The danger of an arrogant board
I worry when I see consultants and thought leaders say the board needs to include experts on cyber or other topics.
I agree that cyber is one of today’s hot topics and represents a risk to pretty much every organization.
But is the answer to have a director who is considered a cyber expert?
After all, that usually means having one director who understands information security issues, probably because they served as an IT executive or had a leadership position with a consulting organization.
One person who is limited in the amount of time they spend talking to management, a part-timer who is unlikely to fully understand the complete range of technology used by the organization, how it is used, the process for managing it, and the people relied on to address related risk.
One person who is almost certainly spending the great majority of his or her time running their own consulting business – or is retired and may no longer be current and up-to-date. After all, this is a dynamic technology environment.
For example, I have what many would consider a strong technology background. I was a senior IT audit manager with one of the Big 4 audit firms, was the executive responsible for information security and governance for a major financial institution, and had both the IT audit and IT quality assurance functions report to me.
But while I still understand the principles of technology use and related risk, I would not position myself as an expert.
I would not be comfortable having any board rely on me for assurance on technology risk.
I would only be comfortable if I was able to surround myself with experts on whom I could rely. (I was fortunate to have several during my time as CAE.)
Boards should, in my opinion, take the same approach.
Rather than relying on the mistaken belief that a single board expert (who may not be current) can cover a critical topic, they should ensure that management has the personnel they can rely on.
The board should question management with an appropriate level of professional skepticism in discussions about cyber.
Management presentations and the ensuing discussions are opportunities for the board members to seek and gain assurance that management has a good handle on technology-related risks.
The goal should be to get comfortable with management rather than to decide themselves whether cyber is properly managed.
Cyber is just one of the topics requiring specialized experience and insight. Others might include commodity and/or currency hedging; compliance with anti-bribery and other regulations; conducting business in China and other nations; the activities of competitors; and so on.
The board cannot be an expert in every area of risk.
They cannot have an expert on everything.
Believing that they can discuss cyber and all other specialized areas and decide whether risk is at desired levels is, in my opinion, both arrogant and unwise. One former CIO who talks to the company’s technology people once a quarter is insufficient.
Boards are generally composed of current and former CEOs, CFOs, and similar. The directors are experts in the specialized area of hiring good people and monitoring their performance.
I would much prefer that board members not just once but continuously assess the executives individually and as a team.
Are they competent and capable of managing the organization to success, including addressing issues like cyber, economic disturbances, and so on?
So while I would be happy to serve on a board as their technology or risk management expert, sadly that is not the answer.
The answer is to have confidence in the people who run the organization every day.
Some may say that the board needs a technology person to ask the right questions and know when the answers are poor. My answer to that is that I need a CEO who can ask the CIO and others on his team the right questions. I need a CEO who can be comfortable that cyber is being addressed every day, not just once a quarter.
The board should be able to assess the CEO and how he or she works with the CIO, CTO, CISO, and so on to manage cyber risk.
I welcome your comments.