Ever-Changing Tech
Would you agree that staying on top of technology developments shouldn’t be left to the one tech-fluent director on your board?
Just as it’s no longer acceptable to defer all the responsibility for understanding the financial statements to the accountant on the board, I feel that keeping up with the techies has to become a shared responsibility for all board directors.
It’s pretty clear to me that all directors need to have their heads in the tech game – at least well enough to know the score and who’s playing whom. These days, simply asking, “Are we covered here?” isn’t good enough to satisfy our legal duties when it comes to overseeing technology risks.
And what about the upside of that risk – the abundant opportunities posed by technology? Digital transformation is all around us, in organizations big and small. It can mean automating the manual processes that numb employees’ spirits, freeing them up to perform work that’s not only more interesting for them, but more profitable for the enterprise or more satisfying to customers, clients, or volunteers.
Since today’s tech issues are impacting organizations of all sizes, it follows that Savvy Directors in the digital age are looking for ways to stay one step ahead of the techies. They are looking for assurance that the present day is adequately protected. But they’re also looking for ideas about how today’s trends might create future opportunities.
But how do they keep up? How do they determine what’s most relevant for today? How do they stay abreast of what could be an exciting opportunity for tomorrow?
The good news is there’s information freely available to us all. But it requires someone to drive the board to become actively engaged in the changing technology landscape. That someone could be you.
You could be the Savvy Director who gets your board engaged. It requires collaboration with trusted advisors - whether that be the C-suite, the management team, or an outsourced tech firm - to distill information and share it with the board in ways that are compelling and relevant.
What We Have in Common
Let’s start with the tough stuff. Cyber risk is just as relevant to the small personal care home as it is to the large multi-national manufacturer. Both are vulnerable to a ransom malware or phishing attack. It happened to both, and when it did, both experienced debilitating situations for some time. Both had protection in place, but unknown vulnerabilities are always out there. For instance, it’s not uncommon to find that updated security patches had not been implemented within 24 hours of release as they should have been.
For the board, oversight starts with asking questions of management and external advisors. This works best if the board has already established a safe environment that encourages collaboration and avoids defensiveness. Here are some initial questions for directors to consider:
- Do we have a cyber risk policy in place?
- Is our cyber risk policy comprehensive enough?
- When was the policy last reviewed or updated?
- How might we determine and verify?
- What experts might we consult with?
Here’s today’s reality. Tech experts tell us to assume that our organization’s systems will be breached at some point, that we should consider it inevitable. In other words, it’s not a matter of if, but when. So, the next level question is, “How do we protect ourselves from the impact?”
That’s where two-factor authentication comes in. It’s proving to make a huge difference in limiting the negative impact of security breaches. So, the next time your computer, bank, or software provider wants to send a six-digit code to your mobile device before allowing you to log in, cyber security is the reason why. Personally, I’ve learned to appreciate how important that is.
Common to us all - whether you own the largest oil pipeline on the east coast of the United States or you have a small business called DirectorPrep - most ransomware attacks begin with malicious software, or malware, in a phishing email disguised to be from a trustworthy sender. The malware enters the network from an employee’s device when they open the email and click the link.
Basic security hygiene can provide protection from more than 98% percent of attacks. But if there’s a ‘key in the front door’ available on every employee’s device, along with a lack of training to help employees recognize and report phishing attempts, then having the system be taken down by an attacker should just be expected.
Recent stats suggest we’re not yet paying enough attention. In a September 2021 survey of more than 1,000 Canadian businesses, 55 percent of respondents said their organization had been a recent victim of ransomware. Of those, almost 60 percent paid a ransom, and 14 percent paid more than once.
Who on your board is paying attention to pose the questions that need to be asked to verify proper execution of cyber risk plans? Could that be you, the aspiring Savvy Director? Could you see yourself as the director who insists on sufficient agenda time for director education on ever-evolving tech issues? You could suggest that, like some leading organizations, such education could be provided in sessions before regular board meetings.
Fortunately, high quality cyber security and digital transformation information is abundant and free. For example, Microsoft, with software in millions of offices worldwide, spends over a billion dollars a year on security research, plus billions more on prevention to protect individuals and organizations from hackers and other cyber crime. Why not take advantage of that free information and adapt it for your organization’s use?
Who Drives the Tech Discussion at the Board?
Small, medium, and large organizations have different capacities to drive board engagement on tech issues. But size is irrelevant if you’re willing to do some reading to enhance your tech awareness. You don’t need to be an expert on the details, but should be willing to learn so you can frame your questions well.
(Want to know more about framing questions? Check out this article about eigenquestions, the art of framing problems. “What’s an eigenquestion?” you ask? It’s the question where, if answered, it likely answers the subsequent questions as well.)
Large scale organizations with thousands of employees have big projects, big budgets for consultants, C-suite executives leading the technology area, and board directors who are paid well. There are likely one or two directors who’ve been recruited specifically for their technology expertise, even more if the core business is tech-driven. Other directors may have gaps in their tech background and lack tech skills. On these boards, C-suite executives such as the Chief Technology Officer (CTO) or Chief Information Officer (CIO) usually make presentations from time-to-time.
Medium-sized organizations with 100+ employees also have IT networks and boards with a budget for professional development. There may be one senior employee in charge of tech and a small IT team, but other tech services are often outsourced. These boards quite often do not have a tech champion, or even a tech-fluent director. They rely on the occasional presentation from management to accompany a business case for a capital project.
