If there’s one thing corporate boards have heard a lot about over the last few years, it’s cybersecurity. In my engagements as a director and my work on governance issues, a day doesn’t go by without another briefing that tries to tell board members something new about digital and cyber dangers.
We’ve already heard the hacking horror stories, statistics, and anecdotes, and those are important to understand for managing risk. There is one crucial aspect of board responsibility for digital that does demand more support and guidance from boards. That is establishing the role the board should take in digital oversight and determining what contributions should be expected from the board.
Setting the right tone from the top
It is not the board’s role to directly create a company’s digital/cyber policy, but rather to ask the right questions and set the tone from the top.
Questions to ask:
- How does our strategy take into account the next digital revolution of IoT, AI, cloud computing, and Big Data?
- Are we leveraging our data assets to build our business?
- What kind of data do we hold? Where is it housed?
- Who has access, and what is the authentication process?
- Have we segregated our key intellectual property and treated it with higher security?
- What are the firewall/encryption/protocol systems in place, and are these actively monitored?
- How do we review past attacks and responses? Do we establish a cyber-breach response plan? Is it tested?
- Who is directly responsible? Is there a chief information security officer (CISO), and what is the reporting line?
Asking the right questions
The ability to ask the right questions requires digital expertise on the board. Since not everyone on the board will be digitally savvy, it’s important to touch on this subject at each meeting to build that knowledge. Each board should have at least one digital director, if not two. Good digital oversight can also mean that the board reaches outside for information and validation. The board needs to budget time for outside advisors on digital trends and guidance on looking around the corner at how digital will impact their business models and channels.
Digital expertise is one of the boardroom’s newest demand areas, but one with vague qualifications. While CFOs are go-to talent for filling a board’s need for finance expertise, chief technology officers (CTOs) or CISOs are still uncommon in the boardroom. Despite the “C” in their titles, these execs still aren’t at the corporate level of a CFO. They are perceived by some search firms and board members to lack the seniority or seasoning in broader governance oversight to be effective in a board setting, and their tech skills, while solid, may be seen as narrow or limited. A CTO on your board could well be an expert on cybersecurity, data privacy laws, or trending mobile retail opportunities but prove weak on other urgent governance issues.
Determining who should lead
How the digital oversight role is filled and led at the board level is also crucial (and often overlooked). Modern corporate boards, especially at public companies, face a huge, demanding workload. A common tactic is to assign digital governance to the audit committee. But audit has increasingly become the board’s dumping ground for risky technical matters. Unless you upgrade the committee’s skills and capabilities in tech, your digital governance could grow worse instead of better.
Another alternative is to consider chartering a new board committee for tech and innovation. Whichever route you take, be sure to have a committee chair who is savvy in the specific tech issues facing your company and able to lead with a well-planned agenda.
Finally, remember that your board can’t properly oversee digital matters in isolation. First, it needs a solid relationship with your company’s tech staff (CTO, CISO, etc.), particularly for the committee chair in charge. Staff’s ability to effectively explain technical matters to board members requires tact and emotional intelligence. Skill in building and maintaining these relationships should be reviewed as part of the tech staff’s professional organizational development and be part of their evaluation and compensation.
This staff/board interface includes reporting in the slide deck that the board sees on technology matters. Start with careful discussions on the indices the board needs to see, what matters they cover, and how they are reported. Each slide should have a brief, bulleted conclusion at the bottom. Dashboard reporting is useful here, but first devote careful thought to what is to be reported. Be sure you have a summary that explains the insights and recommended actions.
A tech/innovation perspective can be folded into the annual governance committee review on potential board refreshment needs. Your board’s evaluation and turnover policies might assure board continuity. But is the board bringing in the fresh skills in tech and other fields the company will need tomorrow? And are you “siloing” board tech oversight, but missing its application to other areas, like shaping future corporate strategy?
Ensuring strong board leadership requires continued education on the impact of a digital strategy on the business, a clear assignment of digital oversight responsibility, and good relations with the IT staff. Well-defined, insightful board reporting on digital info will keep your board informed and ahead of the trends.
This seems like a big shopping list for the board, but once your course is set, it becomes surprisingly simple. If every business today is a digital business, that means every role your board plays must now become part of its digital governance.
For a primer on hidden risks to look out for, read “Data Security Mistakes Most Businesses Don’t Realize They’re Making.”