February 27, 2022

Questions Boards Should Ask to Guide Cybersecurity Preparedness

"Boards are demanding more oversight of cybersecurity," says EY, a consultancy, in a report on how boards can help the companies they govern be better prepared to prevent cyber attacks. After surveying "411 CEOs, chief information officers (CIOs) and other cybersecurity decision-makers about their companies' use of information security solutions," the report reveals "that simple actions taken now can reap substantial rewards later." The report adds that "[t]hese lessons," which are outlined below, "have emerged from those who have experienced major breaches."
  1. Focus on "zero trust." "Zero trust security is not a single technology, but a holistic approach to security, incorporating different cyber principles across people, process and technology. The basis of the concept is the assumption that there are threat actors within and outside of organizations, so no users or machines should be trusted. All users and devices (both inside and outside of the organization) are authenticated, authorized and continuously validated for security configurations and context before accessing applications and data."
  2. Educate and involve your board now. "Not surprisingly, boards of directors are increasingly interested in preventing data breaches and determining how to prioritize cybersecurity needs. Executives that have experienced a data breach say the experience has taught them to involve many more stakeholders in cybersecurity decisions, including boards. Companies should proactively create a board-level executive dashboard, while simultaneously briefing the board about cybersecurity issues at least once per year."
  3. Reinforce the role of the CISO as a strategic partner to the business. "During the pandemic, every organization had to adapt to a new way of working. However, the speed of change came with a price. Seventy-five percent of companies saw increases in the number of disruptive attacks during the pandemic. In this sense, many companies were forced to adapt to a different cyber risk profile just like an organization has to do after experiencing a breach. CISOs had and still have an opportunity to reinforce their value proposition with the business. With the onset of the pandemic, 55% of cybersecurity leaders believed this gave them an opportunity to position themselves as strategic partners to the business. Dave Burg, EY Americas Cybersecurity Leader, noted that 'I know of many security officers who were viewed as superstars, and we want those superstars to be brought to the front of innovation.'"
  4. Assess usage of managed security service providers. "Keeping up with the latest security technologies and evaluating threats are the most challenging pain points for today's CISOs. Companies that have recently experienced a breach are more likely to outsource cybersecurity responsibilities after the breach. By starting the time-consuming process of reviewing outsourcing options and vendor capabilities prior to a breach, companies can develop the best security architecture and posture."
  5. Spend now, save later. "According to the survey, companies that have recently experienced a breach expect to spend more across all security domains, with vulnerability assessments and access controls expected to see the largest budget increases. To protect themselves from today's sophisticated attacks, companies must bolster their cybersecurity capabilities or outsource them to external vendors. Many executives make decisions to bolster capabilities to not only prevent attacks, but also to mitigate the damage and shorten the recovery time."

The report importantly notes that "In today's environment, corporate boards are increasingly held accountable for cybersecurity and resiliency. Boards may want to focus on the governance of their enterprise-wide cyber programs, while the highly technical CISO focuses on the risk management aspects." Moreover, "To help facilitate productive discussions, EY US has developed the following key questions about effective cybersecurity oversight that boards can refer to during an intrusion."

1. Was the organization affected by this intrusion?
  • If yes, how is the organization mitigating and responding to the vulnerabilities identified?
  • If not, what proactive measures were deployed to prevent a similar intrusion?
2. What is the potential impact of the intrusion?
  • Which areas of the network, including data assets, were compromised?
  • What is the total risk exposure, including financial, regulatory, reputational and operational impacts?
  • Has an independent third party assessed the network to analyze the extent of the impact?
3. How effective was the response plan?
  • What gaps were identified in the investigation, containment, eradication and recovery processes?
  • Does the company have appropriate insurance coverage? Has the insurance provider been engaged?
  • What lessons were learned?
4. Are third-party and supplier ecosystems secure?
  • Have any of the company’s third parties and fourth parties been compromised?
  • Do any of those parties have access to the network?
5. Is the company focused on preventing and responding to future compromises?
  • What is the efficacy of the company’s current cyber risk management efforts? Should the company’s risk appetite be re-evaluated?
  • How does the company become more resilient to future incidents?
  • Where should the next cybersecurity dollars be invested based on the evolving threat landscape?
  • Has the company built cyber diligence into its acquisition and integration plans?

Based on regular discussions I have with cybersecurity professionals about how their role of keeping their organizations' IT systems secure is an arduous, year-round battle with no pause, I appreciate the report's conclusion:
Unlike many corporate functions, cybersecurity departments don't have an off season or a period of reduced activity and demand. For cybersecurity professionals, every day is a race against time and resources, and a balance of competing priorities. Corporate cybersecurity executives are faced with a choice — take simple steps now to lessen the impact of future breaches or continue operating in a reactive mode and responding to daily demands and possibly facing the fallout from inevitable breaches.
As an article in The Economist points out: "Corporate boards need to have a stronger grasp of the threat levels. As one former cyber-spook says, they need not just gender and racial diversity but technological diversity, too, in order to grill the company's techies on cyber-defenses. Furthermore, they need to recognize cyber-war as one of the growing number of geopolitical risks that firms face."

