By Stuart R. Levine
Published in Forbes
Last week I moderated an NACD Boardroom Excellence webinar in partnership with Broadridge Financial Solutions that focused on the issue of cybersecurity. Approximately 200 directors representing various corporations participated. The data shared was unnerving and troubling in its scope and implications.
The cybersecurity statistics are jarring. In an April 2016 study by Tanium, in partnership with NASDAQ, more than 91% of highly vulnerable board members said they can’t read a cybersecurity report and are not prepared to handle a major attack. The worst part of the survey results is that 40% said they feel no responsibility for the consequences of being hacked. Leaders of an organization, including CEOs, CIOs, board members and executives, are still struggling to define responsibility for customer data. They have transferred this burden to the CISO (Chief Information Security Officer) and the IT department. This trend is problematic.
When board members were asked about the amount of knowledge they had on cybersecurity, less than 20% reported a high level, 65% some, and 15% little knowledge. During the webinar, over 50% were dissatisfied with the quality of information provided to the board by management pertaining to cybersecurity and IT risk. This number is in line with the NACD’s Public Company Governance Survey, which indicates a significant communication gap between boards and executives. In that survey as well, nearly a third of directors are dissatisfied with the quality of information provided to the board about cybersecurity and IT risk, and 43% said that they do not receive enough information at all.
It is clear that there is a need for significantly greater knowledge around this threat, which is costing the U.S. $5 trillion each year, or approximately one-third of our country’s GDP annually. Ninety to 95% of all hacking begins with a phishing email. Secure information is no longer safe, and hackers have a way of getting to it by providing money and desired goods and services to people with access. Companies like Nortel and American Superconductor have gone bankrupt through unprotected code that led to “corporate homicide.”
Gone are the days when cybersecurity was considered just an IT issue. Now it requires a multi-disciplinary approach to preparedness, oversight and execution. First, for board members, cybersecurity preparedness is an enterprise risk management priority involving both management and the board. Second, reporting by management and communication to the board are essential to effective cybersecurity oversight. We can all agree on the gravity of this situation. It’s critical for directors to focus on what they can do to improve communication about these issues. Management must focus on how they can set the standards for a culture that increases vigilance and distributes responsibility and accountability across the organization’s leadership structures.
Cybersecurity protection is a human capital issue. Ninety percent of all breaches are through human error, not a lack of technology protection. Culture plays a huge role in setting the standards for behaviors throughout an organization, starting with the CEO and C-suite on down. Training is needed. CIOs are often the problem, as they will not admit weaknesses in the system for fear of being fired.
I am reminded of an experience we had years ago working for a global telecom corporation. This organization determined that they could accelerate their product development by building a technology platform in the nation of India. The idea was that once the products were developed, they could then, when the sun set in India, be transferred to other work platforms in the United States, implying a 24-hour work cycle.
Our actions were counter-intuitive. Prior to onboarding 5,000 new employees, we led the development of leadership characteristics required for all new hires. The criteria were not only the predictable technology capacities but, more importantly, the values that these potential new employees embraced. This was critical because, in a highly regulated environment, having access to sensitive individual and business data was the beginning of the journey for that platform. What strikes me about conversations regarding cyber is the role that individuals and employees play in protecting IP and the assets they represent.
Before we all get consumed with the data points that define economic destruction, let’s begin the conversation by ensuring that people understand and share our values in order to protect shareholder value, jobs and the customers we serve.