Top 2015 Board Issue: Cybersecurity Governance

Of top director issues for 2015, cyber security is the No. 2 concern behind strategic planning.

— Kerry Berchem, Head of Corporate Governance practice, Akin Gump Strauss Hauer & Feld, based upon an extensive survey of corporate directors

If you’ve been paying any attention at all to business headlines, you’re aware of how critical a concern cybersecurity breaches have become. Home Depot, Adobe, eBay, JP Morgan Chase, Target, Sony, and a host of lower-profile organizations have suffered expensive losses during the past several years. If the threat of such losses weren’t putting enough pressure on businesses, recent comments by SEC Commissioner Luis Aguilar have set board rooms abuzz, e.g.:

Board members cannot expect to avoid personal responsibility for [cybersecurity] losses that might have been prevented by the application of “reasonable business judgment.”

  — Luis Aguilar, SEC Commissioner, September 2014

Translation: for losses incurred due to cybersecurity breaches, corporate directors are no longer safe behind the “corporate veil” protecting their personal assets from shareholder lawsuits. Boards that can’t demonstrate that they’ve exercised considerable oversight (“reasonable business judgment”) to ensure that their companies are taking appropriate measures to protect their information from hackers are now exposed.

Does this mean directors must become internet security experts? Of course not, but they should become conversant enough to understand what their companies are doing to minimize the danger and impact of a breach. One place to start is a framework developed a couple of years ago by NIST (“Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, February 12, 2012).

The framework comprises three major components:

  1. the Framework Core identifies “the key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk,”
  2. the Framework Implementation Tiers provide “context on how an organization views cybersecurity risk and the processes in place to manage that risk,” and
  3. the Framework Profile aligns the other elements with “the business requirements, risk tolerance, and resources of the organization.”

The Tiers illustrate how a company can grow its ability to deal with breaches by assessing its current state and upgrading its infrastructure and processes where appropriate in the context of the specific business. I’ve summarized the Tiers in the table below.


Companies can evaluate themselves in three key areas: (1) the risk management processes currently in place, (2) how integrated those processes are across the organization, and (3) the extent to which the company shares information and collaborates with its business partners and other external organizations. While NIST suggests using the framework to create a unique plan for improvement rather than employ it as a maturity model, it nonetheless offers a good way to assess a company’s readiness to deal with breaches.

The vertical scale outlines increasingly sophisticated stages of cybersecurity implementations, from Partial through Risk Informed and Repeatable to Adaptive. Examining each column reveals the relative strength within each of the three areas (Risk Management Process, Integrated Risk Management, External Participation). Viewing the company through the lens of these tiers empowers a board member to ask the right questions as they add “cybersecurity governance” to their responsibilities as a director.

CEOs, Company Culture, and Performance

How often do you get to sit in on a conversation with a room full of CEOs? That’s exactly what I did recently when I moderated a CEO Roundtable for TexasCEO and Somerset Consulting Group at the Hotel ZaZa in Dallas (great venue).

We brought together seven executives who run significant businesses in varied industries: communications, commercial construction, manufacturing, chemicals, health and fitness, franchising, and financial services. Each is a recognized leader in their respective industry, and each contributed a unique perspective on the topic of the day: how does company culture affect employee performance?

Everyone naturally agreed that an organization’s culture is a key determinant of its performance. It’s also clear that a CEO’s actions and performance are major factors in creating and preserving that culture. So, what is it that determines who is a CEO?

Having accumulated a number of accomplished CEO friends over the years, I’ve concluded it’s not something that can be taught – CEOs are a breed unto themselves. You can gain more knowledge by taking B school classes and by reading about others’ experiences in being a CEO (shameless self-promotion), but the basic attributes that drive a classic CEO start showing up early in life:

  • the need to succeed in a unique way,
  • the willingness to do whatever it takes,
  • a desire to have a hand in deciding what’s going on around them,
  • and the courage to take responsibility for failure.

The reality of being a CEO is that it requires a level of focus, dedication, and sacrifice that most people aren’t equipped to make. If you disagree, please state your case!

[For more, check out the article about the Dallas CEO Roundtable in the May/June issue of TexasCEO magazine.]

Surprise: Clients Tell It Best

It’s been a while since the last post was published. Client deliverables, non-profit activities, and family priorities, as well as continual business development, have made it a hectic time.

The 20/20 elevator pitch is that “it is a process that helps a company get ready and stay ready for an exit,” but it’s more than that. While helping shoot some videos during that non-profit work, we were close to Infoglide’s offices, so I asked CEO Mike Shultz to stand in front of the camera and share his thoughts on his use of the 20/20 process.

