GDPR: What Boards Need To Know Now

With GDPR fast approaching, Diligent CEO Brian Stafford and CFO Michael Stanton talk about what boards should know about the regulations.

The second area that I think you’ll see more and more boards invest in is bringing on a technology or cyber risk expert to your board. Step one, like I said, is asking the right questions. Step two is, you have to have someone sitting in the room as a board member where, when the CTO or CIO or CISO, the chief information security officer, comes and says, “Here’s what we’re doing,” someone who has the depth to push that person and actually get underneath whether there is more that you could be doing, more so than just bringing a consultant or someone else. So I think you will see more and more investment around either technology expertise specifically, that means someone who has a very technical background, has been a CTO or CIO, and/or specific cybersecurity experts who sit on the board.

Michael: Yeah, I couldn’t agree more… I do think you are going to see, whether it’s a changing of the guard or an enhancement to the broader board and, look, also the management team. Brian referenced data privacy officers and whatnot. A lot of organizations are going to have to sort of a responsibility, whether it’s under the CFO or the general counsel. That’s how you’re going to see it evolve. But I think on both sides, corporate management as well as the board, I think the evolution of this is going to be, you’re going to see more dedicated expertise for sure.

Why is it so important for directors to kind of look in the mirror and start with themselves when it comes to cybersecurity?

Brian: Ultimately, in a world where we’re constantly reading about culture and the tone from the top, I think the tone from the top not just comes from the CEO and CFO, but also from the board. And you have to be in a world where people practice what they preach, and you can’t have the top of the house preaching something else and not adhering to those same principles at the very least, if not a higher principle or standard. You’re right, you have some of the most sensitive information that is out there for a company, in many cases going to board members in insecure kind of channels that’s out there in the open for everyone. So whether that is emailed board materials, whether that is emailed or sent around an M&A pipeline, material, whatever it might end up being. I think you’ll probably remember the phishing attack that Colin Powell was unfortunately caught by where all Salesforce’s M&A pipeline got out in the open.

No director means for anything bad to happen to any of the companies that they’re associated with, but you know, hacking and sophistication around cyber just continues to go up and people need tools to help them be more effective. Most directors are retired and they use their own personal email address, and we would be kidding ourselves if we didn’t think that there was communication about company initiatives, decisions, actions that weren’t happening between the board [through those emails]. And we just recently released a survey where 92 percent of directors said they used their personal or unsecure email for communications… so you look at all this communication that goes back and forth over free third-party email service providers that have either been hacked [or are] prone to a phishing attack. So just more secure tools that can help directors actually be more protective of their data and kind of practice what they preach are incredibly effective and helpful.
