Marketing and AI: What Boards Need to Know

Artificial Intelligence (AI) is about to exit the hype cycle, and innovative boards should be empowering and positioning their companies to take on the advantages and challenges that come with it. Chief marketing officers (CMOs) in particular are either using AI for competitive advantage already, or they are champing at the bit to do so. The directors of companies need to be ready to oversee the work they are doing with the technology.

Whether used by marketing departments for customer data analytics, targeting, recommendations, or chatbot support within a company, there are implications to AI implementation for a company’s leadership, strategy, risk, ethics, and corporate social responsibility. The good news is that board members do not need to understand the working of every feature, part, and possibility of AI to be able to govern its use. This is like driving and even enjoying a Tesla—business principles apply to and drive governance. Understanding exactly what is under the hood can come a bit later.

Four broad areas exist for company directors to consider:

1. Understanding and staying abreast of developments in AI;
2. Implementing AI within marketing;
3. Governing AI initiatives after implementation; and
4. Continuing with AI in the future.

Understanding: Institute an AI Council Within the Board

One of the most significant challenges involved in governing the use of AI is the frenetic pace at which the technology is advancing. Boards should be aware that AI can be applied to a variety of traditional marketing functions: dynamic pricing, demand forecasting, increasing conversion, customer support, and even customer retention. A recent McKinsey study found that AI will make an impact on various retail sector business functions to the tune of $600 billion, with other sectors facing significant disruption, too.

Meanwhile, boards should also understand the race that is happening across the world to understand, apply, and reap the benefits of AI. Eighty-five percent of Chinese companies are actively working in AI, and China is dominating AI research and implementations. The European Commission, chartered with ensuring trust about the use of AI, published seven essential guidelines on ethics for AI, including human agency, transparency, bias, social and environmental wellbeing, and privacy.

While these are not yet governance laws, boards should expect to see laws sometime in the near future. For instance, the General Data Protection Regulation (GDPR) already requires transparency about any algorithms used. Algorithms need auditing for bias from both technical and social perspectives. A similar law could emerge for the use of AI, or GDPR could be applied more broadly to AI.

For these reasons, it is useful to constitute an AI council within your company that is specifically charged with educating the board on the technology and related regulations, monitoring strategic AI initiatives and competition, reporting on risk and ethics, and bringing the board up to speed on other related AI oversight matters. An AI council with a diverse set of experts is best suited to create a detailed and feasible transformation plan to ensure longevity and staying ahead of the competition. With the help of an AI council, the rest of the board can understand the landscape quickly in the business context and be ready to take on strategic and governance challenges.

Implementing: AI As a Platform, Not a Point Solution

AI presents a unique opportunity to market across the customer lifecycle. Companies currently struggle to consolidate customer data from channel silos and rely either on human skill or chance to drive conversion. AI presents the real possibility of running one-to-one marketing and sales to increase conversion based on individual customer insight.

By consolidating customer data across traditional marketing channels along with transactional, customer support, and loyalty programs into a customer 360 database, AI can provide the following: highly targeted messaging, individualized promotions and pricing, and automated customer engagement and support, all in order to increase repeat and first time conversion.

Siloed marketing departments with inadequate IT support find expensive and ineffective external point solutions to make this type of marketing happen. A comprehensive data and customer lifecycle platform that uses machine learning and AI is able to model the data as required for differentiation and success at greater speed.

To realize this potential, boards must drive transformation and sustained long term strategy. Technology implementation should start with clarity on business goals and continued transformation. Here are pitfalls to consider during implementation of such transformations that boards can help companies avoid.

Governing: Oversight Framework

Since AI adds new challenges and opportunities to marketing, directors need to be able to understand the motivations, results, and risks for any marketing processes that use it. At the outset of the board’s work to oversee AI practices within the company, the board should request from the CEO and CMO a summary of the following:

opportunities being pursued via AI;
functions and features in use;
types of data and how they are being used;
privacy, bias, and ethics considerations paired with measures or audit trails to track them;
any findings by AI, such as new customer micro-segments or product and service features needed;
any external sources of data being used;
any data partners who might share data and how they might do that; and
any explanations or assurances provided to stockholders, particularly around any rulings around data, ethics, and corporate social responsibility.

Thereafter, a report every six months on changes or progress within these areas is a good way to keep the board informed about AI’s use and role within the company.

In regular reports, the CMO typically presents metrics such as “ad to sales” ratio and “contribution to sales.” Most marketing departments still struggle with attribution of marketing spend to conversion and cannot readily cite customer acquisition cost (CAC). The use of AI along with customer 360 data enables clarity on customer acquisition, conversion, satisfaction and retention or customer lifetime value (CLV). CMOs in concert with business unit owners should then present KPIs such as CAC, CLV, and sales growth, as improved by AI every half year.

Audit also plays an important role in the board’s ability to oversee AI marketing efforts. Audit reports on privacy and bias, produced by the company’s audit measures and by independent auditors, must be presented yearly. The strategic plan should have half-yearly and yearly benchmarks for the use of AI. The board should gauge the need for adjustments in strategy or actual progress based on the goals in the plan.

Continuing: Future-Proofing and Longevity

Faced with ever-faster disruption, companies must future-proof themselves and their technology with continual transformation. Even the government is doing it. Boards must support a culture of measured risk-taking and agile processes. Preventing a change of leadership from triggering restarts and reinvestment is a key board responsibility. The AI council should work in concert with the board to list anticipated market changes and product or service features that drive deep differentiation. Whether by internal efforts or by acquisition, strategic planning and preparedness will ensure companies survive.

Tuning Up the High Frequency Enterprise

In my role looking after enterprise strategy for Amazon Web Services (AWS), I employ a team of former chief information officers to help large enterprise customers with their cloud adoption strategies. There are a number of reasons why so many enterprises are moving to the cloud, including cost savings and improved performance and reliability, but more often the reasons motivating a move to the cloud include the business’s need for greater speed and agility to help accelerate their digital transformation efforts.

Many enterprises are stuck in what we call a “low-frequency” mode of operating—or an environment where any change involves risk, introduces instability, and requires a lot of effort, ultimately leading the enterprise to move at a slower pace. This is opposed to “high-frequency” enterprises that have achieved a rapid pace of change and reduced risk, where the focus is on frequent value delivery rather than ensuring change does not disrupt operations. In my team’s new eBook, Tuning Up the High Frequency Enterprise, we discuss what the C-suite and board should know about the idea of moving from an organization operating at low-frequency to one of high-frequency.

