Inside The Boardroom: CEO Succession, Cybersecurity, And More

In this edition of Inside the Boardroom, Betsy Atkins answers readers' questions about CEO succession, cybersecurity and more.

Negotiating difficult boardroom situations is something veteran director Betsy Atkins knows a thing or two about, and she’s got plenty of battle scars to prove it. In 2003, for example, during a brief stint as a director of HealthSouth, she chaired a special litigation committee to investigate massive accounting fraud charges levied against the company. More recently, as a director at Wix, Atkins and the board had to make a painful, but ultimately correct, decision to pay a ransom after a serious DDoS cyberattack locked up the company’s servers.

In light of her broad governance experience serving on the boards of more than 20 public companies, Atkins often receives inquiries from fellow directors asking for advice—something we thought was worth sharing with our readers. Therefore, in the spirit of “Dear Abby,” we’re inviting you to submit questions to “Ask Betsy” about your toughest boardroom dilemmas. Chances are, she’s been in the same trenches as you and has sage advice to share.

Dear Betsy,
Our CEO for the last 12 years is a member of the founding family that started our company 32 years ago. It’s become obvious to the board that he is an impediment to the growth we feel is necessary to move forward, and we have spoken in executive session about how to plan for his leadership transition. Unfortunately, the CEO has made it clear he does not wish to discuss his own succession plan. What can we do?

CEO succession is consistently the most sensitive subject, and a significant majority of CEOs are very resistant to addressing the succession topic. The key duty of care and duty of loyalty obligation of all public directors is to ensure leadership continuity. Doing so implies an obligation to ensure the right leader is in place for the company’s future.

An effective way to address succession is to first reach consensus and alignment in an executive session led by the nonexec chair or lead director on what the ideal profile is for the future leader, identifying the skills, experiences, attributes, and characteristics needed for the coming five years. By creating a nonemotional profile, the directors will reach a common view. It is critical to have the board aligned and totally supportive to successfully drive change.

The next step is to put succession on the agenda as a consistent topic for the coming four board meetings. Expect the first meeting to be the most awkward, with some degree of bad behavior by the current CEO. Expect the second meeting to be only slightly less awkward, with more bad behavior and some of the directors beginning to equivocate, since it’s likely the CEO will back-channel to allies on the board. Stay the course. By the third meeting, things should start to cohere a bit, and by the fourth meeting, there should be acceptance and alignment that a change is needed.

The third step is to create a formal search committee, typically made up of two or three committee chairs, plus the lead independent or nonexec chair. And the final step is to engage an outside executive search firm to conduct a review of the current CEO and internal successors, as well as the external marketplace. –B

Dear Betsy,
Our board struggles with what our role ought to be with regard to the corporate strategy, though we’ve always heard “fingers out, noses in.” In your experience, how much involvement should a board have in setting strategy?

This is a very tricky and important question. At a high level, the board reviews and approves the strategy. A best practice is an annual, multiday board meeting devoted to strategy, where board members may contribute input. The critical delineation is that management owns, operates, and implements the strategy. The board is not an operating group; the board is an oversight group operating on behalf of the shareholders to make sure the strategy is robust for both the short and, importantly, longer term.

Balancing the pressures of short-term quarterly performance against the need to be competitive and strong for the long-term where capital investments are required is one of the key discussion items to address annually. Often, part of a quarterly board meeting relates back to the annual strategy execution with presentations on competitive market dynamics, along with any potential acquisition that supports the strategic goals. A clear strategy with a well-understood framework will allow the board to understand the company’s goals and measure the success of the strategy. –B

Dear Betsy,
How important is it for board members to visit the company and observe its operations and managers? We’ve debated whether or not to institute this on a regular basis.

Board members need access to the senior leadership team. One of the most important insights is to understand the morale of the company and whether senior leaders are encouraged to contribute, question, and challenge, or whether it is a command-and-control environment. Directors cannot get this insight unless they have access, and a CEO that discourages access presents a big red flag.

Visiting operations is extremely valuable; it is motivating for the company’s leadership team to see the directors’ interest. It is also highly valuable for the directors to get a deeper understanding of the company’s business and competitive dynamics through these interactions.

An evolving best practice is for directors to visit the company’s operations annually. Additionally, new director “onboarding” often includes one-on-one time with the senior leaders and exposure onsite to the operations. –B

Dear Betsy,
I am the audit committee chairman on the board of an $800 million health care company, and cybersecurity is a huge concern. What do you recommend as a best practice for overseeing the cyber risk arena? Right now we are trying to get a handle on oversight within our full board meetings, but would you recommend setting up a special committee for that purpose?

Cyber risk is certainly a huge priority for companies in the health care arena. There is special liability around protecting patient identity as well as the high-value intellectual property associated with new drug development. Creating a separate committee for cyber would typically not be necessary. Normally, cyber oversight would be handled by the audit committee as part of an enterprise risk framework review. Cyber is sometimes considered the next step following the IT disaster recovery planning that the audit committee oversees.

A more innovative approach to consider would be to have a technology committee that looks forward to anticipate risks. The type of forward-looking risks to consider would be new market competitors with business models that could impact and disintermediate your core business, i.e., e-commerce giants like Amazon and Alibaba or marketplace business models like Airbnb, Uber, and eBay, or other competitive market risks. –B

To submit a boardroom question for Betsy Atkins, email