Small organizations with fewer than ten employees often have an entrepreneurial mindset. They may be focused more on building the business to survive and thrive than on building out a comprehensive IT network. Instead, they find cost-effective hardware and software solutions from major providers and outsource a great deal of their IT work. Startups may have an advisory board or a small governance board of early-stage investors.
In this situation, it may seem unlikely that a director has undertaken to champion board engagement on the changing landscape of technology. But if we believe that, we could be mistaken. In fact, many small startups have embraced what technology has to offer to compete effectively against larger, established companies that are burdened by legacy systems. They take pride in being nimble and staying on top of the latest tech trends to help scale their business, and they’ll take advantage of a remote workforce to find people with the best possible skills.
Whether large, medium-sized, or small, all businesses would benefit from having a tech champion director or two to engage with the board on staying abreast of forward-looking tech trends and present-day cyber security issues. Very small organizations can start by asking their outsourced tech firm to deliver education to the board at a regular meeting.
Should you choose to be the tech champion on your board, your goal could be to create a tech-savvy board culture. That will take time. The volume of material can be overwhelming if it’s not fit-for-purpose. You may find that some trends are not relevant to you just now, so part of your role, in collaboration with management and tech firms, is to apply what you’ve learned to your particular situation.
Read, Read, Read … and Ask Questions
Training courses and webinars can add to your tech toolbox. There’s also an enormous quantity of high-value written material on technology for the digital age, cyber security, digital transformation, and more.
Here are some examples, widely available online and updated regularly.
- Microsoft Digital Defense Report
- Top Ten: Cyber Governance for Boards of Directors
- Deloitte Insights: Tech Trends 2024
- Boards Can Surmount the Cybersecurity ‘Intimidation Factor’: 10 Questions Directors Should Discuss With C-Suites
- Technology and the boardroom: A CIO’s guide to engaging the board
The key is to determine how to apply what you’ve learned to your situation and to make it interesting for the board. Not everything will work. Be a good curator.
Ideally, you’ll be able to collaborate with senior management to make a clear link to your strategic plan. The research you’ve found might spark an idea for digital transformation opportunities.
Relevant pre-reading material, concise position papers from management, and engaging board presentations all help to enhance a board culture that includes tech awareness and curious questions.
A single education session won’t produce a transformative decision or budget commitment. But it can get the ball rolling by introducing tech issues on the horizon that provoke directors’ curiosity. This ends up generating more robust and informed board discussion when the time does come to make a tech decision.
DirectorPrep Questions App (DQA)
To get you thinking about questions, consider using the DQA to find cyber questions for your meeting PREP.
We recently replaced the DQA with ChatDPQ™, an AI-powered tool designed specifically for board directors and available exclusively to DirectorPrep members. ChatDPQ provides easy, time-saving access to high-quality insights on anything to do with boards and board work, including tech trends. Click here for more details about ChatDPQ.
Your takeaways:
- Creating a board culture that embraces the evolving landscape of technology adds value to the board, and it takes a board champion to get the ball rolling.
- Tech issues impact organizations large and small. It’s a matter of scale.
- Common to most hacks and security breaches is an entry point from an employee’s device. Work-from-home and other remote work sites increase the risk.
- Directors and management teams can work together to explore emerging tech trends and present their findings as part of the board’s education program.
- Professional services firms publish regularly on the changing landscape of cyber security and other technology issues. They also produce reports that highlight future digital transformation trends that might impact your organization.
Resources:
- Microsoft Digital Defense Report. Microsoft Corporation. October 2021.
- Top Ten: Cyber Governance for Boards of Directors. Eric Friedberg. © Aon plc 2020.
- Deloitte Insights: Tech Trends 2024. © 2024 Deloitte Development LLC.
- Boards Can Surmount the Cybersecurity ‘Intimidation Factor’: 10 Questions Directors Should Discuss with C-Suites. Harry G. Broadman. Forbes. December 2021.
- Technology and the boardroom: A CIO’s guide to engaging the board. Khalid Kark, Tonie Leatherberry, Debbie McCormack et al.. Deloitte Insights. February 2019.
- Eigenquestions: The Art of Framing Problems. Shishir Mehrota and Matt Hudson. Coda,io
- Tech-savvy board members: A common language for transformation and the impact on performance. Irfan Saif, Rich Penkoeski, Nick Alimchandani, Dogan Eskiyoruk, and Bob Lamm. Deloitte Perspectives. February 2022.
- What’s All the Buzz About the Metaverse? Janet Foutty and Mike Bechtel. Deloitte Perspectives. March 2022.
- Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. Andy Greenberg. Anchor. October 2020.
Leave a comment below to get in on the conversation.
Thank you.
Scott
Scott Baldwin is a certified corporate director (ICD.D) and co-founder of DirectorPrep.com – an online hub with hundreds of guideline questions and resources to help prepare for your next board meeting.
Originally published March 20, 2022. Updated March 27, 2024.
Share Your Insight: Would you be willing to be the ‘Tech Champion’ on your board?
Comment
Scott Baldwin, ICD.D
Co-founder | Director
Scott has served on boards and provided governance advisory services to boards since 2001. Private company, nonprofit and government agency boards have been his focus. He is now leveraging that expertise with his own director work while helping directors prepare for their board role so they can collaborate, contribute and influence decisions.