Understanding the Low-Frequency Model

Why are so many enterprises stuck in low-frequency mode? Boards should understand that low-frequency digital operations are typically due to a mountain of technical debt within the company’s information technology practices. The debt could have piled up through years of accrued workarounds and shortcuts for issues in existing systems and applications that were never addressed. This debt is compounded by outdated models of security, risk, and compliance that fail to build in processes meant to discover performance issues or vulnerabilities early in the development process, when they are less costly to resolve.

Another reason why low-frequency operating models persist is that when the digital leaders of an enterprise develop a new vision and objectives, that vision and grand roadmap too often are expected to be matched with what we like to call “big execution” in information technology. Before any team writes a single line of code, months are spent by executives, managers, and project managers in intricate planning, trying to map out every step of development and product delivery in advance. The problem is that in this mode projects tend to grow larger and more unwieldy, with the scope expanding as more and more requirements are added by a broader set of stakeholders.

Taking this approach means months or years can go by before anything is put in the hands of the customer. It can also mean that the project is completed without any periodic validation that it actually achieves the original objectives of the grand vision or strategy. As a result, boards will likely have a more difficult time gaining visibility into the actual progress of these large, low-frequency investments, and assessing whether or not they pose a risk to the future growth and health of the enterprise.

Getting to High-Frequency Success

On the other hand, becoming a high-frequency enterprise means that the company’s leaders are guiding it towards being an organization where technology is a true enabler of continuous improvement and business value generation. Operating in high-frequency mode means your company’s digital leaders and teams can make changes to products, systems, and applications at the quick pace your business’s strategy requires and at the speed that your customers demand.

How does our team know this works? We have worked with thousands of the largest enterprises globally, and our team is composed of experts who have led digital transformation efforts at companies like Coca-Cola Co., Capital One Financial Corp., and the Department of Homeland Security. Through this work our team has identified seven of the most common strategic shifts needed to get out of this low-frequency mode. Enterprises must identify the rigid and slow-moving anti-patterns holding them back and work to develop new behaviors. The board and the innovation and technology committee can play an active role in this process by working with technology leadership at the C-suite level to drive an assessment of the company’s current state relative to these patterns, and can suggest that the company prioritize these strategic shifts towards becoming better, high-frequency practitioners of digital transformation.

As board members, your role is of course to look beyond the technology. It’s important to recognize that a mindset shift is usually required to move the business into high-frequency mode. Leaders need to set the agenda, and role model the new patterns for their teams. Change is a fluid journey that requires building a continuous learning culture, constantly refactoring your systems, and always working to reduce your time to delivery. I hope the guidance provided here and in our eBook can help your board understand the enterprise patterns that will speed your digital transformation strategy to success.

Philip Potloff is head of enterprise strategy at Amazon Web Services (AWS).

Stavridis Challenges Boards to Evolve on Cybersecurity

A recent Accenture report finds that as the challenges of cybersecurity continue to change rapidly, increasing in impact and complexity, the cost of resolving cyberattacks is also on the rise. In fact, in 2018, the average cost of cybercrimes to affected companies increased by 12 percent from the year before, reaching $13 million per company. As these mutating threats grow in volume, sophistication, and scope, companies and their boards will be forced to play catch-up with threat actors, constantly adapting their cybersecurity defenses.

Admiral James Stavridis, former Allied Commander of NATO, has been consistently beating the drum for enhanced cyberprotection for years, and remains concerned about the varied risks originating from cyberbreaches. Stavridis recently joined NACD to share his insights into board governance of this ever-growing threat. He is currently operating executive of the Carlyle Group, chair of the board of counselors of McLarty Global Associates, and chair of the board of the US Naval Institute. He is also a monthly columnist for TIME magazine and chief international security analyst for NBC News. Admiral Stavridis will be a featured speaker at the NACD 2019 Global Board Leaders Summit.

Cyber Risks Present a Unique Challenge for Our Times

Boards largely recognize the growing significance of cyber risks. The 2018–2019 NACD Public Company Governance Survey finds that roughly 77 percent of directors have reviewed their company’s current approach to securing its most critical data assets against cyberattacks. That said, boards remain concerned about governance of this risk area; according to the same survey, 97 percent of respondents report oversight of cybersecurity as an important area of improvement. And they are right to be concerned, as just half (50%) express confidence that their companies are properly secured against a cyberattack.

Directors’ anxieties over cybersecurity are well-founded, as this security issue cuts across nearly all dimensions of modern life. From national security threats to the devices we carry with us, or those found in our homes, the proliferation of digital connectivity has increased our vulnerability to these threats. For Admiral Stavridis, it’s important to disaggregate the types of risk, as each will require unique treatments and strategies to effectively address. He breaks these cyber risks down into the following:

Criminal activity. This comprises “for profit activity, which by some estimates may amount up to one trillion dollars a year; and can include activity such as stealing an individual’s most private and intimate details from the cloud. This particular risk presents a massive challenge for most companies today.”

Terrorism. “This is the work of groups whose activities are ideologically-driven and question the value of specific societal structures. These groups include the Islamic State, Boko Haram, WikiLeaks, right wing nationalist organizations, [and] international anarchist organizations.”

State-on-state cyber risk. “There are a lot of shadow national activities, which used to take the form of espionage, but are quickly turning into shadow wars. Hackers are infiltrating networks, planting devices, manipulating data, and producing very real kinetic effects. In this arena, the US and China are the largest rivals, but certainly not the only relevant ones—other important players include Russia, North Korea, Iran, Israel, and France.”

Cyber-Risk Expertise in the Boardroom

In response to these threats, observers are debating the effectiveness of adding cyber-risk expertise to boards. Congress is getting involved, with the proposal of a bill that would push publicly traded companies to include cybersecurity experts on their boards. A separate congressional bill has also been introduced which, if passed into law, would require public companies to disclose whether directors are cybersecurity experts. Proponents of these legislative initiatives believe these would elevate oversight of this risk in the boardroom. Opponents question how expertise will be determined and by whom, as well as the effectiveness of a single-purpose director.

Admiral Stavridis falls squarely in the camp advocating for inclusion of this knowledge base in the boardroom, noting, “I do think it’s mandatory that every single firm has at least one cyber expert as a board member. So often, boards are simply not up to speed. [To mitigate against this reality,] some boards bring in a chief information officer, technology officer, or another member from the management team. But there is no substitute for having a peer in the boardroom, who broadly understands cyber, as well as the company’s approach to incorporating this risk calculation into its operations.”

