12 Questions for Managing Cyber Risk

Recently, I participated in an NACD Master Class. I was a panelist in discussions of technology and cyber risk with 40 to 50 board members very actively involved, because this is a hot topic for boards.

I developed and shared a list of 12 questions that directors can use when they ask management about their organization’s understanding and management of cyber-related business risk.

The set of questions can also be used by executive management, risk professionals or internal auditors, or even by information security professionals interested in assessing whether they have all the necessary bases covered.

This is my list:

1. How do you identify and assess cyber-related risks?
2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of intellectual property, compliance risk and so on) and not just IT risk?
3. How do you evaluate the risk to know whether it is too high?
4. How do you decide what actions to take and how much resource to allocate?
5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
6. How do you assess the potential new risks introduced by new technology? How do you determine when to take the risk because of the business value?
7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
9. Can you respond appropriately at speed?
10. What procedures are in place to notify you, and then the board, in the event of a breach?
11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce new risks by signing up for new cloud services?

I am interested in your comments on the list, how it can be improved and how useful it is – and to whom.

How the ‘Internet of Things’ Affects Strategic Planning

When it comes to technology, the boardroom has been learning a new language: mobile, social, cloud, cyber security, digital disruption and more. Recently the National Association of Corporate Directors released an eight-part video series on the board’s role: The Intersection of Technology, Strategy and Risk. We have spent much of the past year focused on cyber security, an essential discussion given the widespread theft of intellectual property, privacy invasions and data breaches. A report on cyber crime and espionage by the Center for Strategic and International Studies (CSIS) in Washington, D.C., last year estimated that cyber crime costs the global economy $300 billion a year – an entire industry is growing around hacking! Research by PwC shows cyber insurance is the fastest-growing specialty coverage ever – around $1.3 billion a year in the U.S. As our boardroom agendas often get filled with discussions on risk, I asked Frontier Communications board director Larraine Segil how to shift the conversation to strategy. Larraine has a keen focus on opportunity and suggested we delve into solutions for governing “The Internet of Things.”

What exactly is the Internet of Things, and what are the implications for business strategy?

Think about connecting any device with an on and off switch to the Internet and to each other. This includes everything from cell phones, thermostats and washing machines to headphones, cameras, wearable devices and much more. This also applies to components of machines – for example, the jet engine of an airplane. If the device has an on and off switch, then chances are it can be a part of the Internet of Things. The technology research firm Gartner says that by 2020 there will be more than 26 billion connected devices. Think about Uber, the company that connects a physical asset (car and driver) to a person in need of a ride via a website. That simple connection has disrupted the taxi industry.

Airbnb has done the same for the lodging industry by directly connecting people with spaces to rent to those in need of accommodations.

What does this mean for our companies? Larraine, what are you thinking when you hear about the Internet of Things for business opportunities? As a director, how can you help directors govern in this fast-moving digital age?

Frontier Communications provides connectivity services to a national customer base primarily in rural areas and is integrally involved in the Internet of Things. Frontier has a number of strategic alliances with companies that develop and market those very devices – or “things” – such as the Dropcam camera, a cloud-based WiFi video monitoring service with free live streaming, two-way talk and remote viewing that makes it easy to stay connected with places, people and pets, no matter where you are. Other alliances expanding the “things” will be introduced in the rest of 2014.

As a director, it is critical to be educated constantly about new trends, products and opportunities – competition is fast-moving, and customers are better-educated about their options than ever before. Strategically, the board has to think way ahead of the present status quo – and with the help of management and outside domain experts, explore opportunities for alliances. This requires using strategic analysis at every board meeting (not just at one offsite a year) and welcoming constant director education and brainstorming both within and outside of the company’s industry. The board should continually identify and evaluate strategic directions to keep the company fresh and nimble.

Remembering that we’ve only just begun, here are some critical questions boards should be asking about technology and the Internet of Things:

1. Are you including strategic discussions around technology at every board meeting?
2. Do your strategic directions include alliances within and outside of your industry?
3. How would you assess your current level of interaction with the chief information officer and chief technology officer? What can be done to improve the effectiveness of communications with them?
4. As a board, how are you helping to guide your company in innovative directions, taking into consideration disruptive technologies, competitor alliances and new ideas or skills coming from outside your industry?