What boards should focus on when working with tech leaders.
The dialogue between corporate chief information officers and the boards of directors can be both enlightening and frustrating — often at the same time. The two of us have seen many boardroom discussions from both sides of the table and while the results can be positive and supportive, too often the discourse breaks down over the incompatible languages of technology and governance.
Adding to this problem, corporate board members typically ask their CIOs the wrong questions. This leads to wrong answers, wrong assumptions and — most likely — wrong actions. Here are the top three mistakes board members make when it comes to communicating with CIOs — and how they can do it right.
1. Prioritizing the latest tech trends — artificial intelligence (AI), internet of things, big data, the cloud — and not what “keeps the lights on.”
Corporate board members, like most high-level business execs, stay informed on the latest trends in information technology (IT). They realize this technology is advancing at incredible speed, and will bring huge changes and opportunities to business. But the board also tends to be dazzled by the latest buzzwords and tech concepts, often at the expense of some of the basics, such as the core network infrastructure and systems needed to support new technologies.
“Digital transformation” is as exciting as it sounds, but the CIO (and board) need to also focus on the homely, hard-working enterprise resource planning (ERP) systems that keep the lights on.
Supply chains, customer relations, sales and human resources may not be sexy. However, these ERP elements are crucial to any modern enterprise. They typically gobble up 70% or more of the IT budget, and much of any CIO’s time and energy. ERP systems may also be an aging patchwork, and appropriate budgets must be allocated to keep these systems current, which also helps reduce the company’s cyber vulnerability. A modern, high-performing “digital ERP core” makes it easier, quicker and more cost effective to connect and deploy new sought-after technologies.
IT, data and digital business issues have multiplied to cover a huge number of disciplines. These include purchasing, strategic planning, marketing, compliance, logistics, customer relations — and on and on. Often, CIOs have these responsibilities dumped into their laps, without the budget, staff or authority to properly handle them. Even worse, many companies forge ahead building and selling exciting new digital products and services without involving the CIO, often resulting in non-compliant, insecure products that don’t work well, are difficult to upgrade, and ultimately disappoint customers and expose the company to cyberattacks. A smart board move to deal with this is to ask management for a top-down assessment and scoping of company digital responsibilities.
2. Asking, “Are we secure from hackers?”
In this board question, almost every word requires clarification. First, when it comes to IT and system protection, the word “secure” is like using the term “unsinkable” about a ship — the idea itself tempts fate. The CIO and chief information security officer are instead in an endless competition between best practices for protection versus best practices for hacking (with hackers aided by worst practice sloppiness among company executives and other users). Securing systems is thus not a destination, but a journey. Better to ask what is being done to secure data (don’t merely ask how much is being spent on data security), and what actions will be undertaken when a breach occurs.
For example, ask what is being done to uncover current break-ins. (At the enterprise level, it’s often 18 months or more before a break-in is even discovered.) Where are the most vulnerable system access points? (Boards are often satisfied with protections at company HQ. But hackers know it’s easiest to tap in at far-flung, less-sophisticated company nodes in places like Latin America, Africa or Eastern Europe, or through third-party vendors.) What outside resources are used to test and monitor security? (External cyber monitoring, “ethical hackers,” newer AI testing platforms, etc.) Ask instead for crisis management plan details in the event of a breach, because surely it will happen. It’s how quickly, decisively and effectively “pre-agreed” actions will be executed that will make the difference between the winners and losers when it comes to break-ins.
3. Staying silent regarding the potential damages from a hacking or data incident.
If boards don’t like discussing bad news with CIOs, they surely won’t ask about potential worst-case scenarios. Yet they must, because the health and possibly the very future of the company depend on it.
The numbers should gain board attention — $148 million in losses from the 2014 Target retail stores hack. The data breach at Equifax brought a preliminary loss of over $80 million (and a $4 billion hit to its stock price). Last summer’s NotPetya virus attack set FedEx back $300 million. Uber is one of many companies that faced a ransomware attack. It cost them “only” $100,000, but opened them up to heavy legal and, more importantly, reputational “brand” cost claims. The WannaCry outbreak impacted computers in over 150 countries. Damages ranged from not being able to print pallet labels in factories to complete or partial operations shutdowns for days and even weeks at other companies. Think, “What would this cost me and my company?”
This legal and disclosure fallout could soon make the direct losses from digital mischief seem minor. The European Union’s new General Data Protection Regulation (GDPR) sets very tough standards for company data security, privacy and handling. Companies found noncompliant can face fines of up to 20 million Euros or 4% of the company’s group worldwide turnover (whichever is greater) when data breaches occur. And these standards can reach out to touch firms not based in Europe as well. A lesser fine of 2% of turnover (or 10 million Euros) can be imposed for merely failing to implement measures to ensure privacy when designing new systems, or for failing to report breaches.
We’ve seen this delicate dance when it comes to discussion between boards and the CIO. Both sides have powerful incentives to wish IT problems away. CIOs get rewarded for saying everything is fine. For directors, this is just the response they’d like to hear, and they can safely then move on to the next agenda item.
But as every business is now a digital business, there is no more room for boardroom evasion. Board members have a fiduciary duty to ensure that the company’s digital profile is safe, strategic and effective. And CIOs have a duty to keep them asking the right questions.
Betsy Atkins, CEO of Baja Corporation, serves on the boards of public companies Cognizant, Wynn Resorts and Schneider Electric. Terence Stacey is the former CIO of the Nestlé Group.