He also believes that in the next couple of years, the United States Securities and Exchange Commission is likely to start mandating this type of expertise for public company boards. According to the Admiral, “it will resemble audit, in the sense that this will be a defined skillset, and will require a committee that focuses on its oversight.” He uses one of his boards, which established a committee on safety, technology, environment, and operations, as an example. The board decided to incorporate safety and operations into the committee’s responsibilities, as that is where much of the firm’s cybersecurity concerns are concentrated. “It’s an interesting grouping, but [to meet our company’s specific needs], that’s where we delegate governance of cyber risk, as well as the technology function,” he explained.

Leading Practices for Cyber-Risk Oversight

The Admiral believes the future of board oversight of risk is likely to skew towards cyber risk. His decades of experience, in the public and private sectors, have given him a unique perspective into these threats, boosting the legitimacy of his warnings.

This issue is not going away anytime soon. Its impact is likely to be more acutely felt in the coming years, especially as a growing number of companies leverage customer data to transform business models and create value. Effectively addressing this challenge will require an approach that incorporates not only strategy and risk management, but also legal and technological expertise. There is no panacea. There are, however, practices and processes that directors can adopt to mitigate exposure to cyber risks.

The NACD Director’s Handbook on Cyber-Risk Oversight provides practical guidance for boards across company sizes and types. Its five key principles are highlighted below:

1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an information technology issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
4. Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.
5. Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

Hear Admiral James Stavridis, former Allied Commander of NATO, speak at NACD’s 2019 Global Board Leaders’ Summit, September 21-24, 2019, in Washington, DC. Register by August 31 to save $500!

D&O Liability: Three Emerging Areas to Watch

The risks for businesses are constantly evolving, and the pressures on company boards and officers are continually growing. Gone are the days when directors’ and officers’ main concerns were related to company mismanagement and misrepresentation claims. Chief among the potential risks boards must now deal with are emerging technologies, cyber-risk issues, and ever-expanding litigation against companies and their boards. Given the emergence of these three threats, it is imperative that you and your fellow board members review your directors and officers liability (D&O) insurance for any lapses in coverage.

Emerging Technologies

Technology is advancing like never before, and businesses are using innovative technological tools to revamp everything from back-office processes to the products and services they deliver to customers. But with the excitement of new and arguably better solutions come a lot of unknowns.

Although artificial intelligence (AI), blockchain technology, digital assets, and quantum computing are all emerging technologies with something to offer businesses, each also presents potential exposures that must be understood and addressed. Whether it’s the lack of regulation, the evolution of existing regulations to keep up with new technology, a company’s inability to keep up with the times, or a board’s failure to properly disclose associated risks or costs, these new innovations can give rise to exposures that are now only being discovered by courts of law and insurance companies alike. For example, the failure to adequately disclose the potential risks associated with the implementation of AI, or misrepresentations about those risks, could lead to a potential directors and officers (D&O) insurance claim.

Cybersecurity and Privacy-Related Issues

In the relatively short history of cybersecurity exposure, boards have generally considered cyber-related loss to be a top risk for companies. The threats these incidents can pose to organizations, directors, and officers are becoming more apparent. Those threats include an increase in:

Securities class-action filings as stock drops associated with data breaches continue.
Derivative lawsuit filings against directors and officers for alleged mismanagement or false or misleading statements related to cyber incidents.

Over the past year, we’ve seen greater regulatory scrutiny and activity in the cyber exposure space, and it is not limited to civil litigation. The Securities and Exchange Commission (SEC), for example, has settled enforcement proceedings arising out of matters such as a company’s purported material misstatements and omissions regarding a large data breach and alleged failures in cybersecurity policies and procedures surrounding such a breach that compromised the personal information of thousands of customers. We expect that the SEC and other regulators will continue to focus on cybersecurity threats and breaches going forward.

In addition to breaches, privacy regulations—such as the General Data Protection Regulation in Europe—are a priority for all boards and a major area of focus for regulators. For example, the Federal Trade Commission’s recent acknowledgment that it has the ability to penalize individuals for their companies’ privacy law violations is a reminder that individuals are not immune to these types of exposures.

In addition to liability concerns, cyber- and privacy-related issues can cause reputational harm. A rating agency recently downgraded its outlook on a company in large part because of breach-related issues. The impact of cyber- and privacy-related exposures on companies and their directors and officers is only beginning to play out.

Litigious Environment

One need not look far to find significant litigation risks for businesses and their boards of directors. According to an analysis by NERA Economic Consulting, 83 percent of completed company mergers are met with litigation, and one in 12 publicly traded companies are expected to be sued in a securities class action suit this year. What’s more, following the March 2018 US Supreme Court decision in Cyan, Inc. v. Beaver County Employees Retirement Fund, companies going through initial or secondary public offerings are now more likely to be met with litigation in both state and federal court than before.

The world of corporate governance has changed. Business decisions are now closely scrutinized by the public. The use of email among company individuals forever preserves a record of discussions that once might have remained private. And actions taken in the public eye—including those through social media—can expose a company and its officers and directors to some form of liability.

Plaintiffs’ attorneys, meanwhile, become more resourceful every day; even those firms that were previously not feared have turned filing lawsuits into a factory business. And smaller to midsize companies that once barely caught the eye of the plaintiffs’ bar are now squarely in their crosshairs.

According to NERA, 441 new securities class actions were filed in 2018, the most in any year since the aftermath of the 2000 dot-com crash. 2018 was also the fourth consecutive year of growth in the number of filings, exceeding the 434 filings in 2017. In the first quarter of 2019, 118 securities class actions were filed; that puts us on track for 472 class actions this year, and a fifth consecutive year of growth.

The heightened pace and total of securities class action filings that has continued into 2019 is, in part, attributable to the growing number of follow-on, event-driven securities litigation filings, as opposed to cases involving accounting misrepresentations and financial restatements that have historically made up the bulk of securities litigation. Event-driven litigation occurs when some adverse event at a company triggers a securities claim, based either on a stock drop following the announcement of such an event or in the form of a derivative action arising from an alleged breach of fiduciary duty. In addition to cyber-, privacy-, and sexual harassment-related event-driven litigation, an array of other incidents have led to securities claims, including mass torts, product defects, product recalls, food safety issues, anti-corruption scandals, and the California wildfires. These types of risks are difficult to predict.

