Are boards ready to deal with cyber-risks?

Published June 2nd 2017 - Even with the increasing exposure cyberthreats are receiving in the media, most boards of directors are not ready to deal with cyber-risks. This HBR article highlights survey results showing that only 38% of directors have a high level of concern with cyber-risks, yet the average cost of a data breach is $4 million. Two reasons discussed for this disconnect are the lack of effective processes for cyber-risk oversight and the lack of expertise. Do you agree?

https://hbr.org/2017/02/why-boards-arent-dealing-with-cyberthreats

Cyber-security: three useful insights for corporate directors

I just attended a Cybersecurity talk and wanted to share a few interesting insights for corporate directors.

Beware of the four basic types of people performing cyber-attacks, as each has different motivations influencing their mode of operation: the Criminal looking for money, the Spy looking for secrets, the Hacktivist looking to make a statement and the Internal actor looking to disrupt.

One way to check if your accounts have been breached in a major hack is to regularly visit the website www.haveibeenpwned.com and enter your email address.

According to CSO Online, the threats to watch in 2017 are ransomware targeting more devices including mobile, manipulation of IoT devices to wreak havoc, malware-laden mobile phones, and politically motivated hacking that is on the rise and will now target a wide variety of businesses.

http://www.csoonline.com/article/3156893/data-breach/watch-these-top-4-cybersecurity-trends-in-2017.html

What boards can learn from Trump Tweets

Thank you @BobZukis for sharing this interesting article that leverages interest in Trump tweets to remind boards of the increased security risks if social media is not managed properly. Boards should make certain companies have and follow a social media process policy that includes quality control. A few relevant pieces of advice: ensure all mission-critical directives to employees or third parties are properly authenticated; make certain high-visibility executives are engaging in cybersecurity conversations with family members; avoid file transfer via external devices such as USB drives given to you by third parties, at conferences for example. But most importantly, verify that when using social media, your executives, including board members, are putting the company reputation first. Also verify that they are adhering to policies and procedures, have had situational awareness training and remember it when opening emails or clicking on links when abroad.

http://www.csoonline.com/article/3164840/social-networking/what-company-execs-can-learn-from-trumps-tweets.html

Three reminders for effective board minutes

I just attended a refresher training on board minutes and wanted to share a few of the take-aways I found most relevant.

  1. The minutes should have enough detail to reflect the level of analysis, discussion and thought that led to a decision. In that spirit, noting the start and end time of meetings can help demonstrate enough time was allocated to make insightful decisions.

  2. It is good practice to keep a table of minutes’ follow-up items, including what, who and when. It is however recommended to not include this table in the board minutes. This table is a working tool and having it inside the minutes makes it admissible for litigation purposes.

  3. If you circulate a resolution via email for signature in lieu of a meeting, all directors have to sign, as opposed to only the directors present at a meeting. It is acceptable to keep a photo or scan of the signature page as proof of signature.

Can you prove your board cybersecurity policies meet reasonable standards?

An important read for directors who want to understand the current legal landscape on board cybersecurity oversight, to evaluate how current their cybersecurity approach is and how exposed they are personally. Boards have to be able to defend that they meet reasonable standards in security. And just being compliant is not enough; cybersecurity policies must meet the industry norm. This is even more important for boards of unregulated industries, for example mobile services and apps, and of small and medium companies that wrongly feel they could not be the target of cyberattacks.

http://www.csoonline.com/article/3147628/leadership-management/why-security-leaders-need-to-embrace-the-concept-of-reasonable-security-now.html

Canada Health Infoway Board Member

I am honored to announce that I have been nominated to the board of Canada Health Infoway. I will serve as an observer until July 2017. I am very much in agreement with Infoway's mandate to accelerate the development, adoption and effective use of digital health solutions across Canada. My career in digital health solutions in Canada and the US enables me to understand first-hand the importance of digital solutions to transform healthcare and keep it affordable for all Canadians. I am glad to be able to actively contribute to the advancement of digital healthcare solutions and to leverage my technology and governance background in this role.

