Top 2015 Board Issue: Cybersecurity Governance

Of top director issues for 2015, cyber security is the No. 2 concern behind strategic planning.

— Kerry Berchem, Head of Corporate Governance practice, Akin Gump Strauss Hauer & Feld, based upon an extensive survey of corporate directors

If you’ve been paying any attention at all to business headlines, you’re aware of how critical a concern cybersecurity breaches have become. Home Depot, Adobe, Ebay, JP Morgan Chase, Target, Sony, and a host of lower profile organizations have suffered expensive losses during the past several years.  If the threat of such losses weren’t putting pressure on businesses, recent comments by SEC Commissioner Luis Alvarez have set board rooms abuzz, e.g.:

Board members cannot expect to avoid personal responsibility for [cybersecurity] losses that might have been prevented by the application of “reasonable business judgment.”

  — Luis AguilarSEC CommissionerSeptember 2014

Translation: for losses incurred due to cybersecurity breaches, corporate directors are no longer safe behind the “corporate veil” protecting their personal assets from shareholder lawsuits. Boards who can’t demonstrate that they’ve exercised considerable oversight (“reasonable business judgment”) to ensure that their companies are taking appropriate measures to protect their information from hackers are now exposed.

Does this mean directors must become internet security experts? Of course not, but they should become conversant enough to understand what their companies are doing to minimize the danger and impact of a breach. One place to start is a framework developed a couple of years ago by NIST (“Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, February 12, 2012).

The framework comprises three major components:

  1. the Framework Core identifies “the key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk,”
  2. the Framework Implementation Tiers provide “context on how an organization views cybersecurity risk and the processes in place to manage that risk,” and
  3. the Framework Profile aligns the other elements with “the business requirements, risk tolerance, and resources of the organization.”

The Tiers illustrate how a company can grow its ability to deal with breaches by assessing its current state and upgrading its infrastructure and processes where appropriate in the context of the specific business. I’ve summarized the Tiers in the table below.


Companies can evaluate themselves in three key areas: (1) the risk management processes currently in place, (2) how integrated those processes are across the organization, and (3) the extent to which the company shares information and collaborates with its business partners and other external organizations. While NIST suggests using the framework to create a unique plan for improvement rather than employ it as a maturity model, it nonetheless offers a good way to assess a company’s readiness to deal with breaches.

The vertical scale outlines increasingly sophisticated stages of cybersecurity implementations, from Partial through Risk Informed and Repeatable to Adaptive. Examining each column reveals the relative strength within each of the three areas (Risk Management Process, Integrated Risk Management, External Participation). Viewing the company through the lens of these tiers empowers a board member to ask the right questions as they add “cybersecurity governance” to their responsibilities as a director.

20/20 Outlook’s Third Anniversary

It’s been three years since the launch of 20/20 Outlook as an advisory service for CEOs, and I’ve been blessed with wonderfully rewarding and interesting experiences along the way. By acting as a sounding board for creative business leaders and helping them get clarity about their purpose, value, and relationships, each one has accelerated the quest to achieve his/her business vision.

Recently, Brad Young came into the 20/20 fold as another trusted CEO advisor, bringing with him a whole new set of gifts and talents. His major focus is on initiatives that complete strategies with flawless execution.

Our client discussions cover every aspect of each business, and we often discuss areas of personal challenge and growth. Similar to traditional executive coaching, building trusted CEO relationships has enabled discussions of their strengths and weaknesses, passions, and even the personal search for meaning and purpose. A side benefit that clients have cited is more effective communication with board members, leading to more productive relationships.

Along the way, a wonderful network of people has evolved around us. Each one has generously supported 20/20’s steady growth with introductions and recommendations, suggestions for new offerings, adoption of 20/20 processes, and partnering to help clients. Because of this network, LinkedIn recently recognized my profile as among the top 1%  frequently viewed profiles in 2012.

To our friends and colleagues, thank you for your continuing support!

 

 

Breakout Strategies in Tough Times

Entering 2013, we have larger challenges than ever.  Economic slowdowns in Europe and projected softening demand in Asia and elsewhere are forcing CEOs to pursue more challenging growth opportunities.  This is not an option: we grow or we die.

