—to do better and be better, and in the case of directors, to lean in during a tumultuous time in order to fully support management,” NACD president and CEO Peter R. Gleason said to the virtual audience in his opening speech on Monday, October 4. “If there is one takeaway from the past 18 months and this pandemic, it is that the time is now to make ourselves, and our boards, future ready.”

In a session titled “Leading Through Economic Transformation: Trial by Fire” moderated by Anna Catalano (director at Frontdoor, HollyFrontier Corp., Kraton Corp., Willis Towers Watson, Appvion, and the NACD Corporate Directors Institute, an independent sister organization to NACD that owns the NACD Directorship Certification® program) panelists shared their firsthand experiences of managing the unexpected and prevailing against the upheaval of the last year and a half. Speakers included Orlando Ashford, executive chair at Azamara and a director at ITT, Perrigo Co., Array Technologies, State Farm, and Hershey Entertainment and Resorts Co.; David Marriott, a director at Marriott International; and Carol B. Tomé, CEO of United Parcel Service.

“The role of health and health protocols is going to be here to stay,” Ashford said, as a consequence of how the pandemic has permanently altered the future of business. “We’ve doubled down on health experts to advise us. Not just my company but the industry, and really all of our industries, we’re trying to share information… because at the end of the day we want people to be able to enjoy our product, enjoy our offering, and do it in as safe a way as possible.”

On Wednesday, October 6, Paul Polman, CEO of Unilever from 2009 to 2019 and current vice chair of the United Nations Global Compact, and Marian Heard, president and CEO at Oxen Hill Partners and founding president and CEO at the Points of Light Foundation, took the stage to discuss how directors can make a difference in society. Speaking about sustainability generally, Polman told Heard and the audience that most companies don’t play to win—they play “not to lose.” To nurture viable businesses into the future, this mindset will have to change. “The business community broadly knows what needs to be done… yet collectively, we’re not achieving what we need to do…. We actually have to be regenerative, restorative, reparative,” Polman said.

The week of programming closed with a conversation between Leo E. Strine Jr., the former chief justice of the Delaware Supreme Court who is now of counsel to Wachtell, Lipton, Rosen & Katz, and Kim Rucker, a director at Lennox International, Celanese Corp., and Marathon Petroleum Corp. After covering topics ranging from stakeholder engagement to diversity, equity, and inclusion and then to board composition, Rucker ended the session by asking, “What do directors do after they attend this wonderful weeklong Summit? You’re inspired, you’re all charged up. From my perspective, it’s so important to prioritize, to partner back with your companies, and to pace yourself.”

“Think about the idea that we’re going to try to make money the right way. You don’t have to have a fancy purpose,” Strine concluded. “If your products are useful and safe… if your employees have quality wages and can provide for their families and have a better life and they enjoy being at work and being part of the team… you pay your taxes in the communities you’re in and you support the local institutions… if you do all those things and you organize yourself as a business and your board structures around that, you’re not going to miss key risks. You’re going to feel good about yourself. And, frankly, by focusing on that you’re not going to get into side issues; you’re going to focus on the main thing that is required to be a good corporate citizen.”

For more coverage of NACD Summit 2021, check out “Curbing Climate Chaos Will Require Innovation, Leadership from Boards,” “Economic Recovery, Labor Supply Weigh on Small Businesses,” and “SEC Commissioner Elad Roisman to Directors: ‘My Door Is Open’.”

Get Out the Map: The Journey to Your First Board Seat

At NACD, we regularly hear from senior executives looking to expand their careers by serving on a corporate board. Their challenge? They do not know how to take the first step on that journey. The recruitment process often can seem opaque, and occasionally intimidating, for those who are just getting started—but it doesn’t have to be.

In early 2021, NACD Accelerate participants attended a virtual session that covered how to best position themselves for board service. If you are a senior executive interested in joining your first board, the following actionable tips revealed during that members-only session can guide you on the path to directorship.

1. Know It: Understand the Recruitment Landscape

It’s no secret: the path to your first board seat is not always a straight line. There are limited board seats available each year, and many board roles are won through personal and professional networking. According to the 2020 US Spencer Stuart Board Index, there were 413 new independent directors placed on S&P 500 boards during the 2020 proxy season, reflecting 8 percent of all S&P 500 directors.

Identifying your first board seat can be a challenge, but it is not impossible. The journey to your first board seat will require a committed effort and an open mind.