Do you agree with the findings of EY's survey? What questions should boards ask to guide cybersecurity preparedness?

Aaron Rose is a board member, corporate advisor, and co-founder of great companies. He also serves as the editor of GT Perspectives, an online forum focused on turning perspective into opportunity.

February 7, 2022

Report Presents Relevant and Timely Questions Directors Should Ask in This New Era

The coronavirus pandemic has presented a company's board of directors with unforeseen challenges that test long-held principles of governance and leadership. Balancing the mitigation of risks with an eye on corporate growth will be a challenge for directors in this new era. Having taken a philosophical approach to business strategy throughout my professional career, I support the following notion put forward by EY, a multinational professional services firm: "We believe that better questions lead to better answers and a better working world. Likewise, we believe that a board's most effective tool is asking compelling questions. These questions can lead to better governance and organizations that drive value for all stakeholders."

Produced annually by the EY Center for Board Matters, the 2022 report presents a list of relevant and timely questions, segmented by four themes, for a company's board of directors to consider:

Theme 1: Strategy and innovation - Strategy that positions companies to innovate and differentiate for a sustainable future
  1. How is the company rethinking its definition of "long term" to maximize value while also focusing on near-term risks and opportunities? Is the strategy appropriately focused not only on where the company is going, but where it can go?
  2. Are material environmental, social and governance (ESG) issues considered in the company's long-term strategic planning? How do the company's business model, practices, products, and services address urgent environmental and social challenges as we move toward a more inclusive and sustainable future?
  3. What data and metrics are being used to assess the health and vibrancy of the organization's culture and its alignment with strategy? Is the culture appropriate to inspire and enable innovation?
  4. Is the company's capital allocation aligned with the necessities of its long-term strategy? How is the company addressing barriers toward optimal allocation?
  5. Does the board have the appropriate governance process to oversee strategic investments that seed innovation to change the game? How is it supporting the acceleration of idea generation, trialing and assessment while also encouraging appropriate risk-taking?
  6. Has management appropriately considered partnerships, joint ventures and alliances, along with M&A, to accelerate the strategy, particularly with longer-term adjacent and transformational opportunities?
  7. Are newer and innovative technologies, including digital platforms and cryptocurrency solutions, appropriately leveraged to accelerate goals and objectives? How can these technologies accelerate the speed to market and enhance virtual collaboration and customer engagement?
  8. What is the company's transition plan for thriving in a net-zero future? Is that plan integrated with the company strategy? Does it include specific short-, medium- and long-term greenhouse gas reduction targets and related decarbonization initiatives? How is the company preparing for additional climate-related disclosure requirements?
  9. How is the company investing in protecting and restoring the natural ecosystems and biodiversity on which its business relies?
  10. Does the board understand the company's supply chain constraints? Is the board confident that the supply network is flexible and agile amid continued global supply chain challenges? How is it addressing increased calls from stakeholders for sustainability and less waste?

Theme 2: Risk and resiliency - Risk management that enables resiliency amid new and evolving challenges
  1. Do scenario analyses consider an appropriate range of extreme and even improbable scenarios, including existential threats? Do they incorporate the potential compounding effects of various risks, such as supply chain disruption, talent acquisition and retention, inflation, future interest rates and an evolving tax landscape?
  2. Are contingency and response plans related to material and high-impact risks, such as cybersecurity breaches and natural disasters, periodically simulated and reviewed with the board?
  3. How is the company revisiting and adapting its risk management strategy and management's approach to the three lines model in response to potential changes in the external and internal environment, changes in the strategy and risk landscape, and the company's operating model?
  4. Has the board considered how the organization's risk assessment capabilities are evolving, including how analytics, artificial intelligence and other emerging technologies can be used to review and validate data and information to unearth insights into enterprise risks and opportunities?
  5. How has the company's cybersecurity risk management program evolved to address the current environment in which attackers are targeting a larger surface area and using increasingly unpredictable tactics? How are cybersecurity and data privacy considerations proactively integrated into all major strategy or tactical decisions, such as transactions, alliances, new products or services, and technology upgrades?
  6. What types of data is the organization collecting from its customers and other stakeholders to better assess the trust, risks and opportunities related to changing preferences and needs? How is the collection occurring?
  7. How is the company scanning and assessing geopolitical developments, including a rapidly changing trade and regulatory landscape and governments moving to a more interventionist policy position?
  8. What is the company doing to address material social risks across its value chain, including the treatment of employees and suppliers' human rights practices and impacts on customers and the communities in which it operates?
  9. How is the company assessing the impact of physical and transition climate risks on products and services, supply chains and operations that can materially affect operating costs and revenues across the enterprise?
  10. Has the organization's tax planning strategy been reevaluated to address potential tax policy changes, as well as impacts arising from potential shifts in the supply chain and capitalization? Has the organization considered growing stakeholder interest in tax transparency and potential related reputational impacts?
  11. Does the board understand and approve the company's data privacy and data usage policy? How is customer and employee data use managed? Are social surveillance algorithms reviewed for bias? Is data protection considered beyond cybersecurity protection?

