Securing a Board role: The informal knowledge
The business landscape is changing at an accelerating pace and Boards find it increasingly difficult to keep up. If you want to secure a Board role, understanding how your specialist knowledge can contribute to this challenge is key. The relative importance of some specialist areas is readily accepted, like financial and legal input, but others are less so. One in particular is information technology, of which cyber security now forms an important part. Whatever knowledge you have will be significantly affected by the changes in the information landscape.
In this article I will discuss why this is an effective strategy, and how demonstrating your knowledge of this area can make it more likely that you get the Board position you want.
Current state of cyber security
I thought I had a pretty good grasp of internet technology and hence cybersecurity, but doing a cybersecurity course recently helped me realise just how ignorant I and my generation are regarding the use and abuse of information. This would not be so important if it were not for the fact that the more established organisations are run by people of my age. People who have been used to knowing about things are suddenly people who know very little about really important things.
There are several areas that need to be addressed to make a business more secure. These include ageing infrastructure, external and internal security, the maintenance of a competitive operations process, and sufficient investment in training to stay up to date. All are complicated by the continued high speed of technological progress.
IT challenges are caused partly by the fact that the IT infrastructure in large organisations is unable to meet the demand now being put on it. Witness the recent examples in banking and airlines. RBS had a serious malfunction in 2015 when 600,000 customers’ payments and direct debits went missing; the cause was the growing strain that digital banking placed on archaic technology systems handling customer transactions. Delta Airlines, the following year, was affected by a computer outage which led to the airline cancelling 2,300 flights and caused three days of chaos. Again, the airline blamed an ageing piece of equipment at its data centre.
Whatever the size of an organisation, its ability to be successful relies more and more on good security. In 2017 cyber attacks increased by 60% and the rate continues to accelerate. For small organisations, the worst breaches cost between £65,000 and £115,000 on average, and for larger organisations the cost may run into many millions of pounds. These costs can occur as direct financial losses due to fraud or theft; the loss of productivity due to time spent recovering from the effects of a successful attack; or the loss of trust and reputation. Having the qualified staff needed to keep abreast of the increasing number of security breaches is a huge task, and finding those staff is becoming more and more difficult.
In late February 2016 the Washington Post reported a whaling attack at Snapchat (like phishing, but impersonating senior management) in which a "social engineer" with criminal intent posed as CEO Evan Spiegel and sent an email to someone in the social network's payroll department, causing the personal protected information (PPI) of some 700 employees to be released. Another high-profile example is Google, which in a currently running lawsuit accuses former employee Anthony Levandowski of stealing 14,000 files from Waymo, Google’s self-driving car unit, and taking them to Uber. IBM's 2016 Cyber Security Intelligence Index reported that 60% of security breaches were internal.
Maintaining a competitive operations process
With the accelerated integration of AI into business operations, risk to the business is often caused by a lack of understanding about its impact. A narrow focus on technology, without a broader understanding of the relative risk of each innovation to the business as a whole, can have serious consequences. Digital Risk Management is gaining greater acceptance now, as the complexity and speed of change make it more difficult for Boards to make sensible and affordable decisions about what to focus on. @steveschlarman, an information security thought leader, supports this joined-up approach, suggesting that “Digital Risk Management depends on the strength of the intersection between understanding business risk and the effectiveness of security operations.”
Regular learning opportunities
Opportunities to keep up with developments need to be built into the DNA of organisations at every level if they are to stay relevant, given the speed of change in business models and delivery of services. An [Infosecurity Europe survey](https://www.infosecurity-magazine.com/news/employee-training-tops-list-of/) revealed that while a slight majority of companies had implemented an internal information security policy to secure computers, networks and data, only a minority had provided staff training to raise awareness of potential security risks. @GeraldCKane, in his book The Technology Fallacy, stresses the importance of easy access to training resources throughout the organisation if it is to keep abreast of the cyber security landscape.
How it supports your contribution
The cyber issue has become the elephant in the room. As with climate change, cybersecurity seems to be an issue so big that we struggle to get our minds around it. J. Yo-Jud Cheng and Boris Groysberg, in a recent HBR article, found that cyber security processes came last in a ranking of the effectiveness of Board processes, even though the threat is recognised as being on a par with regulatory and reputational risk. The figures suggest that, while there is a recognition of the need to act, the ability to analyse the threat and relate it to specific business risk and opportunity is falling short, even in the most sensitive industries. For example, health care is the most often targeted but least protected sector. Personal details including your National Health number and Social Security number, once stolen, cannot be protected by changing your password and are so valuable that they can be sold on the dark web for up to £1000 each. The evidence suggests a frightening level of paralysis when it comes to taking effective action to improve the situation.
What Boards need to hear
David Hopland (@ThreatConnect) believes that the biggest difficulty for companies is the complexity of security itself. He uses the metaphor of “a soldier being told to guard a certain hill and to keep it at all costs, without being told who his enemy may be, what they look like, where they are coming from, or when (or how) they are likely to strike”. As the gap widens between a breach occurring and its detection (the detection deficit), so does the gap between managing the risk and day-to-day practice. For a cohesive strategy he recommends identifying and implementing a process.
A would-be Board member with relevant knowledge of cybersecurity, and a thoughtful approach to managing risk better, may be of great interest. The mesmerising threat of cyber risk can distract from generating an approach that mitigates risk in the areas that support overall business strategy. It is not necessary to have deep technical knowledge; more important is maintaining an overview, which enables innovation whilst managing risk as the business moves forward.
James DeLoach and Jeff Thomson, in their thought paper, suggest five common risk management failures that hamper organisations when it comes to understanding the relationship between cybersecurity and business strategy. They raise important questions about Boards' ability to access the appropriate information from within the organisation to make informed strategic decisions. This is such a common problem that I am convinced that asking thoughtful questions to establish the technology-focused blind spots, and encouraging a more integrated cyber approach focused on business risk and litigation, would be a welcome contribution to a prospective Board, a contribution that might make the decisive difference between yourself and another candidate.
Take a view
There is a lot to think about here. Many of the risk issues haven’t actually changed, but the increasing cyber risk requires an organisation to function more effectively than ever. What has changed is the level of risk, and the devastating consequences if an organisation is not able to sufficiently raise its game. If you have done some thinking about cyber security in relation to the business you are considering, you will be in a better position to discuss and assess cyber risk in a way that will command attention.