For many firms, growth has historically come from new products or innovative extensions to existing products.  The simple growth strategy where R&D generates a new widget, Marketing promotes it, and Sales introduces it to customers isn’t working that well any more.  And even if revenue is growing, profits are often generated at the expense of ever deepening cuts in personnel, core capabilities, and reduced investment in capital and equipment.  CEOs are worried that soon they will have to pay the proverbial piper.

M&A alone won’t do it either.  While firms can and often should acquire or merge to become more competitive, most M&A data shows that the combined enterprise delivers little increased profitability.  At best, results are additive, not multiplicative or geometric.  So what’s next?  Where can we find that elusive growth?

Leading companies are broadening their definition of growth beyond traditional product-based categories to include more novel growth strategies.  For CEOs to take advantage of any of them, they must consider the real impacts on their businesses and determine the capabilities they will need to succeed.

First, creative CEOs need to generate a complete portfolio of growth initiatives that include: geographic expansion and M&A; product-based extensions and positioning; integration or bundling of products and services; marketing-driven initiatives like segmentation and value-pricing; localized delivery through outsourced capabilities; value-driven arrangements like performance guarantees; and IT-based strategies like remote services.

Second, CEOs need to determine how best to apply scarce resources to these initiatives, being especially careful to avoid the trap of over-investing in existing businesses – through both capital and key resource allocation – at the expense of novel and potentially much more profitable strategies.  Communicating the necessity of and how best to implement novel strategies to their boards is a critical challenge.  Key questions include: “Do I have the right leaders in the current businesses?  Can my current team succeed in these new lines of business?  Is the plan aggressive enough?  Have we achieved the right balance of risk and projected return?”

Finally, only careful analysis will determine whether any of these breakout strategies are appropriate for your firm.  Can you get buy-in from all stakeholder groups?  Will employees get excited about the new opportunities?  Will the board support the initiatives?  Can you communicate the new direction effectively to analysts and investors?

In these especially demanding times, CEOs must gain a broader perspective and challenge their internal teams’ assumptions.  Make sure that you incorporate external research and insights into your thinking before making the hard calls.

2012 CEO Resolution: Disciplined Dreaming!

During the holidays I focused far less on business and far more on family and friends. Pushing back from normal activities gave extra time for some creative thinking. High on my list was reading one of 2011’s top business books, Disciplined Dreaming.

Author Josh Linkner is a  successful serial entrepreneur.  Founder of ePrize, a dominant company in the promotions industry, he’s proven the value of tapping into the creativity of the every individual in his business. His book outlines various processes and techniques that encourage and enable innovation among employees.

But what about the CEO? If the CEO doesn’t dream, the business doesn’t grow. Most business leaders find it easier to work in their business than on it, i.e. to handle urgent operational matters than to focus on important growth initiatives. Incorporating more creativity into a CEO’s schedule demands opening space for it.

Linkner suggests deliberately scheduling “heads-up” time for the creative process. He contrasts the differences between heads-up and heads-down operation:

The challenge in switching between heads-down and heads-up thinking is learning to use the analytical and creative sides of your brain simultaneously. Daniel Pink has suggested that the most successful 21st century ventures will be led by those who combine both modes of thinking, enabling them to spot patterns and trends faster than competitors. The result will be superior products, more relevant services, and higher market share.

The CEO who neglects creative thinking and stays in the comfort zone (solving operational issues and managing finances) falls behind competitors. It takes effort to break out of the zone, and it can require reaching outside the organization.  Successfully implementing the discipline to dream may require creating a network of friends who are regularly tapped for advice and who act as a sounding board. It means joining a group of like-minded CEOs (e.g., Vistage), or leveraging a special board member, or hiring a trusted advisor, or a combination.

Resolve that 2012 is going to be different for your business. Despite a challenging economy, it’s time to take it to the next step. Leave your comfort zone and grow your business by unleashing your own creativity and the creativity of your entire organization, and resolve to do it in a disciplined way.

