To Accenture’s Bob Kress, who was recently named one of the most influential leaders in corporate governance by the National Association of Corporate Directors (NACD), it’s not surprising that many boards and directors aren’t keeping up with the latest and greatest in cyber security.
After all, they’re busy. Plus they already have smart people handling such things.
All true, says Kress. But he believes boards and directors need to get their eyes on the security ball soon. It’s too important. It’s an issue responsible boards and directors must take on personally.
Ransomware … a significant increase in connected devices, thanks to an explosion in the Internet of Things … third-party attacks … phishing that is becoming more sophisticated and more successful. Whether from within or outside the organization, cyber threats are mounting just at a time when new digital technologies such as artificial intelligence, advanced analytics and machine learning are increasing the potential attack surface.
"We’re digitizing and connecting everything now," said Kress, managing director for Accenture Security and a recognized authority on IT and corporate governance. "Cars, medical devices, oil and gas infrastructure, industrial plants, data lakes—the list is bigger every day. Then you combine that with the demands of understanding and implementing things like AI to remain competitive, and you have some serious challenges for leadership."
But, Kress adds, "leadership needs to make the effort to understand the landscape. This isn’t just important—it’s vital. Revenue and reputation and competitive standing and even survival are at stake here, so leaders have to get involved. Too many organizations are very early in their thinking on security."
Positive steps to take
As the Global Quality and Risk officer at Accenture Security, Kress is responsible for identifying, assessing and managing risk in Accenture's Security business, along with overseeing the quality of Security services delivered to clients. He is also responsible for Accenture Security offerings to boards of directors, and is the Midwest Region Security lead. Kress is a trusted C-level advisor for Accenture’s clients. Combine this with his work with many members of the NACD and it’s clear he enjoys a high-level view of this landscape.
"Not too long ago I participated in a panel where they were talking about AI," he said. "Bottom line, probably 50 or 60 directors—these are very smart people—admitted they really didn’t know what AI is going to mean to their organization from a risk perspective."
His advice for leaders? First, take the time and make the effort to educate yourself—and keep educating yourself as technology, security and cyber criminals all evolve. Bring in your internal experts for some informal lessons. Take courses offered by the NACD or other organizations.
Second, diversify. That is, consider adding people to the board with specific skills in cyber security and/or people who come from tech. The importance of this cannot be overstated. Many directors and board members simply come from a different generation. Many are brilliant when it comes to business strategy, but security concerns have shifted the game, mandating a need for new skills and thinking.
"Blockchain, quantum computing, 5G, and the fact that AI requires so much sensitive data to do its job … technology change is non-stop, which means security must be top of mind," Kress said. "Good directors recognize this and seek out opportunities to learn and to bring in new skills into the highest levels. Where are we without trust?"
In fact, Accenture research estimates the difference in revenue growth rates between losing and earning employee trust through the use of workforce data is as much as 12.5 percent, or US$3.1 trillion globally—and that doesn’t include trust breaches outside the organization, with consumers and stakeholders such as investors.
Third, and just as important: Leaders should bring in an independent third party to help them understand what they are facing, and what to do about it. Even if the in-house people are saying, "We’ve got this," Kress warns that it’s better to make sure. "White Hat" teams can test defenses, for example, and some organizations offer safe lab environments that replicate a company’s IT and cyber defense environment—thus enabling the company to test potential security solutions in real-world situations.
"Education, technology diversity and getting the advice of a trusted third party," Kress said. "Those are the three legs that make up a firm cybersecurity foundation."