It is the end of a long day of board meetings, and the company’s chief information officer is making a presentation, at the board’s request, about the major technological investments the company is considering. Halfway through the deck, the CIO mentions ransomware, then says, “Criminals are raking in hundreds of millions through these scams…”
A board member stops him. “That’s the first I’ve heard of this term. Are they actually holding people against their will in our IT department? Are they taking the general ledger hostage? How serious a threat is this?”
“It’s not that kind of ransom,” says the CIO. “But it’s pretty serious. An intruder gains access through a phishing scheme, uses someone’s password to breach the firewall, locks up the operating system so legitimate users can’t gain access, and then demands payment to remove the malware.”
The board member doesn’t quite follow the jargon, but lets the CIO move on to the next topic: the company’s plan to mitigate this risk, in part by tracking the online behavior of all visitors to the company’s cloud-based sites. Much of that discussion is lost on the board members as well. They already knew something about ransomware just from their general news reading, but this is the first time they’ve heard an introduction to its ramifications for their company. And cybercrime is only one of the technological issues facing them. Artificial intelligence, the Internet of Things, drones, 3D printing, predictive analytics, and driverless cars are also on the horizon, poised to dramatically affect the way this company competes and creates value. The board can’t judge the ramifications effectively unless its members are kept up to date, and they haven’t set that time aside.
Today’s rapidly changing technology environment often has boards scrambling to keep up. For example, most of the respondents to PwC’s 2016 global survey of CEOs said that the most direct path to meeting customers’ changing demands is investing in data and analytics — a new area of inquiry for many board members. By necessity, boards are more engaged with technology and digital transformation than ever before, and the directors are still scrambling to catch up. According to Spencer Stuart’s annual board index, the average age of a director at a public company is 63, and the majority of public company directors aren’t sitting executives who work through technological advancements in their day jobs. Given the pace of technological change, how can boards really be on top of their game unless they are continually brought up to speed?
This situation is no surprise to directors. Only 71 percent of those polled in PwC’s 2015 annual survey of corporate directors say their company’s IT strategy and risk mitigation approach is supported by an adequate understanding of IT at the board level. What’s the solution? Should we, as writers Chunka Mui, Toby Redshaw, and Olof Pripp suggest, add sitting directors with technological knowledge as their primary credential? Or should we push companies to prioritize IT awareness and devote elements of board meetings to IT education? The best answer lies in doing both things at once: recruiting more technical expertise onto the board while improving the quality of technology-oriented conversations in general.
On recruiting: Some boards are already seeking new members who are IT experts and can hold their own in a conversation with a CIO. But the debate over whether to designate a seat on a board to someone with specialized technology and digital expertise remains complex. Directors with this expertise are being added to some big-name boards, but other boards don’t want to give up a seat to someone who may not have a broader range of skills and experience.
One solution is to establish board succession practices that require future board members to demonstrate intellectual curiosity, strong learning skills, and some background in technology. It isn’t necessary to specify a particular digital background because the technological environment of tomorrow will undoubtedly be very different from that of today. But if directors are truly engaged and have the intellectual skills to be able to grasp new concepts, they should be able to understand any future critical issues.
As for conversations, the approach here is to create more effective communication between boards and the relevant technology leader — the CTO, CIO, or chief digital officer (a role that a growing number of companies are creating). Many boards are already communicating and engaging more: 25 percent of directors responding to the PwC survey say they meet with the CIO at every formal meeting, up from 18 percent in 2012. But those meetings are not always as productive as they should be.
Many boards are already meeting regularly with the CIO. But those meetings are not always as productive as they should be.
For example, many directors believe cybersecurity is a significant risk and want to spend more time discussing it. But if the board’s interaction with technology is primarily related to cybersecurity, it is missing the bigger picture. Technology leaders need to lay out the full IT landscape for directors, presenting the concepts and the data in a way that makes it easy for nontechnical business leaders to grasp the implications. If CIOs can present these issues to management, they should be able to present them to the board.
They should start with the basics. Prepare a broad look at IT, highlighting a baseline of where the company is today and then focusing on where it aspires to be in the future. How does the company’s technology compare to that of its peers? Is it ahead of the curve or always playing catch-up? Are significant IT upgrades or system implementations needed simply to get to an acceptable state? How does the company’s digital agenda fit with the rest of its strategic priorities — and particularly with the capabilities it needs to compete, which will inevitably involve leading-edge technology?
Setting up and conducting this conversation might require the investment of time and money at first, but smart boards should be able to move forward to an ongoing oversight role. In subsequent meetings, they should start to ask about deferred maintenance risks or probe the CIO about the company’s digital plan. They can also focus on technology skills and talent. And they’ll want to hear the CIO’s opinions on the company’s IT vulnerabilities and opportunities.
Occasionally, the company should also consider bringing in subject matter experts — sometimes hearing the data in a different way can help bring it all together. Open and transparent interactions with the CIO can help the board stay current on the fast-changing nature of technology and its impact on the company. These robust discussions will lead to better board oversight of technology, along with a better technological footprint for the company. And remember to limit the jargon.