Boards must stay aware of technology predictions

I just participated in a Gartner Webinar: Top Predictions 2017 and Beyond; Surviving the Storm Winds of Digital Disruption. These events help keep me abreast of technology that impacts my governance role. Of interest, for consumer-facing businesses, was the gradual adoption of virtual reality in the shopping experience and of voice interfaces to browse the web without screens. For other businesses, it is worth noting that more and more algorithms will influence the tasks of global workers, thus reducing cost of operations, and that businesses should achieve 10% maintenance-cost reduction with the adoption of specific IoT devices. Boards of directors must keep a watchful eye: digital disruption is everywhere; after all, driverless cars were not invented by car-producing companies…

http://www.gartner.com/newsroom/id/3482117

Canada Health Infoway partnership conference

I will have the opportunity to attend the Canada Health Infoway partnership conference in Toronto on November 17th. I look forward to learning more about digital health in Canada, more specifically medication management, interoperability and consumer health solutions. Come meet me there…

https://www.infoway-inforoute.ca/en/what-we-do/partnership-conference?gclid=CjwKEAiAjIbBBRCitNvJ1o257WESJADpoUt0Um3q3h-fmpyUaYsP-tx6dSVZXwgKyvdbEdws8SQ3rhoC2inw_wcB

How can the board question strategies to respond to escalating cyberthreats?

An informed blog on the current situation with cybersecurity but, more interestingly, one proposing solutions from a trusted source (DoD) for businesses that are overwhelmed by the pace of intrusions: simplify networks, build your cyber support community but, most importantly, be ready for cyber incidents and practice, practice, practice. Do we have more work to do? Absolutely. This is an area where every time you get better, so does the threat.

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/your-security-team-is-outgunned-wheres-the-help.html

Key questions for boards on cyber-risk and cyber-insurance

An interesting overview of why corporate risk managers are being pushed to adopt a better cyber-risk posture and what role cyber-insurance can accurately play in mitigating cyber-risk. The key questions enterprises struggle with are of particular interest to board members as a basis of discussion with management: (a) What is at risk for our enterprise — is it business continuity? Will we experience denial of service or intellectual property theft? Do we hold consumer/financial/patient data?; (b) What is the probability of an event occurring?; and (c) What are the estimated damages?

http://techcrunch.com/2016/05/23/can-startups-disrupt-the-20-billion-cyber-insurance-market/

10 essential technology questions for boards

A good summary of how boards should be discussing technology. Instead of seeing technology as a functional tool, the highest performing boards see technology as a strategic lever, on the same level as people, brand and capital. The board must ensure it has enough technology savviness to foster an understanding of what the technology can do for the business and where it fits in the overall strategy.

https://www.linkedin.com/pulse/10-most-powerful-technology-questions-any-board-russell-yardley-faicd

Boards must have innovation on their radar

A very interesting read from Deloitte. The underlying theme is that the acceleration of disruption is occurring in all aspects of business: technology and products, HR, business models, compliance, activism, cybercrimes. To react to these disruptions and keep companies relevant, the board must ensure that innovation is also accelerating and that a culture of innovation is prevalent across the company.

http://www2.deloitte.com/ca/en/pages/audit/articles/directors-alert-2016.html

Information Technology Association of Canada (ITAC) launches Women on Boards registry

I am proud to be part of the ITAC Women on Boards registry, Canada’s first registry profiling 33 board-ready, technology-experienced women who are qualified and interested in board of directors appointments. This will help Canadian companies find experienced, technology-savvy corporate directors to foster diversity on their boards.

http://itac.ca/blog/itac-women-on-boards-registry-a-solution-to-lack-of-ict-board-diversity/

The type of CIO boards should look for

A great follow-up read on the type of CIO boards are looking for: CIOs who can really become part of the C-suite, much closer to the business and strategy, and who can drive digital transformation. In order to do so, they have to be able to run a cost-effective, efficient IT operation, drive down overhead spending in IT and across the business and make their operations more agile. Does this sound just like the job description of any top manager?

http://deloitte.wsj.com/cio/2016/04/28/how-cios-can-set-a-digital-mandate/