Bridging the digitization & cybersecurity divide
INSIGHT ARTICLE
In pursuing the opportunities technological advances bring, boards must also navigate new vulnerabilities.
Across industries, how well companies fare over the next decade will depend largely on their ability to embrace transformative technology. Advances in areas like artificial intelligence, machine learning and cloud migration are driving the evolution of virtually every business model, as companies scramble to leverage the myriad capabilities they offer.
But the rewards of winning the digitization race—improvements in speed to market, customer experience and operating efficiencies—come with a caveat, noted Nazif Sharique, partner, technology and risk consulting at RSM US. “This uptick in the emergence of digital transformation can really elevate your risk profile in terms of cyber threats,” Sharique told directors gathered for a recent Corporate Board Member roundtable discussion hosted in partnership with RSM. “As your company becomes more technology based, there’s a need to calibrate heightened vulnerability into your digital landscape.”
For boards, the idea of assessing and addressing cybersecurity risks associated with technology during the transformation process represents a formidable challenge, agreed several directors participating in the discussion. “On the boards I serve on, the two areas are siloed,” said Cynthia Hostetler, a director at Vulcan Materials and Resideo Technology. “We talk about cyber when we talk about security, which includes physical security, not when we talk about AI.”
While the audit committee traditionally owns oversight of cyber-related risks, more and more boards are rethinking where digital transformation and IT-related risks fit into their committee charters. Amneal Pharmaceuticals, for example, created a new technology and risk committee charged with navigating oversight of the area. “The audit committee was covering such a broad definition of risk that the agenda was getting far too long,” explained Emily Peterson Alva, a director at Amneal. “So, in the past year, we created a committee that oversees what we think about as forward-looking and strategic risks, which include things like regulatory, security and other technology-related risks.”
Other directors, however, see a danger in relegating a strategic imperative like digital transformation to any one committee. At Regional Management, a risk management committee focuses on the company’s 10 most pressing risks, one of which is cybersecurity, while the full board engages on the company’s broader digital transformation imperative.
“We’re trying to help management define the company we want to be five years from now,” explained Carlos Palomares, a director at the company. “What do we want to be in terms of customer experience? How does digital help us achieve that transformation? How does digital help us compete with some of the new entrants into the field and create something sustainable?”
“Transformation is really something that should be discussed by the full board at every meeting,” agreed John Levy, a director at Washington Prime Group. “Even calling it digital transformation kind of characterizes it as something geeky, segregated into a corner. But transformation goes beyond digital integration; it’s about changing the nature of the business. These are huge massive changes, and if we don’t start seeing and treating them that way now, it will be too late.”
The board can help keep the big picture in focus by pressing management on transformation goals, added Ye Jane Li, a director at Knowles, who says her board holds “strategy days” committed to talking about long-term planning. “If we just do what ISS says, just focusing on quarter to quarter, we’ll do fine on paper, but we’re missing the point,” she said. “Every company is a technology company today. So, the challenge is making sure the company is still on top five years down the road. What’s the landscape? Why does the management team think we’ll be the winner in three to five years? And how do they get there?”
The people factor
Risks related to digitization extend beyond cybersecurity, noted Levy, who pointed out that many companies may find their transformation efforts thwarted by a dearth of technical talent. “Getting qualified, talented people is going to be a real problem for companies as we move further along. Will we be able to recruit or train to fill that need, or are we going to have a bottleneck where we all want to do something but there aren’t enough qualified people to help us do it?”
Companies that also face a lack of technical acumen in the boardroom should consider taking steps to help directors get and stay conversant with technological developments. Rather than rush out to recruit directors with a tech background, outside experts can help bridge technical gaps, said Jim Hunt, director at Brown & Brown.
“I’m not in favor of picking singularly focused board members,” he said. “Every one of us is probably getting asked about ESG experts on our board right now, but where does that stop? Board members need to look at things broadly. In an oversight capacity you have to think about the company, to be reading every day and not be afraid to ask penetrating questions. And, if you feel that you’re out of your depth, you go buy some expertise as a board.”
Doug Curling, a director at CoreLogic and Progressive, is comfortable with that approach. “With the companies I work with, it’s par for the course to have a presentation by an outside cyber expert, so we’re not solely relying on ourselves, not solely relying on management, on our customers or on our outside accountants,” he noted. “We’re bringing in specialists who come and talk to all of us about their assessment of how we’re doing and what we should be doing versus where we are today. We also track very carefully the security investment and the cyber investment because it’s an increasing percent of our operating dollars.”
Regular engagements with members of the IT team are also key. “You have to bring not only the CTO and the head of IT but also the people under them to make presentations on a regular basis to the board and the committees,” advised Levy, who also recommends informal engagements with technical talent. “Invite them to lunch or a board dinner because those less structured interactions are where you really get a sense of people and what they’re doing.”
Vetting the cyber spend
Deciding how much to spend on cybersecurity and how to deploy it is another area where boards, which well know that no amount of cybersecurity can entirely eliminate risk of a breach, may opt to seek input. Several directors reported relying on benchmarking their investment against industry peers. “It’s difficult because the amount of money spent does not always equal the quality of the results when it comes to cybersecurity,” said Li. “So, if we spend way more or way less than our peers, we want to hear why. Benchmarks are very important to us.”
Alan Howard, a director at Movado Group, advocated devoting a significant amount of cybersecurity resources to workforce education. “The real risk is people clicking on an attachment or risks related to the new remote working environment,” he said. “So, we look to make sure that people way down in the organization know that a small footfall could cause a large problem at the corporate level.”
For Palomares, emphasis has shifted from prevention to recovery. “We now accept the fact that we’re going to be infiltrated, no matter how much we do. So, we’re spending an increasing amount of time on how we will respond after we’re penetrated. Making sure we know what we need to deploy is now part of the tabletop exercises that the boards I’m associated with require from management.”
Bringing in an outside company for an objective evaluation can help boards vet a cybersecurity program for gaps. “Someone who knows the space well can poke holes, challenge assessments, help you get a holistic perspective and, at the end of the day, to form a comprehensive response plan,” notes Zachary Carroll, partner, central financial services leader and practice leader at RSM US. “Because when you wake up and see that email or get that early morning phone call, you want to know exactly what the next 24 to 48 hours looks like.”
If companies learned anything from coping with the pandemic, it was that preparation pays off. Efforts to build resiliency, the ability to adapt and thrive through setbacks, positioned companies to overcome an event no one foresaw last year, noted Levy. “The biggest takeaway from all the events of the past year is that we can do all the risk assessment we want, but no matter how careful we are, the world is going to change and we have to be agile enough to change with it.”
As seen in Corporate Board Member Q4 2020.