Two Reasons for Five Common Strategy Mistakes

Growth relies on having a superior strategy, and in her recent HBR post, Joan Magretta identifies five common strategy mistakes. In reading the piece, two common antecedents became apparent. Hopefully, naming them will amplify rather than oversimplify her points, since she expertly explains how to correct each of the five.

The twin antecedent causes are a lack of clarity and a lack of focus:

  1. Confusing marketing with strategy – While good marketing is important, simply identifying your value to customers is insufficient to win big and often. A clear understanding of why you’ll win using focused execution is vital.
  2. Confusing competitive advantage with “what you’re good at” – Just being good at certain things isn’t enough to win business. Most companies are good in multiple areas, but sometimes the “strengths” they identify are merely minimum requirements to stay in business, like good customer service. Clarifying what you’re uniquely good at and how your unique blend of products, services, and relationships delivers higher value than competitors’ offerings leads to real growth.
  3. Pursuing size above all else, because if you’re the biggest, you’ll be more profitable – A young, smaller company with a clear and focused strategy can maintain higher margins than larger competitors. It happens in many industries, and Joan’s example of BMW versus GM makes the point.
  4. Thinking that “growth” or “reaching $1 billion in revenue” is a strategy – Desiring to “grow the business” and “enhance revenue” constitute objectives; they don’t identify the strategic moves needed to fulfill them. As discussed often in this blog (e.g., see “Attacking Business Entropy“), clarity about positioning is crucial and fundamental to a successful strategy.
  5. Focusing on high-growth markets, because that’s where the money is – The retail sector was not a high growth market when Amazon entered it. It’s a classic example of finding a new, better way of attacking an old, slow growth market to take share from existing competitors.

Why is it important to get strategy right? Operations-focused CEOs sometimes wonder if strategy is about hiring high-paid consultants to create pretty slides and well-written plans for consumption by boards of directors and investment bankers. As pointed out here before, clear and focused strategic thinking is the key to effective execution. Clarity and focus provide the foundation, and the value of the results – accelerated growth, higher margins, and increased understanding of the market – profoundly surpass the value of a new presentation.

Surprise: Clients Tell It Best

It’s been awhile since the last post was published. Client deliverables, non-profit activities, and family priorities, as well as continual business development, have made it a hectic time.

The 20/20 elevator pitch is that “it is a process that helps a company get ready and stay ready for an exit,” but it’s more than that. While helping shoot some videos during that non-profit work, we were close to Infoglide’s offices, so I asked CEO Mike Shultz to stand in front of the camera and share his thoughts on his use of the 20/20 process.

Mike has started and sold several companies, which enables him to speak with authority in this 2:47 of unedited footage. With just one take, Mike captures the essence of the process better than any marketing firm I could have hired. Enjoy.

Important Indicators are Up

Because I help companies define an exit strategy and grow value accordingly, I’m always seeking better sources of data that capture the current state of the investment world. Pitchbook is one source that publishes particularly useful information about fundraising, investments, and exits. A recent Pitchbook presentation suggests that we’re on the verge of significant growth in private equity investment during the next year, and that’s good news companies moving toward an exit.

One factor mentioned in the Pitchbook prez is that capital overhang is high and growing. When that happens, valuations tend to increase because so much money is looking for a place to land and produce a return.

Additionally, chart below depicts that the number of quarterly private equity exits through corporate acquisitions, initial public offerings, and secondary sales is on the upswing after reaching a low in early 2009.

Finally, one of the best analysts in the business, Richard Davis of Needham and Company, commented in his newsletter that it’s been 25 years since he’s seen so many companies in a great position for an IPO.

Taken together, all these indicators suggest that, despite the continuing malaise in the broader economy, a CEO who keeps his/her company’s partnerships, product strategy, services, and partnerships aligned with potential acquirers can expect to see greater opportunity this year and through the next.

The Reality of Being a CEO

Tactics is knowing what to do when there is something to do.
Strategy is knowing what to do when there is nothing to do.
– Savielly Tartakower

The reality of being a CEO differs in many ways from the popular conception. After many candid conversations with CEOs, it’s clear that the media portrayal of the CEO role as being glamorous, highly lucrative, and psychologically rewarding is incomplete at best. All of the above are true at least some of the time for many CEOs, yet when they’re being candid, most will tell you that it’s far from being chocolates and roses all the time.