The cost of litigating even a baseless case that is dismissed or settled early on can be significant, which has not gone unnoticed by D&O insurers. The more litigious environment, coupled with years of falling premiums and expansions in coverage, has brought the D&O market to a crossroads. The market has seen 14 years of generally soft conditions, providing buyers with favorable premium pricing and broad coverage enhancements. Over the last few quarters, however, we’ve seen a dramatic switch. Premium increases are now commonplace and policy negotiations have become more difficult as insurers face pressure on primary, excess, and Side-A (personal asset protection) difference-in-conditions pricing.

With the risks for directors and officers constantly becoming more numerous and complex, insurance is more important than ever. It’s vital to consult closely with your insurance and legal advisors to ensure the companies you serve have robust D&O insurance programs that protect both corporate and personal assets against these, and other, potential threats.

Sarah Downey is the D&O product leader at Marsh.

Overseeing Cyber Risks in a Complex Regulatory Landscape

Organizations face increasing cybersecurity risks and threats to their customers, financial information, operations, and other data, processes, and systems—and state and federal governments are alert to the threats facing their constituents. To understand just how widespread concerns about these risks are, look no further than the abundance of cybersecurity legislation that is currently on the dockets of state legislatures across the country.

For example, California, New Jersey, Washington, and Illinois are among the latest states to enact breach notification legislation that will significantly impact businesses operating in those jurisdictions by defining whether, when, how, and to whom notifications of a breach must occur. Some of these laws are going into effect just months after being signed and the cost of noncompliance can be severe (in California, fines are assessed per record breached).

As stewards of the strategy, finances, reputation, and overall direction of an organization, corporate directors have an important role to play in ensuring adequate policies and protections are in place to answer the demands of such regulations—and that their whole board is ready to meet the oversight demands of new regulations.

Directors are in a position to provide the leadership and strategic direction necessary to help their organizations balance the need to safeguard information, minimize disruption in case of an attack or breach, provide transparency, and manage a sustainable cybersecurity program with competing strategic priorities.

There are four key steps boards should take to ensure adequate cybersecurity program development and oversight in response to emerging regulations and threats:

1. Understand the threat landscape and how companies are expected to respond under the law. Corporate directors and leaders need a clear picture of the threats at play to assess and implement an appropriate response framework that both meets the business’s needs and is compliant with a complex web of laws.

Adversaries’ tactics will vary based on their motivations. Nation-states may be focused on cyber warfare, while garden-variety criminals (including internal threats) are likely to commit fraud or steal information. Each of these threat types will warrant its own response, and may also warrant involving different law enforcement and regulatory agencies.

It is also important to note that the nature of threats will vary by industry. A real estate company is likely to face a higher risk of wire fraud, while a manufacturer might be a target of theft of information by foreign governments. Directors should spend time in their busy schedules understanding the appropriate responses required per industry-specific regulations.

In addition, the range of threats—from phishing and social engineering to attacks on the supply chain—is constantly shifting. Boards must be aware of emerging threats, ensure they have the right team in place as first responders, and ensure people and processes are in place to help mitigate and address regulatory and compliance consequences from cyber incidents.

2. Ask relevant executives, leaders, and legal counsel the right questions. The board is tasked with gathering information from leadership, but the value of the exercise is dependent on asking the right questions. This ability becomes much more acutely important in light of a cyber breach, but should be practiced early and often. While these types of questions have been suggested for review by many in the cybersecurity community, it is worth asking the following in light of increased regulatory action:

On risk: What are our risks and how are they being mitigated? Who is the owner of a particular risk?
On capabilities: What are the people, tools, and processes we have in place to implement our cybersecurity framework? Do these comply with the demands of new and existing regulations?
On controls: What controls are currently in place? What are the organization’s cybersecurity policies and procedures (e.g., incident response plan) and when were they last reviewed, tested, and updated? What training do employees receive regarding privacy and security?
On trends: What industry-leading best practices should be considered? What stories of disaster should we read and learn from?
On regulation: What is taking shape at the local, state, and federal levels that will impact the business? What is the plan to get compliant and stay compliant?

3. Know the potential costs and how they influence risk tolerance. In the event of an attack, it will be important to demonstrate to regulators good faith efforts to identify and remedy risks. The extent to which an organization can show regulators that they did the work up front and put controls into place based on industry standards and best practices will determine the strength of their case for reduced penalties. For most organizations, cybersecurity incidents and regulatory noncompliance are associated with legal, financial, and reputational risks.

Compliance and risk mitigation come with
their own set of financial costs. In Arizona, the maximum fine is $500,000 per
breach event while Alabama can impose a fine of $5,000 per day for failure to
comply with its notification law. To make decisions about risk tolerance,
companies need to balance the risk with the cost of everything from business interruption
to notification costs and potential fines.

Directors of companies should also closely review their own director and officer liability insurance policies frequently to see if cyber-risk-related incidents are covered.

4. Establish metrics for governance. One of a board’s most important roles is to establish and assess metrics to enable oversight of the company’s cybersecurity program. The board should prioritize the development of a well-documented plan that is designed to account for and address evolving regulations, including a board-level metrics portfolio focusing on the following categories:

Program status, including cybersecurity strategy milestones and program tracking;
Internal environment updates such as patching and the state of infrastructure, and the capacity of people to prevent phishing and data loss;
External environment updates, including the ability to gather threat intelligence and respond to emerging cyberthreat trends;
Compliance and audit figures on cybersecurity audit planning and regulatory compliance tracking; and
Response figures on disaster recovery, business continuity, and incident response planning.

Board members’ oversight of
cybersecurity programs is crucial to protecting business interests from current
and future threats. This requires boards to take an active role in strategy,
validation, detection, and response
plans, ultimately steering the dialogue with stakeholders to better understand,
assess, and identify cybersecurity needs and deficiencies that need to be addressed.

It is impractical and
inefficient for organizations to revamp their cybersecurity risk management
program each time a new law goes into effect. Organizations with a presence in
multiple jurisdictions should instead think holistically about their programs.
With the cyberthreat landscape
constantly changing, it requires that risks be regularly weighed against
strategic goals—and that the company meets the regulatory demands created to
protect businesses and consumers alike. By ensuring the quality of a company’s
cybersecurity framework through leadership and oversight, a board can fulfill
its obligation to protect the overall health and sustainability of the
organization.

David
Ross is a principal and the cybersecurity and privacy practices lead at Baker
Tilly.

