To Mitigate Cyber Risks, Some Board Members Should Look in the Mirror

When chief information security officers (CISOs) present the state of cybersecurity to board members, the “insider threat” is a common topic. And for good reason—insiders are the number one security threat facing organizations today, according to the Optiv Security 2019 State of the CISO Report. CISOs tell the board often that they are trying to mitigate this problem through employee education, since many breaches caused by insiders are due to careless, rather than malicious, behavior.

But one thing CISOs probably don’t talk about—unless they’re
particularly brave—is that board members can identify the most dangerous
non-malicious insider threats by looking in the mirror. When one considers that
board members have access to the company’s most sensitive information, and that
they are likely too busy (or too disinterested) to participate in cybersecurity
training programs, it becomes clear that this toxic combination makes them a significant
security threat.

How Board Members Become Insider Threats

There are a number of ways in which board members
inadvertently become security risks:

Falling victim to “whaling” attacks. These are highly researched, highly targeted phishing attacks directed at board members, designed to gain access to their computers and to sensitive information. For example, a whaling attack could take the form of a spoofed email from the chief financial officer with a malicious file attachment and a message saying, “I’ve attached the minutes from the meeting last week—please let me know if you have any changes. We need approval from everyone by 5 PM tomorrow.” Board members who are unaware that they are prime targets for whaling attacks can be susceptible to these types of scams and click on the attachment.

Using personal email. A study by Forrester Consulting and Diligent Corp. found that 56 percent of board members use personal email, rather than business email, to communicate with other directors and executives. This may be well-intentioned—they may be concerned that IT personnel monitoring email could see their messages—but as a cyber risk, this practice is a disaster. Companies should establish secure portals or encrypted email for all board communications.

Giving away too much personal information. As noted in the discussion of whaling attacks, cybercriminals understand who the most valuable targets are, and will conduct in-depth research as the basis for targeted social engineering scams. Board members may be contributing to this problem without knowing it. If they, or even their family members, disclose personal information on social media channels, it can be used as the basis for such attacks. For example, if criminals see through posted photos or the like that a CEO’s family is going to Hawaii on vacation, they can execute a business email compromise attack where they send a bogus message from the CEO to an accounts-payable person in the company, saying, “My Hawaii vacation is off to a terrible start—the president of one of our biggest partners called me in the airport about this delinquent invoice. Please wire the money to them ASAP. I don’t want to be bothered by this.” There would be a bogus invoice with wiring instructions to the criminals’ bank account attached to the email, and the poor finance person would wire the money, fearing the wrath of the CEO. The FBI reports that these kinds of scams bilked companies out of $26 billion between June 2016 and July 2019, and they are growing by 100 percent every year.

Turning Insider Threats into Hardened Targets

These are just three examples of how board members can
compromise the security of their companies. The first step to solving this
problem is to remember the famous quote from the classic comic strip Pogo: “We have met the enemy, and he is
us.”

Once board members have established that degree of
self-awareness, the next step is to ask the CISO to make sure to include the
board and all senior executives in cybersecurity training and awareness
programs. Then, when they look in the mirror, they’ll see a hardened target—not
an insider threat.
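As a complement to training, the whaling and business email compromise messages described earlier share traits a mail gateway can flag. The sketch below is an added example, not code from the article or from Optiv; the corporate domain, protected names, phrase list and all sample messages are constructed for illustration. It also shows why directors' use of personal email weakens this control: a genuine message from a personal mailbox raises the same impersonation flag as a spoofed one.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical values for illustration; a real deployment would load its own.
CORPORATE_DOMAIN = "example.com"
PROTECTED_NAMES = {"dana cfo", "pat ceo", "robin director"}
PRESSURE_PHRASES = ("asap", "by 5 pm", "wire the money", "approval from everyone")


def build(from_hdr, body, reply_to=None, attachment=None):
    """Construct a sample message (every value here is made up)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "constructed sample"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(msg):
    """Return the risk flags raised by one message, in a fixed order."""
    flags = []
    display, sender = parseaddr(str(msg["From"]))
    reply_to = parseaddr(str(msg["Reply-To"]))[1] if msg["Reply-To"] else ""
    # An executive's display name on a non-corporate address.
    if (display.strip().lower() in PROTECTED_NAMES
            and domain_of(sender) != CORPORATE_DOMAIN):
        flags.append("protected-name-external-sender")
    # Replies would be routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("reply-to-domain-mismatch")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part else ""
    if any(phrase in text for phrase in PRESSURE_PHRASES):
        flags.append("pressure-language")
    if any(True for _ in msg.iter_attachments()):
        flags.append("attachment-present")
    return flags


# Constructed samples modelled on the scenarios in the article.
SAMPLES = {
    "whaling": build(
        "Dana CFO <dana.cfo@examp1e.test>",
        "I've attached the minutes from the meeting last week.\n"
        "We need approval from everyone by 5 PM tomorrow.\n",
        attachment="minutes.doc"),
    "bec": build(
        "Pat CEO <pat.ceo@mail-relay.test>",
        "My vacation is off to a terrible start.\n"
        "Please wire the money to them ASAP.\n",
        reply_to="ap-reply@payments.test", attachment="invoice.pdf"),
    # A real director writing from a personal mailbox.
    "director_personal_mail": build(
        "Robin Director <robin.personal@webmail.test>",
        "Looking forward to Thursday's meeting.\n"),
    "cfo_corporate": build(
        "Dana CFO <dana.cfo@example.com>",
        "Agenda for Thursday is on the board portal.\n"),
}


def run_samples():
    """Triage every constructed sample and return name -> flags."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name:24} {flags}")
```

When board traffic moves to a corporate portal or corporate mailboxes, the `protected-name-external-sender` flag stops firing on legitimate mail and can be treated as high confidence.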

Brian Wrozek is vice president of Corporate Security at Optiv.

Survey Finds Appetite for Board’s Role in M&A Oversight to Grow

Mergers and acquisitions (M&A) activity continues to be a significant strategic tool for many organizations, and the management teams of organizations are looking to the board for deeper involvement and for their own wisdom. In an effort to gauge the extent to which boards are sufficiently equipped to support management on this front, NACD partnered with Deloitte to conduct a poll on the subject. Two hundred and nine NACD members responded to the poll between May 22 and June 24, 2019. Two findings from the survey are particularly noteworthy:

Both directors and management seek greater involvement from the board’s nonexecutive directors.

Integration is a critical phase of M&A, and one where the board’s greater involvement can serve as a real asset to their organization.

Boards Seek a Greater Role

There
is evidence that efforts to combine businesses remain an important lever in
formulating and executing business strategy, as the pace of M&A activity
remains high. Survey respondents indicate that boards would like to be more
directly involved in M&A activity, and there is good evidence that
management is increasingly keen on this growing board involvement.

Directors want to share their business wisdom. More than 80 percent of survey respondents indicated that there is a greater opportunity for nonexecutive directors to use their previous management experience to support management throughout the M&A process.

Management is reaching out to the board for help. Sixty-three percent of respondents report that senior management has attempted to engage the board more frequently about M&A activities compared to prior years. Further, management is looking at new and innovative ways to engage with directors. Senior management has gone on to employ new M&A tools or methods to involve the board in more dialogue around M&A at 45 percent of respondent companies.

Boards are seeking directors with M&A expertise. Nearly a quarter (24%) of poll respondents indicated that their board has considered bringing on new directors with specific M&A expertise.


Opportunity Abounds for Board Involvement In Integration

While
it is evident that there is an increased desire for board guidance through the
span of the M&A process, the integration stage in particular may merit more
nonexecutive director support. It might also be the stage where their advice
could yield the greatest value.

The board can help field points of increased scrutiny in the deal. Nearly two-thirds (64%) of respondents feel it is likely that the integration stage of the acquisition process will be subject to increased levels of scrutiny by a range of stakeholders. This stage may deserve this extra attention, as the complexities of merging finances and cultures can hinder any sought-after efficiencies. It is at this stage where many deals fall flat, leading to decreased yield on the deal’s potential value. Having the help of an engaged board could help companies avoid deal failure.

Integration is a key opportunity for board contribution. After reviewing management’s strategy with respect to a given transaction and subsequently approving that transaction, the third-most-common task undertaken by respondent boards is holding management accountable for integration strategy. Currently, 66 percent of respondents indicate that their boards review post-merger integration plans, and 40 percent go on to oversee post-merger execution. However, further nonexecutive director involvement may be necessary, as a narrow majority (50%) of respondents feel that it is very important or extremely important that the board include at least one nonexecutive board member who has experience managing or overseeing integrations.

Executives welcome board support. This sentiment was particularly strong among executives who indicated that they would value the input of directors whose professional involvement with M&A was in an executive role (as opposed to a director or advisor), perhaps reflecting the value such a director can have for a sitting executive.


There are a number of complicated issues (financial and cultural issues, for example) that boards should help executives consider and sort out at the integration stage, up to and including what happens to the board itself.  Nearly half of respondents indicate that they have recently discussed the impact that an M&A transaction would have on the board. The difficulties encountered at this stage are many, and given the consequences of failure, it is perhaps not surprising to find that additional board guidance may be required—even on tough topics that might lead to the elimination of a board seat, for instance, in the name of deal success.

Additional Resources

NACD can support directors in several ways. A recent report from NACD’s Director Essentials series on “Strengthening Oversight of M&A” includes a summary of M&A trends and provides guidance for boards in fulfilling their role throughout the M&A process. Additionally, Deloitte’s report, The State of the Deal: M&A Trends 2019, provides an overview of the outlook for M&A in 2019 and can be found here.

For more NACD content related to the board’s role in M&A oversight, please visit our Resource Center dedicated to the topic.

Proposed International Tax Changes Could Rattle Multinationals

After decades of operating within a generally stable
international tax regime, multinational companies have had to acquaint
themselves with a flurry of new acronyms and rules in the past several years. In
2015, efforts by regulators got underway to reduce BEPS, or base erosion and profit
shifting. US tax law changes in 2017 introduced GILTI to address global intangible
low-taxed income and the BEAT, a base erosion and anti-abuse tax.

The acronym that those in the boardroom should be
familiar with now? OECD.

The Organisation for Economic Co-operation and
Development is hosting an ambitious project consisting of 130-plus nations
attempting to revise the international tax architecture to account for the ways
in which the digitalized economy has blurred traditional lines of jurisdiction.
Whether consensus can be reached—and, in particular, whether it can be reached
by the target of year-end 2020 by countries with vastly different priorities,
politics, and domestic industries—remains to be seen. But there may be
significant risk to those entities ignoring this project.

Why should boards be concerned? The OECD project has
the potential to significantly impact a company’s risk profile and strategic
planning, two of the key areas of board oversight. Accordingly, directors
should stay informed about the status of the project and how it might impact
the companies they serve.

At its core, the multilateral effort—which also has a
mandate from the finance ministers of the G20—seeks to write new rules that reallocate
some portion of companies’ profits to the market jurisdictions where they have
sales and/or users, but not necessarily a physical presence. The revisions seek
to take into account the fact that physical presence is no longer required for
entities to profit from a jurisdiction (what the OECD has dubbed Pillar 1 of
the project), and to ensure that profitable companies are paying some minimal
level of tax (Pillar 2).

In the project’s earliest stages, a cohort of key
countries, led by France, had their sights set on a relatively small group of digital
giants—just about all of which are headquartered in the US. After the US made it
clear that it would not sign on to an effort targeting only its own high-profile,
high-tech companies, the countries engaged have generally conceded that any new
regime will need to apply more broadly. The work being done is now looking not
just at highly digital business models but also at other large, high-profit multinationals
that benefit from marketing intangibles.

It’s not clear that there has been significant progress made towards a consensus design, but in early October the OECD staff released a proposed “unified approach” to Pillar 1. This proposal is an attempt to move the ball forward, and it gives companies and business organizations the opportunity to provide input on both the overarching design of new rules and the myriad details that will be critical to the impact on any individual company.

Should a group’s profits be looked at on a global
basis? By business line? By region? Should there be size thresholds? Exempt
sectors? While the proposal seeks to reallocate to markets a company’s operating
margin in excess of a formulaic “routine return,” it is not yet agreed what
constitutes a “routine return” and whether it should differ from industry to
industry. How much of the residual return should taxing jurisdictions get? And the
questions go on, and on.   

This project is a political one as much as a technical
one, and the government participants have acknowledged the implementation
challenges that lie ahead even if consensus on the details is reached. However,
with many countries anxious to stake a claim to profits beyond their
traditional reach, the only greater risk for multinationals than a new global
agreement may be the failure to reach
a new global agreement. One need look no further than France, which implemented
a digital services tax (DST) this summer, to foresee the challenging landscape
that dozens (or more) of similar but uncoordinated unilateral measures may create
for businesses. 

Because the project has the potential to change
international tax rules well into the future, directors are strongly advised to
learn and understand how the proposals could affect their company’s bottom line
and strategic decisions. There is a great deal of engagement by the business
community, with both their respective governments and the OECD itself. How is
your company engaged?

Bob Stack is a managing director in the international tax group of Deloitte LLP’s Washington National Tax practice. Storme Sixeas is a senior tax policy manager in Deloitte LLP’s Washington National Tax practice.

As used above, Deloitte refers to a US member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (DTTL). This article contains general information only and Deloitte is not, by means of this article, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This article is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this article. Copyright ©2019 Deloitte Development LLC.

It’s Time to Reassess ESG and Sustainability Reporting

Nearly all S&P 500 companies provide some form of environmental,
social, and governance (ESG) or sustainability reports today, but there are
growing concerns by a range of stakeholders—investors, employees, customers,
regulators, and activists—regarding the quality, comparability, and usefulness
of these reports. For a variety of reasons discussed below, and based on
analysis of several approaches to disclosure, we expect increasing stakeholder demands
for more transparent and higher quality ESG reporting.

The Current State of ESG Reporting

In a post in the Harvard Law School Forum on Corporate Governance, the Investor Responsibility Research Center Institute’s Jon Lukomnik describes the current state of ESG reporting based on findings of a 2018 report by the Sustainable Investments Institute (Si2): “Most companies reporting on sustainability issues are navigating the landscape in their own way, using multiple reporting models and customizing guidance for their own needs. […] But Si2 also found a surprising share of companies are including sustainability information in their financial filings—annual reports, Forms 10-K and proxy statements—indicating elementary but growing acceptance that sustainability information is material to investors. All these findings show most companies are paying attention and adapting to raised expectations from stakeholders, including but not limited to investors. Integrated reporting just may be the future of corporate disclosure its proponents assert, even if change is slow and constantly shifting.”

Among Si2’s other findings cited in the Harvard blog
mentioned above:

Of all the S&P 500 companies, 92 percent posted public sustainability data on their sites.

78 percent publish sustainability reports, and these come in the form of a download or are posted on a website.

97 percent of companies with such reports customized their sustainability reporting rather than adopting a single structure.

35 of the 395 reporting companies pointed to the Sustainability Accounting Standards Board (SASB) frameworks and 4 companies pointed to the International Integrated Reporting Council frameworks as having helped shape their own.

In 2018, a total of 14 S&P 500 companies published an integrated report.

Demands for More Transparent, Higher Quality ESG Reporting

ESG reporting has been of growing importance and concern to institutional investors for a number of years. BlackRock has cited ESG disclosure as one of the priorities of its stewardship program, stating that “the quality of information which underpins both investors’ and businesses’ pursuit of greater sustainability is uneven and presents a barrier for further progress in sustainable finance.”

Institutional investors understand that ESG issues may pose huge financial risks. The World Economic Forum’s The Global Risks Report 2019 shows that ESG-related matters account for more than half of the world’s top 10 risks in terms of both likelihood and impact. Investors are demanding information—and seeking engagement with companies—on core ESG issues and their impact on such companies.

Employee activism regarding ESG issues is in its early
stages but is growing rapidly. Millennials have a particular interest in ESG
issues. And the number (and success) of shareholder proposals relating to ESG
matters—particularly
the “E” and the “S”—continues to increase.

Shearman & Sterling LLP’s 2019 Corporate Governance & Executive Compensation Survey identifies other forces driving ESG, including the proliferation of ESG research and ratings firms. Institutional Shareholder Services and Glass, Lewis & Co. have indicated they will make voting recommendations based on ESG positions taken by a company, and state governments and European countries have been catalysts for change.

In August, the Business Roundtable released its “Statement on the Purpose of a Corporation,” which, according to its press release, redefined the purpose of a corporation “to promote ‘an economy that serves all Americans.’” The statement was signed by 181 CEOs who committed “to lead their companies for the benefit of all stakeholders—customers, employees, suppliers, communities and shareholders.” The statement concluded, “Each of our stakeholders is essential. We commit to deliver value to all of them, for the future success of our companies, our communities and our country.” In light of this statement, expectations will be high for organizations to articulate in their ESG disclosures how they are meeting their commitments to stakeholders and reconciling competing interests.

Considering an ESG disclosure reporting framework

According to a recent World Economic Forum whitepaper, there is general agreement that one of the biggest problems with ESG reporting is that a specific organization’s ESG data, thanks to varying voluntary reporting standards across industries, geographies, and other factors, isn’t easily compared to other organizations’ reporting. To date, over 100 ESG standard-setting initiatives have been developed, causing option overload. Among the most prominent are SASB, the Global Reporting Initiative, and the Task Force on Climate-Related Financial Disclosure.

The Financial Times has reported that poultry business Sanderson Farms received a shareholder proposal urging the company to follow SASB’s guidelines in its ESG disclosures, and that similar requests are expected to be submitted at other companies across sectors during the 2020 proxy season.

Conclusion

Given the heightened focus and attention on ESG reporting, boards
should encourage their management teams to reassess the scope and quality of
the company’s ESG reports and disclosures—including benchmarking against peers,
consideration of the methodologies and standards of various ESG raters, and
understanding the expectations of investors and other stakeholders—and review
various ESG reporting frameworks for possible adoption by the company. To bring
the right focus and attention to the effort, a board committee, such as the
audit or governance committee (depending on bandwidth and expertise), should
oversee the effort. Management’s disclosure committee should be part of these
discussions to help ensure that the company has the necessary infrastructure, including
disclosure controls and procedures, to support its ESG reporting.

For more about connecting ESG, strategy, and long-term value, see The ESG journey: Lessons from the boardroom and C-suite.

The How, Why, and What of Artificial Intelligence

If you’re anything
like me, you don’t have to step outside your front door to see what an impact
artificial intelligence (AI) is having on our lives. My virtual assistant helps
me to wake up at the right time, informs me what weather I can expect, and
schedules those all-important anniversary reminders. And once I’m on the road,
my satellite navigation system finds me the quickest route while news updates
stream to my phone based on my preference history.

But what exactly is AI and is the current hype surrounding it valid? In a new technology brief from NACD and Accenture Security, we look at the nuts and bolts of AI, where it comes from, and how it works. Here are some of the report’s ideas on the opportunities and risks of AI, and how organizations can take their first steps toward responsibly employing it.

AI is far from
a new idea—but it does offer new opportunities. AI is
likely to become a new driver of economic value for organizations, but
businesses may find it difficult to leverage this technology without first
understanding the opportunities it presents. To set a clearer path forward,
corporate leaders should consider doing the following:

Review and, where appropriate, introduce automation into business processes,

Assess how AI can augment employees’ current work, and

Avoid concentrating or limiting this technology; instead, diffuse it throughout business units or functions.

AI benefits don’t come risk-free. Organizations should get started on their AI journeys with a clear-eyed view of the likely risks. AI-associated cyber risks fall into two broad categories: data integrity and algorithm manipulation. The learning and decision-making capabilities of AI can be altered by threat actors modifying the data used in the training process. The algorithms themselves should also be protected from manipulations by threat actors hoping to change the outcomes of AI systems for malevolent purposes. Breaches can also take the form of “poisoning attacks,” where the machine learning model itself is manipulated.

Four principal
risks should be considered in the near-term:

Trust and transparency: Complex forms of AI often operate in ways that can make it hard to explain how they arrived at the results produced. New approaches are needed to offer better explanations of the processes underlying AI decisions. Decisions taken by AI must be open to interrogation or appeal.

Liability: Executive leaders and the board should carefully monitor changes in legislative and regulatory requirements to ensure compliance.

Control: Careful thought is needed on when and how control is or should be shared or transferred between humans and AI.

Security: As the growth of AI into all sectors increases, security becomes paramount and is compounded by the current lack of protection to both AI models and the data used to train them. Boards should ensure they are asking the right questions of management and outside advisors to secure their burgeoning AI tools.

Securing AI

Many of companies’
current investments in cybersecurity are dedicated to securing the
infrastructure underpinning AI models. This includes patching vulnerabilities
in software and systems, implementing robust access management to ensure
employees only engage with the necessary information to do their jobs, and prioritizing
the security of the firm’s most valuable data assets. The adoption of AI
systems generally creates entirely new areas of infrastructure to secure the AI
models themselves and requires better security practices to mitigate against
these vulnerabilities.

Here are some
suggestions around meeting the many challenges of secure AI governance:

Limit the AI learning rate. Limiting the volume of data to be ingested in an AI system over a set period can act as a major deterrent to hackers, since the learning process will take longer and malevolent data may be spotted more easily.

Validate and protect AI input. In assessing data integrity practices, both around protection and validation, companies should carefully focus on inputs into AI models and confirm that these originate from identifiable and trusted sources.

Restrict access to AI models. Restricting access to AI models by limiting certain employees’ ability to make ad hoc changes is one of the most effective forms of defense.

Train AI to recognize attacks. If enough malicious examples are inserted into data during the training phase, a machine learning algorithm can eventually understand how to interpret toxic data and reject adversarial attacks. Business continuity and disaster recovery are also vital practices. Organizations should understand how to relearn and recover after a cyber attack without negatively impacting the business.

This article only scratches the surface of a broad topic that is going to have an even greater impact on our individual lives in the future. We know that data integrity is a fundamental requirement to help secure AI from malevolent influence, and we also know that AI raises ethical challenges as people adjust to the larger and more prominent role of automated decision making in society. Going forward, our report concludes that the emphasis needs to be on engineering resilient modeling structures and strengthening critical models against cyberattack by malicious threat actors.
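The first two suggestions above (capping how much data is ingested per period, and accepting input only from identifiable, trusted sources) can be combined in one gate in front of the training set. The sketch below is an added example, not code from the article, NACD or Accenture; the source names, key, quota and records are constructed, and HMAC-signed records are one assumed way of making a source identifiable.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(key: bytes, payload: bytes) -> str:
    """Tag a registered source attaches to each record (HMAC-SHA256, hex)."""
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


@dataclass
class IngestionGate:
    """Admits training records only from registered sources, within a quota."""
    source_keys: dict      # source id -> shared key (hypothetical registry)
    max_per_window: int    # records admitted per time window
    window_seconds: int
    accepted: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)
    _window: int = -1
    _count: int = 0

    def submit(self, source, payload, tag, now):
        """Return 'accepted' or the reason the record was held back."""
        key = self.source_keys.get(source)
        if key is None:
            return self._hold(source, payload, "unknown-source")
        # Constant-time comparison of the expected and presented tags.
        if not hmac.compare_digest(sign(key, payload).encode(), tag.encode()):
            return self._hold(source, payload, "bad-signature")
        # Fixed windows: the counter resets when a new window begins.
        window = int(now // self.window_seconds)
        if window != self._window:
            self._window, self._count = window, 0
        if self._count >= self.max_per_window:
            return self._hold(source, payload, "window-quota-exceeded")
        self._count += 1
        self.accepted.append((source, payload))
        return "accepted"

    def _hold(self, source, payload, reason):
        # Held records are kept for review rather than silently dropped.
        self.quarantined.append((source, payload, reason))
        return reason


def demo():
    """Run constructed records through the gate; returns (results, gate)."""
    key = b"constructed-demo-key"
    gate = IngestionGate({"crm-export": key}, max_per_window=2, window_seconds=60)
    r1 = b'{"label": 0, "text": "sample a"}'
    r2 = b'{"label": 1, "text": "sample b"}'
    r3 = b'{"label": 0, "text": "sample c"}'
    results = [
        gate.submit("crm-export", r1, sign(key, r1), now=0),
        gate.submit("crm-export", r2, sign(key, r2), now=10),
        gate.submit("crm-export", r3, sign(key, r3), now=20),         # over quota
        gate.submit("crm-export", r1 + b"!", sign(key, r1), now=30),  # altered
        gate.submit("web-scrape", r2, sign(key, r2), now=40),         # unregistered
        gate.submit("crm-export", r3, sign(key, r3), now=65),         # next window
    ]
    return results, gate


if __name__ == "__main__":
    outcome, g = demo()
    print(outcome)
    print(len(g.accepted), "accepted;", len(g.quarantined), "held for review")
```

Note that "learning rate" in the list above refers to ingestion volume per period, which is what the quota enforces, not the optimizer step size the term usually denotes in machine learning.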

If you’d like to pressure-test your management’s preparedness to assess and mitigate the risks associated with AI, take a look at the board primer on artificial intelligence today. It may help to open the dialogue in your organization to some of the questions—and answers—that you need.

Bob Kress is a managing director, co-chief operating officer, and global quality and risk officer for Accenture Security.

Creating and Perpetuating an Ethical Workplace: The Board’s Role

What defines a “good place to work”? Employees want to be
respected. They want their ideas to be heard. They want clear expectations and
goals to meet or exceed. They want to be rewarded for their hard work and
dedication. And, perhaps most of all, they want to work for a company they can
trust. Providing these workplace components creates happy employees, encourages
good work, inspires loyalty, and ultimately leads to long-term success.

The first step to achieving all of the above? Ensuring the company’s
culture is centered on good character. Acting ethically—doing right by customers
and employees, and being clear and up front about individual and company
actions—is the most important building block in developing a positive culture
and solid reputation.

Company culture and company success are two sides of the same
coin. When employees feel supported, heard, and respected—when a good company
culture is lived and transmitted—they’re more likely to come up with creative
ideas, to care about solving problems, and to remain motivated. This leads to success
with customers, which in turn rewards employees, reinforcing the culture and creating
a virtuous, self-sustaining cycle. Culture can truly make or break a company.
Pay, benefits, and customers may draw people in, but it is the culture—the very
core of a company, what it stands for and how it operates—that will keep employees
or turn them away.

So, what role can a board play in promoting company culture?
How does a board support the adoption and enactment of ethical behavior?

First, the board must support and contribute to the creation
of strong teams. Is the board hiring the right people? How can you be sure? One
essential way is to incorporate ethics and behavioral elements into the vetting
and selection process of our teams. Be sure to ask the right questions; rather
than simply asking what someone has achieved, also ask “how?” What drove their
decision-making, and what effects did that have on outcomes? Were there any tradeoffs
or compromises made during this process? Growing a business is never easy, but
choosing leaders with good character is essential to ensuring that ethical
behavior is built into teams’ DNA and the decision framework. It all starts
from the top.

Second, the board must set expectations that employees will
be offered certain resources that teach and reinforce a culture of ethics to
and in employees. Ethics training must be mandatory but also engaging, which will
enable employees to understand the importance of ethics and good character and
then live it, not just parrot obvious responses. Interactive training, whether
it be digital or in person, should facilitate discussion and incorporate
real-life scenarios and dilemmas into its program.

An ethical workplace doesn’t stop at training. There must be
a visible system in place for team members to escalate concerns. Does the
company have an ethics hotline? Who monitors the hotline? Are management and
other relevant parties checking to make sure it’s being used? How are they
making sure that everyone knows how and when to use it? If it is never used, it
may indicate that employees are afraid to escalate issues.

The board should ensure that management always communicates to employees that they
have access to the information they need about policies and procedures. Employees
should know what conduct is expected of their role, and also understand how the
company’s written code of conduct applies to their work life. Ensure that refresher
training is readily available and accessible, that employees are instructed to escalate
issues when necessary, and that they understand there is no threat of
retaliation if they do so.

The third step is reinforcement. Accountability must be
demanded from leadership by the board. Is there a review system in place to
make sure top executives continue to follow the code of ethics? How can the
board encourage ethical behavior? CACI established a board-level culture committee
that is assigned to oversee management’s efforts to foster and institutionalize
our culture at all levels of the company.

We also created and institutionalized our own award for
ethical behavior to acknowledge and positively reinforce actions that align
with our culture of good character. Our ethical culture is made visible in many
ways, including through our robust community volunteering program, called “CACI
Cares,” and our support of veterans through several nonprofit organizations. I
am very proud of CACI’s strong and generous presence in both our nation and our
neighborhoods through volunteerism and charitable giving.

Now, renew, repeat, reinforce. To be successful, a culture of
good character must be a priority from the top down. Everyone must put in
effort to ensure that it exists and persists. Make it a key piece of every
single business decision the board makes—where to invest, who to hire, what
policies to implement. At CACI, we expect the same ethical behavior from our
suppliers and even our customers. Turning away from doing business with
unethical organizations might cost the company in the short run, but it has
certainly paid off for us over time.

Finally, it is the board’s duty to ensure that leadership and
others in charge of decision-making not only understand but embrace the
culture. It won’t always be easy, but the board decides who remains in positions
of power—and who doesn’t. Acting ethically establishes trust, both with
employees and with customers. And if you show customers that your company can
be trusted, they will continue to give you their business. Creating an environment
where individual and organizational character is the expectation, not the
exception, will ensure long-term success.

Michael A. Daniels is
a director of CACI International. He also serves on the boards of the Northern
Virginia Technology Council, Two Six Labs, Mercury Systems, and Blackberry.

Cybersecurity: AI to the Rescue?

It’s no secret that the technology industry is prone to overhyping
the latest, greatest, shiny new thing. Sometimes technology lives up to the
hype (cloud computing), and sometimes, well, not so much (blockchain).

And then there are the technologies that are impossible to overhype. Artificial intelligence (AI) is this kind of technology. Over the next five to ten years, we’re going to see AI and machine learning penetrate virtually all aspects of business, not to mention fundamentally change the way we work and live. From medical diagnoses to contract reviews and self-driving automobiles, AI will change everything.

A Cute Puppy Will Change the World

What we see today from AI—applications like chatbots and
virtual agents for customer service—is only a hint of things to come. These
applications have launched AI into what I call its “cute puppy” phase. CEOs and
other executives think it’s cute when they see a chatbot work, but it’s worth
equating the chatbot with witnessing Alexander Graham Bell’s first telephone
call—it’s pretty neat, but to the casual observer the ramifications may not be
readily apparent. Bell’s “cute” telephone wound up changing life as we know it,
acting as a catalyst eventually for the creation of the internet, smartphones,
satellite communications, and many other things in our connected world. AI will
cause a similar global transformation.

Directors need to understand this parallel to Bell and the
telephone because the effective adoption of AI will be a competitive
determinant similar to the adoption of e-commerce 20 years ago: those that
adopt the technology early and do it well will thrive, and those that don’t
will be left in the dust by a burgeoning megacompany because they didn’t adapt.
And, while virtually every functional area of the typical enterprise stands to
be transformed by AI, cybersecurity is one of the areas that stands poised to
reap enormous benefits in the near term.

How AI Transforms Cybersecurity

When we look at the critical issues in cybersecurity—the
skills shortage, the complexity of securing digital assets caused by technology
overload, the need to manage every employee (not to mention every director) as
a potential security threat, and the fact that security teams have to be
perfect while the bad guys only have to be right once—AI can potentially solve
all of them.

As a point of illustration, let’s look at how cybersecurity
teams currently manage threat detection and response. Typically, an
organization will have lots of security technologies in place that generate
alerts when they detect something suspicious. Most of these alerts are false
positives—that is, things that look suspicious but really aren’t. This approach
causes “alert overload,” where so many alerts are generated (tens of thousands
in some cases) that security teams simply cannot investigate them all, which
creates a “needle in the haystack” problem where alerts of legitimately bad threats
get lost amid the sea of false positives.

Now, imagine a world where AI manages the entire threat detection
and response process. The alert overload problem is no longer an issue, because
AI can scale to investigate and respond to every last alert within your
company’s unique architecture. Beyond that, AI learns every time it sees an
actual threat and can use that knowledge to forecast how future threats will
look. Finding the needle in the haystack is a near-impossible task for humans, but
it’s relatively trivial for AI.

This is just one simplistic example of the impact AI will
have on cybersecurity. There is a dark side to AI as well—the bad guys will use
it to create ever more sophisticated and elusive attacks. But when we look at
the lopsided “arms race” today, where the bad guys get to start the 100-meter
dash 99 meters down the track, AI will at least make it a fair race, where
everyone starts at the same line.

Living Up to the Hype

There are a number of hurdles that must be cleared before AI
can realize its potential in the cybersecurity sphere, or any other area of
business, for that matter. There are no standard AI architectures today, no
regulations (there will be), no transparency into technology vendor algorithms
so there is no way to validate how their AI is making decisions (which raises
the specter of two AI systems arguing with each other), and there are not
enough data scientists. We also haven’t really focused on securing AI itself; there
are already algorithm manipulation attacks underway, which is a problem that
must be stopped dead in its tracks.

But, as with e-commerce, the benefits of AI are so profound
that these initial hurdles will be cleared, and cleared quickly. So, when we
look at solving today’s problems with cybersecurity, will AI live up to its
hype? The vote here is a resounding yes—the technology really is that
transformative.

Greg Baker is the vice president and general manager of Cyber Digital Transformation at Optiv.

Realizing the Value of Generational Diversity on Boards

As the topic of boardroom diversity has gained prominence over the
years, considerable attention has been given to the value that women and
minority representation can bring. For the most part, however, generational
diversity hasn’t been discussed as much as other forms of diversity. This
situation has recently started to change.

The 2018 US Spencer Stuart Board Index indicated that independent directors of S&P 500 companies are 63 years old on average. It also reported that 17 percent of new directors were age 50 and younger in 2018, up slightly from 16 percent the previous year. What is driving this trend? The Index indicates that some boards may be bringing on younger directors to obtain specialty skill sets and diverse perspectives. Others may be seeking not only to obtain particular skill sets but also to gain insight into what motivates customers and employees within certain demographic groups.

New Director Differences

It’s becoming clear that introducing more generational diversity
into the boardroom is a priority, and that doing so may bring new perspectives,
unique skills, and varied backgrounds into the board’s oversight role. But, if
not managed properly, adding directors with different experiences and
perspectives may not be as successful as hoped. For some time, new directors
were automatically exposed to either their own boards or nonprofit boards
through their C-suite experience. This often gave them an intrinsic understanding
of the role of the board as well as a good sense of the information they would
need from management in order to perform their roles.

As the search aperture widens beyond the C-suite, candidates may
hold positions that are two or three layers down from the CEO or lower—or, they
may come from academia, the military, government, or other nontraditional
sources. This means they may not have had previous exposure to how corporate boards
operate. Even though less-tenured directors can bring extremely desirable
skills and capabilities, they may not be as familiar with the role of the board
in terms of governance—particularly, the nuances of oversight versus
management. Without this understanding, they can sometimes struggle to find
their voices and to deliver meaningful insights. This suggests that more
education and better onboarding may be required in order to enable new board
members to contribute effectively.

Leading Practices for Generational
Inclusivity

A first step in optimizing the contributions of directors of all
ages is simply recognizing that there may be perceptual and experiential differences
among different cohorts, and that some may be less savvy about the workings of
a board than others. Mentorship
and coaching are initial ways to bridge these differences, with more-tenured
directors offering guidance to new directors on what is expected of them in a
governance role. This includes suggesting strategies for adding value, such as how
and when to lean in and add perspective.

Targeted committee assignments are another way
of including less-tenured directors. For example, consider a new director who
is deeply experienced in technology but less so in finance. The audit
committee, which often has responsibility for overseeing technology risk, may
invite that director to take a lead role on technology
strategy or cybersecurity. This type of assignment can provide newcomers with
an opportunity not only to showcase their strengths, but also to gain valuable
insight into areas where they have less experience. There may also be
opportunities outside the boardroom to invite members to offer their
perspectives, such as meeting with employee councils or customer focus groups
to explore talent strategies, product development, or consumer trends. Offering less-tenured directors specific,
well-defined opportunities to add value within a more informal setting, such as
a committee or working group, can help them form connections and feel more
comfortable in larger meetings of the full board.

Although targeted assignments can be helpful in creating
an inclusive culture, directors should bear in mind that newcomers can feel demoralized if they perceive that they’ve been brought in to “check
a box” or if they are only valued for a specific attribute. Every director, regardless of age or experience level,
should be valued for their ability to offer broad business insights as well as
specific expertise. Accordingly, it is important
not to let conscious or unconscious biases color one’s perceptions. Directors
should be open to understanding each other’s experiences, skills and perspectives,
so they truly allow each person to provide their own unique value.

In terms of generational differences, this need for unbiased
openness goes both ways: one shouldn’t assume that an older person lacks
certain capabilities just as one shouldn’t assume that a younger person possesses
them. A classic example of this bias is the pervasive stereotype that older
people don’t understand technology while younger people inherently do.  

Be Intentional About Realizing
Potential

With boardroom diversity expanding today in all of its forms, performance and value of such diversity are increasingly about the “and”: It’s the skill set and the cultural fit. New members may need different ways of becoming effectively integrated onto the board than their more-tenured counterparts. As more boards intentionally pursue generational diversity for the value it might deliver, they should be equally intentional in creating an inclusive culture that allows this potential to be realized.

Deborah DeHaas is a vice chair and national managing partner, Center for Board Effectiveness, Deloitte LLP.

As used above, Deloitte refers to a
US member firm of Deloitte Touche Tohmatsu Limited, a UK private company
limited by guarantee (DTTL). This article contains general information only and
Deloitte is not, by means of this article, rendering accounting, business,
financial, investment, legal, tax, or other professional advice or services.
This article is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your
business. Before making any decision or taking any action that may affect your
business, you should consult a qualified professional advisor. Deloitte shall
not be responsible for any loss sustained by any person who relies on this
article. Copyright ©2019 Deloitte Development LLC

NACD Chapter Leaders Discuss Top Issues Shaping Programming

At conference tables in more than 20 cities across the
country, the volunteer leaders of NACD’s chapters have been sitting together to
discuss the topics of greatest import in today’s boardrooms. Out of those
conversations will spring more than 300 NACD chapter programs in the 2019-2020
program season, during which NACD members and guests will hear from high-level peers
and experts in panel discussions, keynote presentations, roundtable discussions,
and the like.

I recently asked five NACD chapter leaders for a sneak peek
of the top issues facing directors now and in the coming quarters, according to
their local discussions. These themes will be reflected in the new program
season, and are discussed below.

1. Innovation and change. How do you reinvent the wheel? This is a question on the mind of NACD New England chapter program committee Chair Ellen Richstone, who is currently a director of Superior Industries International, one of the largest aluminum alloy wheel manufacturers. She also serves on the boards of eMagin Corp. and Orion Energy Systems, and has served on corporate boards across eight different industries since 2003.

“Directors need to focus on innovation,” she said. “Regardless of industry, the world is changing, accelerated by technology, geopolitical factors, and economics.” Richstone gives an example from automotive supply, which is not thought of as a high-tech environment. “Just think of a wheel,” she said. “Many years ago, the wheel was a standard product. Now, we must be concerned with material sciences and design. Consumers are looking for choice, and the company must think about making these products stronger and lighter to increase fuel efficiency and reduce environmental impacts, while reducing costs overall. We also have to ask if we have the right talent capital to get the job done, and whether we have the right culture to attract and keep the right talent.”

Richstone looks forward to an upcoming chapter program showcasing New England-based companies whose products are changing the world, to be held in October, along with a variety of programs that will touch on the area of innovation and change.

2. Sustainability and purpose. Anna Catalano, co-chair of the program committee at NACD Texas TriCities chapter, agreed that innovation and disruption should be at the top of each director’s list. That said, a closely related topic that should also capture the attention of directors is the evolving importance of sustainability and purpose.

“There is a growing sentiment that business takes from people,” stressed Catalano. One of the companies she serves, Kraton Corp., has been proactive rather than reactive. “We have changed the name of the nominating and governance committee to the nominating, governance, and sustainability committee. We are discussing what we stand for, and how we are going to market,” she shared. Kraton, a publicly traded chemical company, has also published a sustainability report, a step forward for the industry. NACD Texas TriCities will offer programs on this and other leading topics in Houston, Austin, and San Antonio this season.

3. The global economy. The thread of the global economy weaves through the various issues facing directors, so much so that no company can ignore it, according to Elizabeth Camp, program co-chair for the NACD Atlanta chapter. “I sit on the boards of Genuine Parts Co., a global public company, and Synovus [Financial Corp.], a public regional bank with community banking roots. The former has a nimble supply chain, but must manage price risk. The latter has exposure to global companies and must manage the business accordingly.” So, she added, “The community is now the world. No matter the industry, you have to consider the global slowdown and tariffs.” Rooted in factors ranging from the global economy, to forces of disruption and change, NACD Atlanta’s program year will have the theme of “the future of boards” and kicks off in September with a program featuring Benjamin Pring, director of the Center for the Future of Work at Cognizant and recognized expert on leading-edge technology and its intersection with business and society.

4. Macro-level risk management. Tom Leppert, the former CEO of large companies in five different industries and former mayor of the city of Dallas, is the program co-chair for the NACD North Texas chapter. He wraps many of these topics together under the notion of macro-level risk management.

“We are good at micro risk analysis,” he said, “but we are less skilled in managing existential and macro risks. We aren’t used to dealing with them because they often had a low probability of happening, although the impact when occurring is enormous. And that probability is increasing.” Leppert currently chairs the boards of building company Austin Industries and dynamic glass manufacturer View. “I spend more than 50 percent of my time on these types of discussions. The board as a whole spends less than that, but still a significant percentage of time looking at macro risks.”

According to Leppert, the board’s role is to ensure that there is a process in place to address these forms of risk and that management has created relevant policies—with appropriate board oversight—to handle the risks. This encompasses reputational risk, both for the company and for the individual director. “I bring a public sensitivity to my work, having been a mayor and having worked at the White House,” he said. “But every one of us, whether in management or on the board, is a news article away from being a public figure.” Leppert expects that macro-risk management will be explored in several of the upcoming NACD North Texas programs, held in both Dallas and Ft. Worth.

5. Defending capitalism. NACD Pacific Southwest chapter President Larry Taylor is focused on risk management of another kind: the role of corporate directors in our capitalist society. “We should be asking whether directors have a responsibility to protect the long-term viability of the corporations on whose boards they serve as directors,” he opined. “We must face the need to protect the capitalist system in which their corporate entities exist, operate, and earn profits because capitalism and the private sector are under fierce attack.”

According to Taylor, educating employees—particularly younger employees—about the role of the corporation in society can help them to be better informed in their own “employee activism,” making them able to defend capitalism externally as company ambassadors. Taylor believes that societal risk belongs in the risk management process, and he specifically believes that the risk to capitalism should be on the board agenda. Taylor will lead a panel on this topic at the NACD Pacific Southwest/USC Marshall Corporate Directors Symposium on November 14. The chapter will offer programs in Los Angeles, Phoenix, Las Vegas, San Diego, Santa Barbara, Santa Monica, and Reno this program year. 

In a year when NACD launches its director certification program, and directors are focused on refining their educational calendars, these and other NACD chapters will offer timely programs where you live, work, or travel this fall. To find a chapter program near you, visit here.

Kimberly Simpson is an
NACD regional director, providing strategic support to NACD chapters. Simpson,
a former general counsel, was a U.S. Marshall Memorial Fellow to Europe in
2005.

The CHRO Scorecard: Three Metrics Your Board Should Review

A chief human resource officer (CHRO) brings a unique skillset to any board. With deep knowledge of executive succession and the ability to maintain and engage individuals who execute business strategy, CHROs are an invaluable asset to corporate boards. Yet, there are only 28 active CHROs serving on the boards of Fortune 1000 companies.

Much like a chief financial officer might have to report on revenue or a chief marketing officer (CMO) on market penetration, CHROs should report to the board on specific, quantifiable metrics to show the value of their role and its impact. The CHRO’s greatest value often lies within the below fields:

1. Diversity and Inclusion: A commitment to diversity and inclusion (D&I) is apparent at many institutions today. Across North America, approximately 74 percent of corporate respondents in a recent PwC survey reported D&I as a value or priority within their organizations. Yet, to make serious progress, the drive for D&I must be underpinned commercially and financially by the board.

Numerous studies by strategic consulting
firms consistently demonstrate that heterogeneous boards and leadership teams
outperform homogeneous groups in value creation. For D&I to be truly embraced,
companies must look to the old adage that “strategy drives structure.” This
change must come from the top and be diffused throughout the company.

It is essential that the CHRO coordinate
with the CEO to ensure that cross-functional project teams have diverse
representation. A lack of quality D&I can represent a reputational risk to
an enterprise.

High-performing companies generally expect
D&I progress and enterprise goals to be a regular board topic and for the board
to hold the CEO, the CHRO, and other senior executives accountable for the
personal development of high potential diverse talent. Executive leadership
should also be familiar with the development tactics of diverse talent at
outside companies to round out the company’s succession strategy. The CHRO and the CEO should keep the board
informed of external, potential talent from diverse backgrounds while also
ensuring that its own talent development process is commensurate with the
enterprise’s needs—and competitive with others’ programs.

Another way to ensure the progress of a
company’s D&I objectives is for the compensation committee to consider
including personal incentive objectives, tying executive compensation to the
achievement of diversity goals.

When looking at how best to measure the success of D&I initiatives, consider sharing with stakeholders statistics that display the growth of high potential diverse executives in the succession pipeline and the number of senior executives mentoring diverse junior executives.

2. Culture: As Lou Gerstner states in his book, Who Says Elephants Can’t Dance?, “Culture is not the most important thing, it’s the only thing.”

While CEOs must serve as chief
culture officers, the CHRO needs to serve as the steward of cultural direction.
Corporate culture must complement the organization’s vision and its strategic
direction. Any disconnect will seriously jeopardize the prospects for future
success of the business.

As the culture steward, the
CHRO can direct staff to conduct various audits to determine if the desired
culture is being consistently embraced and followed. These audits may take the
form of individual performance reviews, random interviews with employees at
various levels, or employee surveys to determine which behaviors are being
rewarded and how these behaviors align with the desired cultural
transformation.

The CEO must require senior executives to reinforce cultural goals among their employees and call on human resources (HR) for support in embedding the messaging in company culture. Both the CEO and CHRO must have mechanisms in place to report to the board on cultural development. That said, culture change is not a quick fix. Milestones need to be set and understood widely to ensure appropriate progress is being made. An example of a milestone to evaluate would be the percentage change in annual revenue three years after introduction of a culture change.

3. Ethics: Today, as never before, corporate values and ethics have become major risk management considerations and require steadfast attention and monitoring. Recently, the business world has seen the loss of significant shareholder value stemming from sexual harassment claims, from lack of equal pay for equal work practices, and from improper management of consumer protection and rights—and the list goes on and on.

The intersection of corporate
values and the executive team’s individual actions is of paramount importance. As
with culture, senior executives must be the standard bearers of the stated
corporate values, consistently modeling and monitoring the enterprise’s values
and ethics. They may do this through small group meals or meetings with wide
ranges of employees.

A vibrant culture is closely tied to the enterprise’s values and ethics. Any
significant misalignment risks the erosion of shareholder value through the
loss of talent, constituency confusion, and inappropriate behavior. What the
organization truly honors and rewards plays out in its day-to-day behavior. The
desired values and ethics must be lived daily from the boardroom on down
consistently with the desired culture. Otherwise, the culture will break down
and employees and constituents will become confused and disillusioned.

A CHRO may also consider utilizing
employee surveys or setting up an outside service platform for employees to air
concerns about breaks with the company’s stated ethics and values. The board as
a whole could receive periodic reports from this service and, as needed, provide
feedback on matters requiring immediate attention.

Critical matters such as D&I,
culture, values, and ethics, in addition to talent development, need to be
receiving more board-level attention. The CHRO can be invaluable in making that
happen by serving up specific metrics that highlight where a company stands—and
where it needs to go. Board engagement on these issues is not only good
corporate citizenship, but also serves the best interests of shareholders and corporate
longevity.