Much of my time is spent advising CEOs and boards of directors on board composition, and I’m always amazed how so many boards are simply having the wrong conversation. The primary focus and responsibility of a board is governance, and broken down to its essence, governance is all about risk awareness and mitigation.
Sure, boards can (and should) talk about strategy, director independence, board culture, board diversity, board succession, board education, board attendance and the like—all important issues. Committee structures, public policy, procedure refinement, media relations, constituency management, capital allocation and deployment are all great and worthy topics. However, as important as these issues are, they rarely pose immediate extinction-level threats.
The hot topics at board meetings these days are very heavily skewed toward what I refer to as the double Ds of diversity and digital. Again, these are worthy topics which clearly need to be addressed, but neither of them poses an immediate threat of putting an enterprise out of business in the near term.
Most boards simply have easy, expected, and often pedestrian conversations – they don’t have the necessary and hard conversations. Average boards do easy well. Great boards do hard well. I often tell boards they can either do hard, or hard will do them. The former is a much better alternative than the latter.
So, what skill gaps are most prevalent in the board room? Almost universally, the glaring blind spot for boards is in the arenas of cybersecurity and risk. These are the two very large elephants in the room; these are the hard issues; these are the issues that can put even the most successful company out of business.
What’s the big deal around cyber risk, you ask? For starters, a data breach will immediately cause a free fall in stock price, taint the brand, call into question the competency of board and C-level leadership, and result in a guaranteed class-action lawsuit. Those are just the obvious outcomes of a data breach. Further fallout from a breach could include content or IP being held for ransom, confidential and embarrassing information being leaked to the media, systems being shut down, employees or customers being harmed by the exposure of personal information, physical (site security) vulnerabilities being exposed or exploited, and the list goes on.
When it comes to physical risk, if the phrases “corporate negligence,” “wrongful death” and “corporate manslaughter” don’t put the fear of God into you, then I’m not sure what will.
Boards should not be lulled into a false sense of security because the company has hired a chief information security officer or a chief risk officer. This is a step in the right direction, but the best boards are going further: adding director seats that represent cybersecurity and risk expertise, and forming formal committees to oversee governance matters related to cyber and risk.
The reality is that when it comes to cybersecurity and risk, it’s not a matter of if, but of when, and of how catastrophic. Boards that do not take the prudent and proper steps in these two areas will leave the company exposed and will pay a very heavy price down the road.