
Archive for the ‘IT Governance’ Category

Technology-Ignorant Boards Are Costing Shareholders Billions: What Should Boards Do Differently?

Five years ago, social media was perceived by many to be a passing fad. Then came the introduction of tablets and mobile devices. Now, cyber security has emerged as one of the greatest threats facing Anglo-American corporations. It is front and centre in the minds of directors, or should be.

In the area of technology, are boards fulfilling their duty of care in overseeing management and protecting shareholders’ investment? Indicators are that many boards and directors may not be. Plaintiffs’ lawyers are suing companies and their boards over technology failures. Here are some recent statistics and trends:

  • “Our entire lives are on the internet,” according to FBI Director James Comey, adding “The internet is the most dangerous parking lot imaginable”;
  • “Social media is the number one activity on the web,” according to Belle Beth Cooper in a Huffington Post article;
  • The average user picks up their device 1,500 times a week, and reaches for it at 7:31am each morning, according to MailOnline;
  • The average smartphone owner uses his or her smartphone for three hours, sixteen minutes, each day;
  • Cybercrime constitutes the “greatest transfer of wealth in history,” according to the National Security Agency’s General Keith Alexander;
  • Russian hackers initiated almost 2.5M attacks in a month, followed by Germany and Taiwan, according to a 2013 report by the Centre for European Policy Studies;
  • Only 13% of companies have BYOD (bring your own device) policies, according to a 2014 report by Ernst & Young;
  • Fewer than 50% of companies use encryption techniques for devices;
  • 38% of companies do not address cloud risks;
  • “Only 56% of companies conduct penetration tests, and 19% fail to test at all,” according to an Ernst & Young report;
  • Fewer than one-third of boards are addressing risk management in relation to IT operations or computer and information security, according to a 2012 report from Carnegie Mellon; and
  • “Most policies currently in place are too weak to reasonably ensure that systems are not breached,” according to a 2014 NACD (National Association of Corporate Directors) report.

What should boards of directors be doing to exercise their duty of care over technology risk, including social media, BYOD, and cyber security?

  1. “You have to own this problem as a leader,” in the words of Admiral Michael Rogers, Director of the National Security Agency. You do not need to be an expert in technology as a director, but you now need to be literate and informed. If you are not, then get educated. Request a glossary of acronyms from management as a start. There are several leading standards and frameworks from which to learn, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework; ISO/IEC 27032 Guidelines for Cybersecurity; the SANS Institute’s Critical Security Controls; and the IoD and NACD in London and Washington. If your board lacks information technology expertise, consider putting this on your competency matrix for director recruitment. If you are in a key industry such as financial services, retail, utilities, defense or health care, technology should be represented at the boardroom table. If much of your company’s business model resides on the Internet, consider having a separate technology and strategy committee.
  2. Examine your committee structure. If your audit committee oversees the substance of all risk oversight, you may be at risk if committee members lack recent and relevant information technology and risk expertise, or are overworked. All material business risks, financial and non-financial, should be covered off and mapped to one or more board committees, and these risks should be made explicit within committee charters and board guidelines, including technology, reputation, operations, and health and security risk. The audit committee is not necessarily qualified to oversee non-financial risks, including terrorism.
  3. See technology risk as a broader enterprise risk, and as a strategic and business imperative, not a narrow technology issue. Regulators should be requiring your board to approve the risk appetite framework, which includes explicit internal controls, assurance, reporting, and limitations. Ask management to see the real-time, prospective internal controls over technology risk, in writing. This is where many companies are weak, and if you are, you should see this gap and ensure it is remedied as a director. This is not micromanagement, but good oversight.
  4. Understand and demand information on the internal controls over social media, BYOD and cyber crime. This will facilitate a learning curve to question management, including over training, education, acceptable use, mobile device management, risk and control assessment, situational awareness, threat and vulnerability risk management, and cyber security incident management and governance. Does management show you internal control results over each material risk, including their interactions, and how each risk is identified, controlled and assured? Are you satisfied? Do you have a good dashboard? Does risk culture support cyber security? (Human error and carelessness are big risks.) A recent NACD survey showed a quarter to a third of directors were unsatisfied with the quality and quantity of IT information.
  5. Obtain third party assurance if you have any doubt about how technology risk is being mitigated, or of the strength of the technology and assurance bench. Are you satisfied with the IT, risk management, and internal audit bench strength? These are your eyes and ears. You may need to direct changes and resources. Do you have the power, within your board and committee charters, to request an independent audit of technology risk? Do you exercise this responsibility? If you are blocked by management, this is a red flag. Do you meet separately with risk, compliance and audit to assure cyber security risk?
  6. Information technology risk, compliance and auditing should functionally report to you as a board or committee, not senior or operating management. Senior management should no longer own the risk function. The chief risk officer, the chief compliance officer, and the chief audit executive, should now be independent and report functionally to the board and its committees, not senior management such as the CEO or CFO. This means that the work-plan, independence, resources, reporting, compensation and succession of these three functions (risk, compliance and audit) are now recommended by committees and decided by directors, not management. Do you practice the foregoing? If not, you could be the last to know for a major technology breach and the resulting reputational and financial loss. Experts will scrutinize how you directed reporting and assurance.
  7. Management may be averse to spending what is needed, and to the imposition of internal controls over technology, including those that are reputation- or behaviour-based. This is why risk oversight rests with the board. Your job is to understand, identify, and oversee, not to manage. The budget, talent, resources, reporting, assurance and disclosure of enterprise risk mitigation, including technology, should rest with you. Information, documentation and informed, best-practice and precise questions are your management influence and oversight touch-points.
  8. Become engaged. If you have one or more laggard directors who resist technology or keeping current, these intransigent directors are compromising the governance of the company and should be addressed or replaced, especially if they are on or chair key committees. Good boardrooms are now paperless, and good directors use devices and social media with acumen.
  9. Have technology stress testing. Do you direct management to implement and report on scenario testing and mock exercises over social media attacks and cyber breaches? When it happens, it is too late.
  10. Most of all, protect your company’s crown jewels. Think like a hacker. Protect the perimeter, but once inside, are your company’s valuable assets still protected? How? Agree on a platform and framework and direct management to have an action plan and target date for full implementation.