NACD Advisory Council Discusses the Board’s Role in Crisis Preparation

In today’s world of real-time communications, companies are
now expected to respond immediately to emerging crises, and boards are feeling
more pressure to ensure that their companies can navigate effectively through
challenging crisis moments. Peter Gleason, NACD president and CEO, explains, “Boards
have always provided oversight of crisis response plans, but the key difference
today . . . is [that] with the advent of social media, the window for response
time has all but disappeared. It’s critical for directors to engage with
management on a regular basis to discuss the outline of the crisis response
plan.” 

The 2019 NACD Public and Private Company Governance Surveys find that less than a third of companies have delineated roles for the board and management in their crisis preparation plans, while fewer than 20 percent indicated that they’ve assessed the effectiveness of early-warning capabilities—a critical aspect of crisis preparedness.

While each crisis is unique, there are leading practices boards can adopt to improve their governance of crisis readiness. To help directors prepare for this issue, NACD, Heidrick & Struggles, and Sidley Austin LLP cohosted a meeting of the NACD Nominating and Governance Committee Chair Advisory Council—comprising Fortune 500 company nominating and governance committee chairs and lead directors—on April 24, 2019, in Washington, DC. The meeting was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names is available here.

Participants identified three important benefits of
effective board-management dialogue on crisis planning and preparation:

Effective crisis planning identifies skill gaps within the executive team.
Thoughtful crisis planning exposes potential risks related to information flows to the board.
Nominating and governance committees can use insights from crisis planning to inform their reviews of board structure and composition.

Effective
crisis planning identifies skill gaps within the senior management team.

Crisis planning offers more benefits than just a routine
hygiene check. As one director noted, “When
you are doing a good job as a board overseeing crisis preparation, issues are
going to rise to the top that you need to address.” These issues can take
many forms, including identifying potential disconnects in the assignment of
roles and responsibilities. Ted Dysart, Vice Chair at Heidrick & Struggles,
noted “Crises can accelerate to a point where senior leadership is no longer
equipped to serve in some roles—for example, acting as a spokesperson for the
organization. As part of the crisis planning process, the board can discuss
whether any skill gaps have been identified, and how they will be addressed
with training or other support.”

Delegates discussed that the right candidate isn’t
always the most obvious one. One participant noted, “We need to ask the questions about whether the CEO is fully prepared
if a crisis arises, but it goes beyond that. Some crisis response roles should
be assigned according to skills, not necessarily titles, so the board needs to
know who else in the management team is crisis ready.”

Thoughtful
crisis planning exposes potential risks related to information flows to the
board.

While it’s important to have a process around what
information is escalated to the board, judgment is often more important than process.
One delegate commented, “At one of my
companies we had an issue with a senior leader that never reached the board.
The reporting process was part of the roadblock. What worries me most [are the
gaps in information.] What does the organization know, [that] the board does not?”
Another participant noted, “The [glaring]
crises that are acute and major are easier to prepare for. It’s the
under-the-radar ones that result from a series of seemingly insignificant
activities that can be more difficult to detect, and they’re often the ones
that the board is most accountable for.”

Some council participants indicated that their boards use
the latest news stories as a mechanism to evaluate the effectiveness of their crisis
readiness. One director noted, “In the
aftermath of some of the recent headlines related to culture and #MeToo, we’ve
had discussions with management about when the board will receive information
about issues that may not be financially material, but could be culturally
significant.”

The relationship between the board and the general counsel
(GC) also emerged as a critical component of effective crisis planning. A
delegate said, “I have a conversation
with the GC monthly. [This practice] started when I was new to the [nominating and
governance committee chair] role, and was an opportunity to set up a trusted
relationship, that has strengthened over time.” Another director shared a
similar approach: “Before every committee
meeting, I sit with the GC and review the agenda. Then we have an open
conversation about anything else on the GC’s mind. The regular rhythm of these
conversations helps me stay informed about potential challenges.”

Nominating
and governance committees can use insights from crisis planning to inform their
reviews of board structure and composition.

Delegates discussed benefits outside those traditionally
associated with crisis preparation, zeroing in on board structure. Sara
Spiering, principal at Heidrick & Struggles, commented, “In our board
search work, we’re seeing clients asking questions about prospective directors’
past experiences with turnarounds or other challenging situations. One of the [qualities]
boards are starting to [recruit for] is confidence and calmness in
high-pressure situations.”

Directors are also using these insights to weigh the
merits of changing committee structure. One participant explained, “We had a situation on one board that
required establishing a special committee. Luckily, [the board] had enough
independent directors with the [requisite] capacity and skills— [that is,] the
ability to get into the details [and] ask tough questions, [as well as] the
time commitment and energy to take on the [additional] workload. As nominating
and governance committee chairs, we have to factor this into board succession
planning.”

The boards of companies in heavily regulated industries
often align committee structure with risk management and crisis planning. One
director remarked, “I’m on several boards
with a separate safety committee. Other industries have compliance or
regulatory affairs committees; some are [establishing separate] cybersecurity
committees. In all cases, it sends a strong signal about the importance of the
issues and the level of oversight. On our safety committee, we’re looking at [granular]
information—if a truck hits a ditch on Christmas morning, [the committee] hears
about it.”

Conclusion

As Benjamin Franklin pointed out, “By failing to prepare,
you are preparing to fail.” In light of growing public scrutiny, board and
management preparation for crises is likely to remain a priority for nominating
and governance committees. When confronting these complex and unpredictable events,
Holly Gregory, partner and co-chair of the Global Corporate Governance &
Executive Compensation Practice at Sidley Austin, advised directors to closely
monitor corporate culture, noting, “Periods of crisis are when the cracks in an
organization’s, and a board’s, culture really show up. If there’s been a
tendency to avoid difficult conversations, if relationships with management are
strained, if there are skill gaps or factions within the board, these things
will all make a bad situation worse.”

As directors scan the horizon for potential risks,
they should not lose sight of seemingly insignificant, but persistent,
problems. As a delegate framed the issue, “Major
crises don’t come along very often. We can learn not only from crisis planning,
but [also] from more minor issues. Both of these can help the board identify
underlying tensions and open up important conversations about the skills and
processes needed to weather a serious crisis.”

Questions directors
should consider:

Is there a crisis-response plan in place? How often is it revised? How often is crisis planning discussed in board meetings?
Is there a common understanding among management, the board, and board committees about their respective roles, responsibilities, and accountabilities for crisis management?
Have we identified which crises the company is most likely to face? What steps can be taken to mitigate the risks that would lead to those crises?
Have we achieved a common understanding of what circumstances trigger bringing an issue to the board’s attention? Has our management team identified key indicators that offer early warnings about increased risk exposure that could lead to a crisis? What is the threshold, and the process, for reporting to the board about sudden changes to the company’s risk profile?
Does the organization’s culture support a level of trust between a) the board and the executive team and b) the executive team and middle management that encourages candid discussions about risks? How willing are employees to speak up about problems that can cause a crisis for the organization?