Mike has started and sold several companies, which enables him to speak with authority in this 2:47 of unedited footage. With just one take, Mike captures the essence of the process better than any marketing firm I could have hired. Enjoy.

The Reality of Being a CEO

Tactics is knowing what to do when there is something to do.
Strategy is knowing what to do when there is nothing to do.
– Savielly Tartakower

The reality of being a CEO differs in many ways from the popular conception. After many candid conversations with CEOs, it’s clear that the media portrayal of the CEO role as being glamorous, highly lucrative, and psychologically rewarding is incomplete at best. All of the above are true at least some of the time for many CEOs, yet when they’re being candid, most will tell you that it’s far from being chocolates and roses all the time.

In fact, one business leader laughingly told me that people don’t realize how often a CEO gets to “experience sheer terror.” Many things can go wrong that adversely affect the business and ultimately impact CEO priority number one, i.e. increasing shareholder value. What moves are competitors making that we can’t respond well to? What drivers in the economy threaten customers’ willingness and ability to buy? Is our own inability to execute holding us back? Do we have a realistic vision for growing the company?

An earlier post about “The CEO Dilemma” discussed these and other challenges. Many CEOs live life on a high wire, balancing operational issues, cost and cash management, a realistic vision for growth, productive business partnerships, market presence, go-to-market and sales strategies, and many other priorities. Contrary to the supremely confident leader portrayed on-screen, a CEO is not always sure what to do.

Should we pity the poor, downtrodden CEO? Hardly! Most tell me they can’t conceive of having any different role. They love what they do and feel fortunate that they have the opportunity. At the same time, life at the top can be lonely. The buck always stops there. As the CEO, you ultimately have to make the big decisions. And sometimes it pays to get assistance.

Where do CEOs look for help? If they’re lucky, experienced individuals on their board of directors are able and willing to serve as sounding boards, yet the fiduciary nature of their relationship may limit those discussions. Alternatively, the CEO may have one or more friends who are or have been chief executives whom they can trust for advice.

Often CEOs are more isolated than they need to be. Organizations like Vistage, CEO Netweavers, and others have evolved to meet the needs of CEOs over the years. They comprise CEOs who are willing to give time to help other CEOs with advice in a trusted environment, often facilitated by experienced serial CEOs. And, of course, there are independent trusted advisers who work individually with CEOs as well as with groups of CEOs to share expertise and experience that can help companies reach new levels of performance.

Optimal Board Conversations

Based on feedback from experienced CEOs, getting the optimal value from boards of directors is a common challenge. Of course, it starts with picking solid board members. As serial CEO Bill Bock said recently, “Building a strong board is every bit as important as building a strong management team.” He recommends at a minimum that you include at least one very strong financial mind and at least one “crusty operational type” on your board to provide balanced guidance to the management team. “The ideal director sees a bigger world than the CEO.”

Assuming that you already have the right people, deriving value from them is up to you, the CEO. You have to engage their best thinking while keeping in mind that they don’t manage daily operations – you do. Giving too much or too little control to the board can decrease its value.

By focusing on growing the value of the company, the 20/20 Outlook process provides a constructive framework for discussions at the appropriate level. Another serial CEO, Mike Shultz, describes 20/20 Outlook as “a methodology that is clear and focused on developing the strategies to fulfill Job One for the CEO and in the process, creates a framework for solid communications with the Board of Directors about their most important measurement of success.” Job One, of course, is increasing shareholder value.

The diagram below depicts the continuum of choices a CEO has for achieving value from his/her board of directors:

Board Balance

Two common problematic relationships with boards can develop: micromanagers and cheerleaders. A CEO may allow the board to have too much control and encourage micromanagement. Since board members often have CEO and operational experience, they can be easily tempted to fill any perceived vacuum in leadership that you display as CEO. While reviewing financial and operational performance is valuable and appropriate, constrain the resulting conversation to high-level suggestions for improvement rather than drilling into the nuts and bolts of daily operations. (If a particular board member has directly applicable experience, engage that person offline and don’t occupy the entire board’s time.)

On the other hand, a CEO who over-controls the board wastes everyone’s time. Having a board full of cheerleaders that rubber-stamps decisions and flatters the CEO may feel good, but it defeats the purpose of having directors and prevents their having an impact on the value of the business.

Either extreme implies weakness. The CEO who allows the board to micromanage may lack confidence in his/her ability to lead, while the CEO who totally controls the board may be incapable of handling constructive criticism. Optimally you want to engage the board in strategic conversations about increasing shareholder value.

Are you having optimal conversations with your board?