Theme 3: Talent oversight - Broader oversight of culture and talent that is prepared for the transforming labor market
  1. As the nature of work and employment further transforms, how will the organization adapt its talent functions to realize its strategy? Does the board spend the same amount of time with the chief human resources officer (CHRO) discussing data and metrics to assess the health and welfare of the workforce as it does with the CFO reviewing and assessing the overall financial health and stability?
  2. To attract and retain talent in a hypercompetitive labor market, how is the organization implementing plans to address calls for better pay and benefits, including flexibility, the opportunity to work from anywhere, programs to enhance well-being, and funding for training and educational advancement?
  3. How have the desired skills and behaviors for the organization's leaders evolved in response to the events of the last two years, and how has the board's succession planning and oversight of talent development changed in response?
  4. Given that more than half of employees say they would leave their job if flexibility in their schedule and work location is not extended after the pandemic, has the organization considered how to make flexibility integral to the company's human capital strategy?
  5. How is the company seizing strategic opportunities to tap into larger talent pools, diversify across numerous dimensions and expand working hours across time zones, while being mindful of work location, regulatory and legislative challenges?
  6. Is the board comfortable with how the organization is nurturing its existing and future talent pools (e.g., reskilling and upskilling, educational alliances) to position the company to meet current requirements, address enterprise risks and prepare for continued strategic pivots?
  7. How is company leadership enabling cross-functional collaboration and seeking input from a broader set of internal constituencies to support an inclusive culture, enhance engagement and spur innovation? How are these efforts measured?
  8. Are there any efforts to identify and address disconnects between how management views the employee experience and the employee's actual experience? Are employee engagement scores, periodic pulse checks, summaries of exit and onboarding interviews, and social media data routinely reviewed?
  9. With continued virtual work, how is the company addressing any impacts on employee engagement, inclusion and career development?
  10. How is the company embedding diversity and inclusion into its workplace policies and human capital management programs throughout all steps in the employee life cycle to enable equitable opportunities, advancement and compensation?

Theme 4: Dynamic governance - Dynamic governance that addresses expanded and changing oversight requirements
  1. How is the board adopting a continual learning mindset and strengthening its education program? Is the program sufficiently tailored to the company's and individual board member's needs, seeking diverse views from inside and outside the company that allow for challenges to status quo thinking?
  2. How can the board's structure be refreshed to be more agile, future-focused and aligned to the risks and opportunities on the road ahead? Is the board considering the use of ad hoc committees made up of directors, management and third parties to address specific strategic issues?
  3. How is the compensation committee evolving its charter to address oversight of broader human capital issues? How does the board hold senior management accountable for progress against related goals via incentive plans and other reward mechanisms? How is the company preparing for ongoing human capital disclosure requirements?
  4. How is the company refreshing its investor engagement strategy to be more efficient and productive? Is it considering new engagement approaches (e.g., more collaborative engagement via working groups or investor days)? Is it leveraging the proxy statement and other disclosures as communication tools?
  5. How is the board thinking like an activist in considering and proactively addressing the company's operating vulnerabilities? How is the board obtaining an unfiltered view of shareholder feedback on the company's strategy and pace of performance? Do select individual board members have direct dialogue with shareholders to understand their priorities?
  6. Are information flows to the board being appropriately challenged to include more forward-looking and predictive insights, coverage of emerging risks, external perspectives, and corroborating data from third parties to keep pace with the evolving market, economic and geopolitical developments? Is a consent agenda used to maximize board discussion of strategic initiatives?
  7. How is the board expanding its director search to maximize diversity and broaden board competencies in critical areas such as technology, human capital management, cybersecurity, and sustainability, and how are those individuals onboarded to set them up for success?
  8. With increased board diversity, what changes to its protocols are being made to leverage diversity of thought, improve decision-making and create an inclusive boardroom?
  9. Is the board prepared for increased accountability as ESG matters become a multi-stakeholder priority and investors increasingly embrace proxy votes against directors as their most effective tool to accelerate progress on ESG matters?
  10. With growing scrutiny of sustainability reporting and stakeholder concerns around greenwashing, how is the board — particularly the audit committee — overseeing nonfinancial disclosures made in regulatory filings, sustainability reports, analyst calls and other mediums? Are internal or external assurance procedures applied to material assertions and data?
  11. Is the company progressively reporting on human, customer and societal value to attract capital and meet the increasing demand of stakeholders for consistent and comparable ESG and other nonfinancial-related data that aligns with evolving external frameworks?
  12. What is the board's policy for timely review of corporate political and lobbying expenditures and any public political positions taken by senior executives? How is the board assessing the alignment of those expenditures and positions with the company's values, commitments and strategy?
  13. Could the board create more effective meeting agendas and protocols (e.g., consent agendas) to increase director engagement on priority matters? Can virtual sessions augment and enhance traditional in-person meetings?