Related
Resources

NACD Online Resource Center: Risk Oversight
“Governing Through Disruption: A Boardroom Guide for 2018,” Holly Gregory, Sidley Austin
Report of the NACD Blue Ribbon Commission on Adaptive Governance
Report of the NACD Blue Ribbon Commission on Culture as a Corporate Asset
“Seven Steps to Minimize Fallout from Crisis Situations”

Sharpen Your Board’s Risk Oversight Process

A 2018 joint report prepared by NACD, Protiviti, and NC State’s Enterprise Risk Management (ERM) Initiative advanced the view that boards may not be overseeing the appropriate risks and outlined a road map for strengthening the board’s risk oversight in today’s complex and unpredictable marketplace.

As
the business environment changes, so must the board’s risk oversight. As the
pace of change quickens and the stakes for “getting it right” increase, a
question arises: Is our board risk oversight process still fit for purpose?

Below
is a refresher of four points from the report’s road map that continue to apply
today.

1. Revisit the board’s risk governance model and
director skill sets. Depending on the nature of the enterprise’s
risks and the extent of the expected change in its risk profile over time, the
board should assess whether it has access to the requisite expertise and
experience needed to provide appropriate oversight—either on the board itself
or among its external advisers. For example, with digital disruption affecting
many businesses, do directors have sufficient understanding of digital business
models, digital ecosystems, and the potential that hyperscaling digital
platforms has to facilitate rapid growth and reinvent the company’s business
model? These are trends that bring both opportunity and risk to the business,
and understanding them is essential to sound oversight. In addition, the board
should rethink how it organizes itself for risk oversight, including the
delineation of responsibilities among its various committees and the full
board.

2. Make culture an
enterprise asset as well as an oversight priority. Culture is
almost always the source of reputation and financial performance outcomes, as
it is a potent source of strength or weakness for an organization. A strong
culture is a critical asset for any brand. It is of vital importance to both a
differentiating strategy and superior performance. Accordingly, the board
should expect management to understand the culture at lower levels of the
organization, and whether the mood in the middle and the tone at the top are
aligned. Concerns that this topic may be “too soft” for objective assessment
should not distract the board’s focus on the real question:

Does the CEO really want to know the unvarnished truth about people’s
perceptions across the entity, and is he or she prepared to act on that
knowledge?

A “speak up” culture that encourages transparency and sharing of contrarian data and bad news entails convincing employees that they can indeed speak up without fear of repercussions to their careers or compensation. Anonymous and confidential surveys are an example of how executive management can learn what they need to know. Metrics addressing such things as mission and values alignment, innovation, resiliency (speed), collaboration, and employee satisfaction also offer insights regarding culture. Candid, open, and constructive board and management interactions should prioritize the tough questions on directors’ minds.

3. Focus on the quality of the risk management
process. Given the
pace of change experienced in the industry and the nature and relative
riskiness of the organization’s operations, does the board understand the
quality of the process informing its risk oversight? For example, how much
manual effort is required by management and various board-reporting departments
to generate the reports used in board meetings? How actionable is the entity’s
risk information for decision-making? These and other questions focus on how
mature and robust the risk management process is and whether it is effective in:

Delineating the critical enterprise risks from the day-to-day risks of managing the business;
Establishing accountability for results;
Fostering an open dialogue to identify and evaluate opportunities and risks; and
Informing key decision-making processes with current, reliable information.

4. Ensure management integrates risk considerations
into strategy, performance, and decision-making. The unique
aspect regarding exposure to disruptive change is that it presents a choice: On
which side of the change curve do organizations want to be? Organizations must
make a conscious decision about whether they are going to be the disrupter and
try to lead as a transformer of the industry, or whether they are going to play
a waiting game, monitor the competitive landscape, and react appropriately and in a timely manner as an
agile follower to defend their market share.

These market realities strongly suggest that the board should
ground its risk oversight with a solid understanding of the enterprise’s key
strategic drivers and management’s significant assumptions underlying the
strategy and risk appetite. Directors need to ensure that risk oversight and
management are not appendages to strategy-setting, performance management, and
decision-making, but contribute information and insights relevant to the
success of these core processes.

We encourage everyone to read the joint report from 2018. Boards should take a fresh look at how they are approaching risk oversight, including how the company’s ERM is informing that oversight. With risk management practices for many industries largely rooted in the prior century, the big question is:

Are we prepared to
improve our risk management and risk oversight, or do we face the challenges of
the next 10 years in the digital age with what we’ve been doing over the past
10 years?

The nature, velocity, and persistence of risks have changed. Consequently, it’s time for boards to revisit their governance model and skill sets and refresh the focus of their risk oversight.

Jim DeLoach is managing director of Protiviti.

It’s Time to Focus on the CHRO: The Hidden Innovation Hero

Innovation is top of mind for most C-suite executives and directors of companies, and both have every reason to prioritize innovation as part of the company’s strategy. According to a study by Credit Suisse, the average lifespan of an S&P 500 company is now less than 20 years compared to 60 years in the 1950s. Additionally, Mercer’s 2019 Talent Trends Survey found that 73 percent of executives predict significant industry disruption in the next three years, up sharply from 26 percent in 2018. In many industries, continued innovation is critical to a company’s ability to survive and thrive.

In the recent past, having a dedicated, centralized innovation team seemed like the obvious answer to this corporate imperative, and companies made the move to create such teams—the number of corporate innovation centers has grown from over 300 to 580 from 2015 to 2017. Unfortunately, the success of these innovation centers has been mixed. Centers that tend to lag in performance usually have unclear strategic goals, suboptimal set-up, and vaguely defined success metrics.

Developing a culture of innovation requires commitment from the top, starting with the CEO. The company’s CEO needs to define what innovation means to the firm, be its biggest advocate, and get the entire leadership team’s buy-in and support—including the backing of the board. Boards should make sure that the innovation strategy is forward looking with a balance of incremental and disruptive goals. Once the vision is defined, leaders need to infuse innovation into the company’s DNA by cultivating an open-minded and intellectually curious culture that is ready for change.

To truly embrace a culture that is open and prone to innovation, CEOs are also looking to their chief human resources officers (CHROs) to help lead this cultural change and drive innovation.

