Go to our firm’s website and click the “What We Do” link. The first three words you’ll read describe the key drivers that frame our scope of work as management consultants and executive search experts:
Globalization. Convergence. Disruption.
We could just as easily apply those words to the tumultuous state of cybersecurity—and, in particular, the unique demands now faced by and debated in every boardroom. In fact, it would not be an overstatement to say that cybersecurity is reshaping how boards assess risk, practice governance, advise management, and ensure the very long-term viability and prosperity of their organizations.
And, as is typically true of all forms of dramatic change, board members face critical questions that will determine if the board—and the overall organization—is going to thrive in an era of intensified cybersecurity risk, or be steamrolled by it.
As is typical for boards, sorting out the issues, debating the options, and arriving at the most appropriate recommendations involves asking and getting answers to high-impact questions. But instead of simply posing those questions to management, boards now have to look inward and ask those questions of themselves.
Essential Questions for the Board … About the Board
We’ve often seen that the boards most successful at anticipating and coping with sea changes of the magnitude seen in cybersecurity risk are willing to look inward and ask very tough, often uncomfortable, questions. Four come to mind:
Are the right people on our board? A successful board starts with having the right people around the boardroom table. However, the answers to the question, “Do you have the right people—and if not, who should they be?” will vary widely depending on the type of organization you have and the current mix of experience on your board.
Do you have the right committee structure for evaluating and governing cybersecurity risk? Committees and sub-committees are important to give weight and light to such functions as audit, HR, regulatory, strategic planning, risk, and cybersecurity.
What should board members talk about? Board discussions around cybersecurity must be proactive and center on such issues as organization structure, investment, accountability and improvement. Of course, the board also needs answers to forward-looking questions: Which threats are imminent that we have yet to address? What would happen to our bottom line if we lost our ability to take orders online for an hour? A day? A week?
What are the responsibilities for the rest of the board? Even if you’re not the board’s resident cyber expert or you don’t sit on a relevant committee responsible for cybersecurity oversight and governance, you have a critical role to play. That’s because every board member needs to be involved in the discussions and deliberations around cybersecurity; you may decide to let your colleagues take the lead on the issues, but you still can and must ask good questions. And don’t assume that because a fellow board member experienced zero-day attacks at their own company, they are the only one qualified to ask questions about the organization’s threat detection, prevention, and remediation practices.
Why Changes Are Necessary at the Board Level
Aligning your board with the dramatic changes going on in cybersecurity risk is a strategic issue, one requiring a lot of thought, deliberation, debate, cajoling, and even a little good luck. Making the right moves in how the board operates is a facilitator in risk management. The technology shaping cybersecurity issues is undergoing dramatic change—AI, machine learning, blockchain, Internet of Things, and more. The technology risks are getting more complex and dynamic, but at the same time, they reflect important new business opportunities that cannot be shunted aside simply because of new/greater risk.
The right board composition, coupled with setting the right mandate for leadership and action, is the best way for board members to make the greatest impact. It’s about making the right choice, not the safe choice.
After all, nothing comes with zero risk. Boards have always had to deal with geopolitical, financial, regulatory, and product risks, and cybersecurity is the latest addition to the mix. The experience, expertise, mindset, and attitude of your board are critical to juggling the classic risk/reward equation.
There’s another important factor—one that is a bit “delicate,” to say the least. Although the pace of technology change in the past 20 to 30 years has been dramatic, this is nothing compared to what we will experience over the next few years. That’s extraordinarily difficult for anyone to manage, even experienced people. The reality is that the mean age of board members is creeping up in many organizations and industries, and it is becoming harder and harder for some to stay on top of the changes. Yet as the threats grow in number and sophistication, with new types of bad actors and threat vectors, people with current operating experience, fresh ideas, and greater comfort with technology will be needed to help guide policy and priorities.
Although many boards understand the need to come armed with fresh perspectives, not enough board members actually know what to do. This is likely to become more and more urgent as cyberattacks have a material impact on an organization’s financial performance, regulatory standing, legal exposure, and customer confidence. Board members need to be fearless in proposing ideas that may seem unconventional, or even radical. That can be a very powerful force for debate and change, even when your board is properly composed.
How You Know You Are Succeeding
Truth be told, a very small minority of companies proactively come to us and ask for help in defining their board composition with an eye toward the future. An initial step we believe bodes well for a board readying itself for the impact of cybersecurity risk is recognizing the need for an orderly board succession plan and then laying out a methodical execution plan over a two-to-five-year period. Savvy board chairs will meet their evolving needs, such as in cybersecurity risk evaluation and governance, by thoughtfully planning around upcoming retirements and departures.
A successful board transition begins with a documented strategic plan that defines the board member archetypes who will be recruited to the board over the period, and sometimes even identifies specific/aspirational people to approach. Unfortunately, too few organizations actually think this through and invest the time and energy to map it. Often boards realize, “Oops, this person is retiring next year, we need to find an audit committee chair.” Or they may have been dinged with a poor diversity score from ISS or Glass Lewis that triggers a search for a female board member.
Experience has also shown us that successful transition plans involve creating and maintaining synergies and strong working relationships in the boardroom. While it doesn’t mean everyone has to spend quality time together outside the boardroom, it does mean avoiding adversarial, confrontational meetings where personalities and perceived slights get in the way of doing productive work. Give a lot of thought to the intellectual, personal, and political dynamics of your board.
Remember: We’re not recommending overhauling your board by orchestrating a palace coup in the boardroom. We’ve all seen examples of how messy those can get and the kind of unproductive, even hostile, environments they can create. The evolution of the board needs to be designed with its future desired state in mind, in conjunction with managing affected board members in a thoughtful, respectful, and personal manner.
Make no mistake: It has to be done. The very future of your organization and its success depends upon it.
The authors are part of the management team at Egon Zehnder, a leading consulting and advisory firm. Kal Bittianda is head of the North America Technology Practice; Selena Loh LaCroix is the global lead, Technology and Communications Practice; and William Houston is an advisor, Technology and Communications and Industrial Practices. This article was excerpted from Navigating the Digital Age, Second Edition.