Top 2015 Board Issue: Cybersecurity Governance

Of top director issues for 2015, cyber security is the No. 2 concern behind strategic planning.

— Kerry Berchem, Head of Corporate Governance practice, Akin Gump Strauss Hauer & Feld, based upon an extensive survey of corporate directors

If you’ve been paying any attention at all to business headlines, you’re aware of how critical a concern cybersecurity breaches have become. Home Depot, Adobe, eBay, JP Morgan Chase, Target, Sony, and a host of lower-profile organizations have suffered expensive losses during the past several years. If the threat of such losses weren’t putting enough pressure on businesses, recent comments by SEC Commissioner Luis Aguilar have set board rooms abuzz, e.g.:

Board members cannot expect to avoid personal responsibility for [cybersecurity] losses that might have been prevented by the application of “reasonable business judgment.”

  — Luis Aguilar, SEC Commissioner, September 2014

Translation: for losses incurred due to cybersecurity breaches, corporate directors are no longer safe behind the “corporate veil” protecting their personal assets from shareholder lawsuits. Boards who can’t demonstrate that they’ve exercised considerable oversight (“reasonable business judgment”) to ensure that their companies are taking appropriate measures to protect their information from hackers are now exposed.

Does this mean directors must become internet security experts? Of course not, but they should become conversant enough to understand what their companies are doing to minimize the danger and impact of a breach. One place to start is a framework developed a couple of years ago by NIST (“Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, February 12, 2012).

The framework comprises three major components:

  1. the Framework Core identifies “the key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk,”
  2. the Framework Implementation Tiers provide “context on how an organization views cybersecurity risk and the processes in place to manage that risk,” and
  3. the Framework Profile aligns the other elements with “the business requirements, risk tolerance, and resources of the organization.”

The Tiers illustrate how a company can grow its ability to deal with breaches by assessing its current state and upgrading its infrastructure and processes where appropriate in the context of the specific business. I’ve summarized the Tiers in the table below.


Companies can evaluate themselves in three key areas: (1) the risk management processes currently in place, (2) how integrated those processes are across the organization, and (3) the extent to which the company shares information and collaborates with its business partners and other external organizations. While NIST suggests using the framework to create a unique plan for improvement rather than employ it as a maturity model, it nonetheless offers a good way to assess a company’s readiness to deal with breaches.

The vertical scale outlines increasingly sophisticated stages of cybersecurity implementations, from Partial through Risk Informed and Repeatable to Adaptive. Examining each column reveals the relative strength within each of the three areas (Risk Management Process, Integrated Risk Management, External Participation). Viewing the company through the lens of these tiers empowers a board member to ask the right questions as they add “cybersecurity governance” to their responsibilities as a director.

Register Early for RISE Week Austin!

Registration is now open for RISE Week Austin to be held May 13-17. Named a “Must-Attend 2013 Conferences for Entrepreneurs” by John Hall at Forbes, the event “offers a variety of events, including fast pitch competitions, funding forums, and talks from well-known keynote speakers.”

In a session called “Self-Fueling Partnerships” on Friday, May 17, we’ll discuss how to grow revenue and profits by leveraging the marketing clout, technology, and customer base of larger companies.

To ensure quality interactions, only 25 people can attend each session, and savvy attendees sign up early.

See you there!

Optimal Board Conversations

Based on feedback from experienced CEOs, getting the optimal value from boards of directors is a common challenge. Of course, it starts with picking solid board members. As serial CEO Bill Bock said recently, “Building a strong board is every bit as important as building a strong management team.” He recommends at a minimum that you include at least one very strong financial mind and at least one “crusty operational type” on your board to provide balanced guidance to the management team. “The ideal director sees a bigger world than the CEO.”

Assuming that you already have the right people, deriving value from them is up to you, the CEO. You have to engage their best thinking while keeping in mind that they don’t manage daily operations – you do. Giving too much or too little control to the board can decrease its value.

By focusing on growing the value of the company, the 20/20 Outlook process provides a constructive framework for discussions at the appropriate level. Another serial CEO, Mike Shultz, describes 20/20 Outlook as “a methodology that is clear and focused on developing the strategies to fulfill Job One for the CEO and in the process, creates a framework for solid communications with the Board of Directors about their most important measurement of success.” Job One, of course, is increasing shareholder value.

The diagram below depicts the continuum of choices a CEO has for achieving value from his/her board of directors:

Board Balance

Two common problematic relationships with boards can develop: micromanagers and cheerleaders. A CEO may allow the board to have too much control and encourage micromanagement. Since board members often have CEO and operational experience, they can be easily tempted to fill any perceived vacuum in leadership that you display as CEO. While reviewing financial and operational performance is valuable and appropriate, constrain the resulting conversation to high-level suggestions for improvement rather than drilling into the nuts and bolts of daily operations. (If a particular board member has directly applicable experience, engage that person offline and don’t occupy the entire board’s time.)

On the other hand, a CEO who over-controls the board wastes everyone’s time. Having a board full of cheerleaders that rubber-stamps decisions and flatters the CEO may feel good, but it defeats the purpose of having directors and prevents their having an impact on the value of the business.

Either extreme implies weakness. The CEO who allows the board to micromanage may lack confidence in his/her ability to lead, while the CEO who totally controls the board may be incapable of handling constructive criticism. Optimally, you want to engage the board in strategic conversations about increasing shareholder value.

Are you having optimal conversations with your board?