The CHRO as Innovation Catalyst

The role of the CHRO has evolved, and it has never been more critical for the board to focus on this role’s ability to drive a culture of innovation throughout the organization. To enable innovation at scale, having a sound people strategy is equally important as having the right infrastructure, processes, and tools. 

When considering the CHRO’s role in setting the framework to build a
workforce that drives innovation, the board should consider how the CHRO is
leveraging the following four building blocks. 

Talent identification

The most important building block for the
CHRO’s talent strategy is identifying the right people. One could argue that
innovation is an innate skill, and not a skill that is developed. In reality,
the answer is, “it depends.” The company’s definition of innovation drives the
types of talent needed, whether the talent can be developed from within, and if
recruitment from outside needs to happen. People also have varying degrees of
innovative talent. Organizations may have a limited number of innovation
whizzes available to create transformative ideas, but many are capable of
developing incremental innovations to improve existing solutions or modernize core
businesses with the right training, support, and tools. The board and management need to think beyond
traditional approaches to identify the right talent and teams to lead
innovation initiatives. Depending on the level of disruption required, the
board and management may need to urge the CHRO to consider external talent such
as seasoned entrepreneurs to get an injection of fresh ideas. The CHRO should
keep a close pulse on innovation talent across the firm, meet with innovation
teams on a regular basis, and report back to the CEO and board to ensure the
firm has a strong pipeline of talent suited for innovation.  

Diversity and inclusion

It is no secret that diversity drives
innovation. Diversity in this context extends beyond gender, race, and ethnicity,
and includes experiences, expertise, perspectives, and even working styles. Individuals with differing thoughts can
result in dissent and conflict, but this should be viewed as the gateway towards
developing breakthrough ideas. Inclusion must come hand-in-hand with diversity.
One can only maximize the potential of a diverse team when each individual’s
differences are respected and valued. In addition, a diverse and inclusive
workforce ensures that the innovations created are reflective of the
organization’s diverse customer base. The board should embrace and work with
the CEO and CHRO to measure how diversity and inclusion impacts innovation and
the company’s people strategy on an ongoing basis.          

Performance
management

Since innovation development processes are
agile in nature, workforce performance management and metrics should align with
“test and learn” principles. The “test and learn” approach ensures that
projects can fail fast and pivot as needed. To encourage such behavior,
performance management also needs to allow continuous and open feedback to
enable individuals to adapt according to project needs. The board and CEO can
make this feedback loop a priority by measuring how the CHRO structures
performance reviews at the firm. Disruptive innovation initiatives require a
longer time horizon to realize their potential and impact. As such, these
initiatives should not be measured on a quarterly basis. Setting key milestones
that could be an early indicator of success will help boards monitor progress. Although
driving revenue, profit, and return on investment growth are the ultimate goals
of innovation, non-financial metrics are not to be ignored and are arguably
equally important. These metrics include, but are not limited to, enhanced company
brand, increased ability to attract top talent, improved customer satisfaction,
speed to decision making and execution, ability to break down silos, the number
of ideas in the pipeline, and increased digital presence and digitization
across the firm.       

Learning
and development

In this rapidly changing environment, it is
critical for all employees to be on top of key trends and develop new skills—the
board included. Besides formal training courses, entrepreneurs and start-ups
are excellent channels for corporate “intrapreneur” learning. Including
exposure to these resources as part of a corporate people strategy could yield
measurable benefits that the board could use to assess efficacy of the program.
As an example, Mercer piloted a learning program with NewCampus, a startup that
invites entrepreneurs around the world to share their expertise and experiences
with Mercer colleagues. This type of alternative learning is a great source of
inspiration for new ideas. For companies with dedicated innovation centers,
having rotational programs will enable organizations to build stronger
innovation muscle, share what has been learned, and develop skills with broader
employee populations to achieve greater impact. 

For
CHROs to drive innovation, they need to innovate and reimagine the HR function
they lead. The CHRO and his or her team at entrepreneurial companies are more
progressive in their thinking, willing to experiment, and thrive on setting new
industry standards. If companies believe that their people are the ultimate
sustainable competitive advantage—the power for creating innovations for the
firm—the CHRO and that person’s entire team should be the key to unlocking human
capital potential at the firm. The board and CEO need to empower the CHRO to
experiment, and that could be as simple as trying out new technologies and
policies. The time to do so is now. 

Patty Sung is a senior principal
and innovation leader in Mercer’s Global Digital Innovation Hub.

Shaping a Better Future for Boards

This fall, NACD will release the findings of our latest Blue Ribbon Commission report (BRC). Carrying forward a tradition we have kept for more than a quarter century, seasoned directors and advisors will opine on yet another challenging new topic. In recent years we have tackled corporate culture and disruptive risk. This year, the topic will be the future of board leadership.

Despite
the strong progress made in governance over the last decade, board leaders are
now being confronted with a wave of interconnected and simultaneous forces that
will only intensify in the next 5 to 10 years, requiring a profound
transformation of how boards deliver value. The BRC will offer a blueprint that
board leaders can use to prepare themselves and their boards for a much more
demanding future that in some ways has already arrived.

Can an NACD BRC help to shape that future? With 25 BRCs to date, and multiple recommendations made in each BRC (typically 10), our overall impact is hard to trace. Still, as was shown four years ago in a blog post about “Blue Ribbon Impact,” our voice is being heard. If you compare governance practices in the year of any given BRC to practices two or so years later, you will undoubtedly see that our BRCs do move the needle.

To focus on reports that had significant impact, I turned to Chief Knowledge Officer Emeritus Alexandra Lajoux’s insights from her 2015 blog post (excerpted and condensed below) as a reminder of the prescience exemplified by these reports. That changes in board governance and oversight practices are brought about by these BRCs is supported by data collected in NACD’s public company surveys on how our members have adopted these practices over the years.

1995: The BRC on Director Compensation recommended director
payment in equity, with dismantling of benefits. Before vs. After: Whereas in 1995 it was
common for directors to receive benefits but no stock, by 1999 the trend was
the opposite. By then, nearly two-thirds of companies included stock as part of
director pay, and less than 10 percent paid benefits.

2001: The BRC on Board and Director Evaluation recommended formal evaluation of boards and directors. Before vs. After: The 1999 survey showed 32 percent of boards conducted evaluations; the 2003 survey showed that 85 percent did so. This was no doubt due to new stock exchange requirements mandated in the Sarbanes-Oxley Act of 2002 and issued in 2003. But, the stock exchange rules themselves were born in part out of NACD recommendations made March 4, 2002 (included in this NYSE report). In fact, 9 of NACD’s 10 recommendations—all based on the Blue Ribbon Commission’s recommendations (including one on board evaluations)—subsequently became stock exchange listing requirements.