The report insightfully notes that companies will "continue to refresh their strategy to strengthen agility, resiliency and sustainability and leverage innovative opportunities that can accelerate their performance over the long term." Importantly, "Trajectories of companies that are thriving and leaning into this strategic reset are diverging rapidly from those that are merely surviving."

Moreover, "Boards have both the opportunity and the responsibility to help guide companies in this new era. They can support their companies in incorporating human and natural capital as part of business decisions and strategy, and harness risks as opportunities for innovation and a competitive advantage." I concur that this cannot "be achieved through a historical governance model. Boards should continue their own transformation to a new agile and dynamic form of governance and continuously challenge their composition, committee structure, agendas, and ways of working to position their organizations to thrive in the long term."

I appreciate how EY's report provides directors with insights and questions to consider as they engage with management on a variety of complex boardroom issues. What questions do you think directors should be asking to help companies in this new era?

February 4, 2022

Report Presents Policy Recommendations to Better Support Women-Owned Businesses in the US

"As of 2017, there are 11,684,549 women-owned businesses in the United States accounting for 37.6% of all businesses," according to a report published by the National Women's Business Council (NWBC). "Revenue for all women-owned businesses in 2017 was $1,776.4 billion. The U.S. Census Bureau (Census Bureau) defines majority women-owned businesses as having more than 50% of the stock or equity in the business."

The NWBC, a non-partisan federal advisory committee created to serve as an independent source of advice and policy recommendations to the President, Congress, and the U.S. Small Business Administration (SBA) on economic issues of importance to women business owners, says approximately 38% of all businesses in the U.S. are women-owned and 80% of women business owners are over the age of 35. While there are over nine million women-owned businesses in urban areas, accounting for 77% of all women-owned businesses and 38% of all urban businesses, there are 1.6 million women-owned businesses in rural areas, accounting for 13% of all women-owned businesses and 35% of all rural businesses.

The report also presents policy recommendations across several segments, starting with improving access to capital and opportunity: spotlighting successful venture funds investing in diverse women-founded enterprises, building back a better pipeline of women entrepreneurs, reassessing and strengthening SBA's microloan program to better serve women entrepreneurs in emerging markets, and narrowing the wealth gap for women entrepreneurs by ensuring parity for the SBA's women-owned small business (WOSB) and economically disadvantaged women-owned small business (EDWOSB) federal contracting programs.

With respect to rural women's entrepreneurship, the NWBC provides policy recommendations on promoting succession planning among rural women entrepreneurs, providing relief for women inheriting rural family businesses and farms, evaluating gaps in data for rural women business owners and farm operators, addressing family and child care concerns as barriers to women entrepreneurship, and advancing diversity, equity and inclusion to support rural minority women business owners.

On the topic of women in science, technology, engineering, and mathematics (STEM), the report outlines policy recommendations for advancing gender equity in STEM business and innovation and promoting commercialization of new technologies, increasing STEM business mentorship and education opportunities, supporting STEM accelerator programs partnering with minority serving institutions (MSIs) and historically black colleges or universities (HBCUs), and improving demographic data collection on minority women inventor patentees.

Having served as an advisor to women-owned enterprises, I have witnessed the exorbitantly long time it takes for the SBA to review applications for a WOSB/EDWOSB certification. Therefore, I support the recommendation that the "SBA should improve the turnaround time for obtaining a WOSB/EDWOSB certification, and both Congress and SBA should work to ensure parity of the program by leveraging the same or greater contracting expectations, authority and penalties as other certification and contracting programs."

Moreover, the NWBC recommends that SBA's Ascent platform highlight and include relevant, existing federal resources uniquely tailored for women STEM entrepreneurs including links to existing Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) program online tutorials, U.S. Patent and Trademark Office (USPTO) video trainings, and other relevant federal resources customized for women innovators. (More information about SBA's Ascent program may be found in a post entitled "SBA Launches Its 'Ascent for Women' Online Platform Geared to Help Women Entrepreneurs Grow and Expand Their Businesses.")

Do you agree with NWBC's policy recommendations to better support women-owned businesses in the United States?