Candidates are best positioned for success when they understand what boards look for—and how to demonstrate their value effectively. When recruiting, boards primarily focus on four key areas of a candidate’s experience:

The industry in which the candidate has experience
The revenue of the candidate’s day-job company
The candidate’s functional role at their company
Any special skills the candidate may have, such as experience with human capital, analytics, or digital transformation

Below are tips on how to leverage these four areas of focus in your board search.

2. Learn It: Get Relevant Experience

Though senior executives are well on their way to understanding certain aspects of board work through their day-to-day roles, boards want to be sure that their candidates are prepared with the knowledge required to step into the boardroom and add value on day one.

At NACD, we recognize the need for a pipeline of strong, diverse, and highly qualified professionals to serve as tomorrow’s directors. That’s why we created NACD Accelerate: a unique two-year program that creates a pathway for executives with little to no experience in the boardroom to prepare for board service. Executives in the Accelerate program receive the tools, resources, and exposure that are key to launching a successful career as a director—including the opportunity to network with NACD’s elite director community and become NACD Directorship Certified®.

In addition to Accelerate and NACD Directorship Certification®, joining nonprofit boards is an effective way to enhance your résumé. To find open nonprofit board seats, you can look at postings on LinkedIn, VolunteerMatch, or your local chamber of commerce’s website.

Think about your skills and interests: What are you passionate about? How can your talents add value to a nonprofit board? The answers to these questions should guide your nonprofit board search and service. Nonprofit board roles can give you the small-group and committee experience that for-profit boards are looking for in their director candidates.

Private company boards also offer opportunities to broaden your directorship skill set. Private equity firms are continually looking to place directors on the boards of their portfolio companies. Knowing the value you can bring to the boardroom will help you stand out to boards looking for specific experience.  

3. Name It: Find Your Unique Value Proposition

So, you have relevant experience—what’s next? Develop and refine your unique value proposition, which is—at its core—an elevator pitch detailing the value you would bring to a board.

Your unique value proposition should be succinct and mention those four key areas that boards focus on when searching for a new director. Because of cross-industry recruitment, ensure that your value proposition is free of jargon and acronyms that may not be understood by someone in a different field. Incorporate leadership language—even if you don’t yet have board experience—thinking about your time leading organizations, departments, or teams. (The NACD Accelerate curriculum offers access to programming and resources that help aspiring directors present their experience and knowledge in compelling, effective ways.)

And don’t forget: defining your value proposition is never done. Review it regularly and update it as needed. Business and governance language changes over time—consider how infrequently you heard and saw the term “ESG” (environmental, social, and governance) five years ago compared to today. Ensuring that your language is up to date lets boards know that you are committed to continuing education and keeping up with boardroom trends.  

4. Build It: Create Your Board Résumé, LinkedIn Profile, and Board Profile

In today’s digital world, clearly conveying your value proposition through your board résumé, LinkedIn profile, and board profile is critical to your success.  

Board résumé. To grab readers’ attention, your résumé should start with a headline quickly summarizing who you are and that value proposition you’ve articulated. Because boards recruit using many different criteria, it’s important to include as much detailed information about your experience as you can, going back at least 10 years. Distill your value through a leadership lens. Board work, executive work, and education are all critical pieces of a board résumé, in addition to notable certifications, memberships, community involvement, awards, published work, and speaking engagements. The best board résumés humanize the candidate; consider including three to five pieces of personal information about you, such as your hobbies, foreign language proficiencies, family information, or volunteer activities.

LinkedIn profile. After updating your board résumé, you can copy your experience into the relevant fields of your LinkedIn profile. Be sure your value proposition is clearly articulated through your headline, “About” section, and experience.

Board profile. Similar to a speaker bio, this document should include a headshot and is used like a marketing tool to promote your candidacy. The board bio is generally a one-page overview of your experience in a narrative style, starting with an overview of who you are and what prospective boards should know about you as a candidate. Be sure to include any board service, honors, and speaking engagements.

Though finding your first board seat can be a daunting process, entering the market with a strong understanding of the recruitment landscape, board-specific education experiences, and well-crafted candidate materials can make all the difference.

If you are an executive with little to no experience in the boardroom and are ready to take the first step in your directorship career, consider NACD Accelerate. For questions, contact a member of our team at accelerate@nacdonline.org.