In fact, one business leader laughingly told me that people don’t realize how often a CEO gets to “experience sheer terror.”  Many things can go wrong that adversely affect the business and ultimately impact CEO priority number one, i.e. increasing shareholder value. What moves are competitors taking that we can’t respond well to? What drivers in the economy threaten the willingness and ability of customers to stop buying? Is our own inability to execute holding us back? Do we have a realistic vision for growing the company?

An earlier post about “The CEO Dilemma” discussed these and other challenges. Many CEOs live life on a high wire, balancing operational issues, cost and cash management, a realistic vision for growth, productive business partnerships, market presence, go-to-market and sales strategies, and many other priorities. Contrary to the supremely confident leader portrayed on-screen, a CEO is not always sure what to do.

Should we pity the poor, downtrodden CEO? Hardly! Most tell me they can’t conceive having any different role. They love what they do and feel fortunate that they have the opportunity. At the same time, life at the top can be lonely. The buck always stops there. As the CEO, you ultimately have to make the big decisions. And sometimes it pays to get assistance.

Where do CEOs look for help? If they’re lucky, experienced individuals on their board of directors are able and willing to serve as sounding boards, yet the fiduciary nature of their relationship may limit those discussions. Alternatively, the CEO may have one or more friends who are or have been chief executives whom they can trust for advice.

Often CEOs are more isolated than they need to be. Organizations like Vistage, CEO Netweavers, and others have evolved to meet the needs of CEOs over the years.  They comprise CEOs who are willing to give time to help other CEOs with advice in a trusted environment, often facilitated by experienced serial CEOs. And, of course, there are independent trusted advisers who work individually with CEOs as well as with groups of CEOs to share expertise and experience that can help companies reach new levels of performance.

Optimal Board Conversations

Based on feedback from experienced CEOs, getting the optimal value from boards of directors is a common challenge. Of course, it starts with picking solid board members. As serial CEO Bill Bock said recently, “Building a strong board is every bit as important as building a strong management team.” He recommends at a minimum that you include at least one very strong financial mind and at least one “crusty operational type” on your board to provide balanced guidance to the management team. “The ideal director sees a bigger world than the CEO.”

Assuming that you already have the right people, deriving value from them is up to you, the CEO. You have to engage their best thinking while keeping in mind that they don’t manage daily operations – you do. Giving too much or too little control to the board can decrease its value.

By focusing on growing the value of the company, the 20/20 Outlook process provides a constructive framework for discussions at the appropriate level. Another serial CEO, Mike Shultz, describes 20/20 Outlook as “a methodology that is clear and focused on developing the strategies to fulfill Job One for the CEO and in the process, creates a framework for solid communications with the Board of Directors about their most important measurement of success.” Job One, of course, is increasing shareholder value.

The diagram below depicts the continuum of choices a CEO has for achieving value from his/her board of directors:

Board Balance

Two common problematic relationships with boards can develop: micromanagers and cheerleaders . A CEO may allow the board to have too much control and encourage micromanagement. Since board members often have CEO and operational experience, they can be easily tempted to fill any perceived vacuum in leadership that you display as CEO. While reviewing financial and operational performance is valuable and appropriate, constrain the resulting conversation to high level suggestions for improvement rather than drilling into the nuts and bolts of daily operations. (If a particular board member has directly applicable experience, engage that person offline and don’t occupy the entire board’s time.)

On the other hand, a CEO who over-controls the board wastes everyone’s time. Having a board full of cheerleaders that rubber-stamps decisions and flatters the CEO may feel good, but it defeats the purpose of having directors and prevents their having an impact on the value of the business.

Either extreme implies weakness. The CEO who allows the board to micromanage may lack confidence in his/her ability to lead, while the CEO who totally controls the board may incapable of handling constructive criticism. Optimally you want to engage the board in strategic conversations about increasing shareholder value.

Are you having optimal conversations with your board?