I was recently at a networking event for corporate directors, and a question was posed to a panel and the audience: “Does a board need to have members with technology and cyber security experience to effectively manage risk for their company?”. I was quite surprised to hear several board members state that “No, they would look for more well-rounded members.” Now, this implies that people with technology and cyber security are, by default, not well rounded, which is a bit insulting. Forgetting for a moment the insult, I still found this statement to be amazing. Two of the biggest risks facing companies these days are technology disruption and cyber security. Hubris may therefore be keeping boards from addressing these risks most effectively by ensuring board members have real-life experience with managing technology disruption and cyber security risk.
Strangely, I have watched boards over the years strategically add board members specifically to bring specialized expertise to better manage risks such as Mergers & Acquisitions, Industry specific Legal or Regulatory items, Investor Relations, planning to go Public/Private, Global or Country/Region specific items, and many more. In every case, of course, the board found someone well-rounded who could contribute to the broad board agenda, but they also ensured the new board member had extensive experience in the area of risk management that the board and company strategicaly needed. Today’s new risks are no different, and for most boards, they absolutely need to strategically add members with well-rounded business experience to the board that also has extensive experience either managing technology/digital disruption or cyber security risk.
Now, I will admit that I am biased when it comes to technology disruption and cyber security risk management and expertise. As a former CIO for a Fortune 500 company, and a CIO for a Fortune 1000 company, I was responsible for making numerous presentations on both technology disruption and cyber security to our public company board of directors. Sadly, it was obvious that my audience just didn’t have the technical background, the expertise, and the relevant knowledge to adequately assess and question what was being presented to them. There were individuals who spent time reading up on topics like cyber security, and therefore they asked good questions, but, sadly, they were unable to adequately challenge my answers because their knowledge was thin, not deep. I also found it amazing that many board members were not intimately aware of what was happening in the broader industry with competitors and upstart companies. I certainly didn’t expect them to be intimately knowledgeable, but I expected them to at least have knowledge of the industry trends being driven by technology disruption, given how big a risk this is to companies in modern times. Because of these gaps, board members didn’t ask for risk assessments that included such topics as “How are you sure all your public facing servers are patched worldwide, and would an IP scan of all owned and hosted IP domains confirm this surety?”, or “There is a new competitor XYZ that has a ‘not quite as good’ new product that competes with our biggest revenue product, but at a lower price, and with new technology that is cloud based versus our on-premise software. This new technology could be incorporated into a lower cost, less feature-rich, version of our product, that could attract customers that don’t currently purchase our more expensive on-premise product. Is this being considered as both a growth strategy and as a way to hedge against this new cloud competitor solution?”
Now, I realize both these quotes are self-serving, since they are based on easy-to-interpret risks that have been missed by many companies and reported endlessly in the press. However, the fact still stands, it would require a technology background to both (1) think to ask these questions in the manner stated, and (b) to have the knowledge to assess the answer and review or audit what data was provided as an answer.
Ultimately, as always, it all boils down to how effective the board is at managing risk. If the company is in an industry facing technology disruption, or if the company processes any PII, PCI, HIPAA, or other sensitive information, is the board managing risk effectively if they do not have people on the board who can adequately assess whether company management is responding to the technology disruption and cyber risk challenges? My answer is no, and I think only hubris prevents boards from logically accepting this reality.