In August 2019, the National Association of Corporate Directors (NACD) and Marsh & McLennan Companies (MMC) released a report with foundational advice for board directors to improve their oversight of digital transformation efforts and emerging technologies, such as artificial intelligence (AI), the internet of things (IoT) and robotic process automation (RPA). While aimed at directors, “Governing Digital Transformation and Emerging Technologies” offered several recommendations that chief information security officers (CISOs) can use to improve their organization’s handling of cyber risks and emerging disruptive forces.
Good News, Bad News
The good news is that board directors are aware of the potential impact of many disruptive technologies, with 18 percent pointing to AI, 15 percent to RPA and 10 percent to the IoT as key disrupters over the next five years. Directors are also aware of other potential disrupters, including blockchain, mobile computing, augmented reality and drones. Sixty-six percent of board directors agreed or strongly agreed that their organization was vulnerable to the disruptive impact of emerging technologies in the coming year.
The bad news? The digital economy won’t wait for your organization’s board and leadership to embrace change, and executives know it: Research by Harvard Business Review Analytic Services found that almost half of survey participants reported that “their organization’s traditional business model will be obsolete by 2020.” And, as the NACD/MMC report made clear, boards have a lot of work ahead to improve their understanding and governance of disruptive technologies. The current board governance, management structures and processes work, but primarily for periods of gradual changes in markets and conditions. If organizations are to survive rapid digital transformation, they will need to adopt governance and management strategies that can handle these changes, measured not in decades, but instead in months or, at most, a couple of years.
So, why should CISOs concern themselves with this maelstrom of activity at the top of their organizations? Because CISOs are uniquely positioned to help their organizations plan their digital transformation efforts, test the impacts of those efforts — including impacts on security, privacy and overall cyber resilience — and provide insights to top leadership and the board on the likelihood of success of each of those efforts and how they will impact the digital health of the organization.
To that end, I’ve reorganized the five principles outlined in the NACD/MMC report into three broad areas that are relevant to CISOs.
1. Treat Emerging Technology as Strategically Imperative
The report noted that not everyone means or understands the same thing when they talk about “going digital.” It’s important for the organization to have a clear internal picture of what is meant when those words are uttered. Many of us have seen a simple misunderstanding over terminology turn into a huge disagreement, with all the frustration, stress and inertia that misalignment and mistrust can create. Here the CISO can be part of the conversation, ensuring that new terms are put into proper context when first encountered in the C-suite or the boardroom.
CISOs can also play a key role at the planning stage, making sure organizations don’t fall into what the report called “random acts of digital innovation.” This happens when the organization doesn’t have a strategic road map to discuss, plan and implement various IT innovations. An overemphasis on immediate returns from narrowly focused technology investments can also backfire, creating conditions where the rate of change is prioritized over doing it right and ensuring security and privacy.
Yet readers are also encouraged to adopt a culture of experimentation with rapid feedback and lessons learned to help the organization deliver on its IT innovation projects. Finally, we’re reminded that technology governance is not the same thing as risk governance. Simply having board-level processes in place for risk governance doesn’t mean that the organization has a handle on technology governance — or cyber risk governance for that matter.
The CISO can help the organization recognize and treat emerging technology as a strategic issue. It starts by ensuring that everyone is on the same page when using terms like “going digital,” but also requires appropriate plans and processes to discuss, select and implement those changes. The CISO should take the lead in ensuring that the organization has a road map that places emerging technology in a strategic role, including outlining a path for reviewing and deciding on the best approach.
2. Provide Frequent and Forward-Looking Reports
The study reminded us of the need for clarity in cybersecurity and cyber risk reports. Information overload is a common mistake: executives and the board are handed a large volume of information that, in practice, provides little insight into how security decisions affect business objectives. Another pitfall is trailing metrics that, at best, describe the present situation and more often reflect only past performance or conditions.
CISOs need to ensure not only that they provide the right information in the right way at the right time, but also that their dashboards aren’t received as mumbo-jumbo made up of trailing metrics. Board directors want to know not only how well the organization is doing, but also how well it is adapting to technological change and the disruption that comes with it.
But CISOs don’t have to go it alone. They can ask for a board-level or C-level mentor to help them improve the quality of their reporting and communications, even learning what mode of communication is most appropriate to reach each board director. If organizations are to take steps to embrace digital transformation, top leadership and the board must receive forward-looking metrics instead of those that show the breadcrumbs that got them where they are.
3. Culture, Boards and Top Leadership Must Cope With Technological Change
The NACD/MMC report cautioned against boards that have a closed mindset, one in which continuous education isn’t valued and where only certain directors are versed in all things digital. The structure of many boards relegates cyber risk and digital disruption to a few select committees, thereby ensuring that the issues get little attention at the full-board level. The executive team should also embrace digital fluency, leading the way for the rest of the organization to adopt a change-ready culture, one that welcomes innovation instead of fearing it or actively stifling it.
What role can the CISO play in those issues? For one, the CISO should look for opportunities to engage with board directors and share educational tidbits that can be consumed in a matter of minutes, as directors are strapped for time. CISOs can also look at what other organizations — especially those similarly sized and in similar markets — are doing in terms of board governance and director education.
Simply sharing with the CEO and board allies a news clipping about competitors that have taken part in a cyber crisis simulation can help gain support for similar activities in the future. However, CISOs should avoid appearing to curry favor in small-group or one-on-one settings with directors if they want to encourage an open mindset of curiosity and innovation on all things digital.
Focus on the Key Disrupters of AI, RPA and the IoT
Of particular value for CISOs are the sections on the top three disruptive technologies: AI, RPA and the IoT. Each section contains a list of challenges that management and the board should consider, as well as trends and specific advice.
For example, in the case of artificial intelligence, the three key challenges are AI governance (safety, accountability, transparency), the increase in cyber risks posed by AI use (growing attack surface, complexity, data sharing mechanisms) and the labor market disruption it poses. While CISOs can’t do much about labor markets, they do play a leading role in reporting on and managing the cyber risks stemming from AI, and can play an important role in AI governance — either by participating on a governance committee or by educating decision-makers.
CISOs are in the front seat, and their masterful steering is needed to ensure safe digital transformation for their organizations.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato
Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...