2003: The BRC on Executive
Compensation recommended an entirely independent compensation committee for
all public companies. This change was notable because it suggested an independent
compensation committee beyond those covered by the Sarbanes-Oxley–mandated
stock-exchange rules that would be issued in November of that year. Before vs. After: The 2005
survey showed a rise in overall independence of compensation committees
compared to 2003: “Three-fourths (75.9%) of firms overall, up from 65.5 percent
in 2003, indicated that they had only independent outsiders on their
compensation committees.”

2004: The BRC on Board Leadership recommended that boards
consider using an independent lead director in cases where they did not have an
independent chair. Before vs. After: In the immediate and near-term aftermath of this report there was
an apparent surge in the use of the lead director—even greater than that seen
when the “presiding director” disclosure requirement of the New York Stock
Exchange became effective in 2003. The 2005 survey indicated that over a third
(38.5%) of the boards studied had a designated lead director, almost four times
the number (10.0%) shown in the 2003 survey. The 2007 survey said that “44.8
percent of respondents’ boards have a designated lead director.”

2007: The BRC on the Governance
Committee recommended director orientation (as well as ongoing director
education). Before vs. After: In 2007, 60 percent of respondents said that their boards had a
policy or program on director education. In 2009, 72.8 percent said they had
such a program.

2011: The BRC on Lead Directors recommended continued use
of the lead-director role as a viable alternative to an independent chair. Before vs. After: The 2011 survey showed that
at the time this group was convened, only 65.4 percent of respondents sat on
boards with lead directors; the 2012 survey showed that 82.8 percent had a lead
director.

2017: The BRC on Culture as a Corporate Asset recommended stronger
oversight of this area, including not only oversight of the tone at the top,
but also oversight of the buzz at the bottom. Within one year, the impact of
this recommendation was already evident. Our 2018–2019 survey reported that
directors’ understanding of the mood in the middle rose 10 percentage points,
to 45 percent. It also found that 27 percent now say they clearly understand the
buzz at the bottom levels of the organization, a 9 percentage point increase
compared to 2017.

So, what will the 2019 BRC recommend, and will it help predict the future? The Future of Board Leadership report will recommend practices to future-proof the boardroom. Our Commissioners have already begun convening, and here are several of the action items that they foresee for boards and their leaders:

Change the board’s structure to become more flexible.
Disclose more about governance methods and results to investors and stakeholders.
Deploy data analytics capabilities and new technology to enhance board oversight.
With accelerating turnover, become more diverse.
Increase accountability for individual and collective performance.
Prioritize the fastest-changing drivers of corporate strategy and risk.
Represent a wider variety of stakeholder interests.

These recommendations are all
credible and important. Will they provide an accurate lens into the future of
board leadership and predict where we’ll be in a few years? Perhaps. But the
important thing is not predicting the future of board leadership. Rather, it is
in making that future better through decisive, informed board leadership. That
is the goal of this Commission, and I am confident that they will meet it.

Once Considered a Career Killer, CISOs with Breach Experience Now Preferred

No C-level role has evolved as quickly and radically as
chief information security officer (CISO). The CISO role rose to prominence after the headline-making
“mega breaches” of the early 2000s, when it became apparent that cybersecurity
issues could have serious business ramifications. Back then, the role was
largely technical in nature (the CISO’s job was to build a technical perimeter to keep
attackers out) and, really, it was C-level in name only: most CISOs reported to
chief information officers and did not have a direct line to the CEO like other
C-level executives.

The early days of CISO evolution also had a dark chapter. As
the breach epidemic picked up steam, so did the scapegoat status of CISOs, who
often found themselves in career jeopardy following publicly disclosed data
breaches. Life in those days was difficult for CISOs. There was still a general
belief in boardrooms that breaches could be prevented with some degree of
certainty, so CISOs were tasked with an impossible job: preventing the
unpreventable.

That perception is changing today. I would venture to guess that no CEOs or board members in the Fortune 500 believe data breaches are 100 percent preventable. Those same enlightened executives and directors want to understand if the company is prepared to effectively respond to a major security incident. After all, if breaches are not completely preventable, then breach-response preparedness becomes the most effective tool for managing business risk associated with data breaches, which can include operational disruption, litigation, regulatory fines, customer attrition, and loss of intellectual property.

Cybersecurity has become similar to the electric grid. Utilities
can do their best to reduce the likelihood of blackouts, but violent storms
will still cause power outages. Therefore, the measure of competence for an
electric utility is not so much its ability to withstand violent storms without
blackouts. Rather, the company’s success is measured by how effectively it
minimizes impact and how quickly it can bring power back online after the
storm. Likewise, the measure of competence for a CISO is not so much their
capacity to prevent every conceivable breach, but whether or not they have a
codified, rehearsed, and company-wide incident-response plan in place that can contain
the incident and minimize the damage caused by a data breach.

Which brings us back to the evolving role of the CISO.

From those early days of being technical people and easy
scapegoats, today’s top CISOs have a much broader role within business. That
broader role requires a fuller skillset. They still need to understand the strategy
and technology of cybersecurity, not to mention IT in general, but they also
need to have the management acumen to make strategic investment decisions and to
effectively deploy staff and third parties. They also need to have the
vocabulary to translate security program objectives into business terms for the
board of directors.

And, most importantly, they need to be able to instill
confidence in the board that they know how to prepare the company to respond to
a data breach, because breach-response effectiveness can mean the difference
between a “blip” of bad publicity and an ongoing morass of litigation,
regulatory fines, and customer loss. It is for this reason that what was once
the career “kiss of death” for a CISO—being in charge when a data breach
occurred—is now a resume builder. Boards rightfully want to ensure that the
CISO knows how to “land the plane” following a breach, so what better
experience could there be than to have already managed a breach-recovery
situation—particularly when the outcome was as favorable as possible?

It’s been a wildly complicated ride for CISOs. Moving from
“tech jockey” to strategic business executive in little more than a decade is
not an easy shift. There is still a long way to go, as many CISOs are still
viewed as technical hands by senior management and directors, but the trends
are clear: more and more CISOs are getting a seat at the boardroom table. And with
savvy boards of directors, breach experience gets CISOs invited into the
boardroom, not thrown out of it. That’s a change for the better.

Mark Adams is the senior practice director of risk
transformation at Optiv.