Tis the Season to Prevent Cyber-Hacking

What are best practices individuals can employ to lessen the chance of hacking of their computer or device?

Here is a quick “top 20 list,” based on part of an education session I have been providing to directors of company boards on cyber security.

  1. Never click on unknown or non-credible emails, attachments or downloads.
  2. Never click “save password.”
  3. Never use the same password across multiple devices or accounts.
  4. Use smart, strong passwords, and regularly update and change your passwords.
  5. Have a second credit card that you use online, with a low limit.
  6. Use two-step authentication whenever possible.
  7. Install firewalls on all your computers and devices.
  8. Always update your software.
  9. Always logout at the end of your work-time.
  10. Always install anti-virus, anti-spam and anti-spyware or adware programs.
  11. Use only your own computers and devices.
  12. Never leave your device or desktop computer unattended or accessible.
  13. Have a professional validate all of the above and never give your password out.
  14. Cover any cameras that are not in use.
  15. Browse anonymously whenever possible.
  16. Use secure, encrypted connections: https where “s” means “secure.”
  17. Resist unencrypted, public wifi hotspots.
  18. Back up your data in real time, twice as a fall-back.
  19. Be careful what you store or send (crown jewels).
  20. Always use a document shredder.

The more aware individuals are of the steps they can take proactively, the lower the chance that their property or data will be breached.

Social media trends and listening for boards

I was asked to give brief talks on social media trends and the board’s role in “listening” at an NACD conference. Here are my notes, as well as a reading list, if group members are interested:



I am pleased to be asked to assist the National Association of Corporate Directors in a social media pod at their annual Board Leadership Conference, October 11-13, to expose directors in a more in-depth and hands on way to social media (forthcoming).

I am assisting the NACD by gathering potential readings for issue identification, etc., from my library and online, and specifically seeing things from a governance and board perspective.

Here is a listing:

July 21, 2013, updated July 29, 2013

Richard Leblanc

Associate Professor, Law, Governance & Ethics, York University

Prof Dr Richard W Leblanc

York University

4700 Keele Street

Toronto, CANADA M6S 1P3

Webpage: http://www.yorku.ca/rleblanc

Dr. Leblanc prepared the list of readings and potential issues/trends below, on IT-related topics.

Board’s role in Social Media “listening”

Lead or be left behind: A chairman’s perspective on social media


What Do Corporate Directors and Senior Managers Know about Social Media?


50 Top Tools for Social Media Monitoring, Analytics, and Management


Social Media and the Board: Why #Hashtags Matter to Directors


Seven Steps for Board Success in the Facebook Age


Cameras May Open Up the Board Room to Hackers


Nonprofit Boards and the iPad: a Good Fit?


Potential Issues/Trends

  • Lack of direct digital media management experience for some/many directors, even incumbent CEOs / SMT (senior management team);
  • Psychological / comfort issues as well, but this is changing as boards are going paperless (tablets, portals, etc.) and there is pressure on laggards;
  • Concerns with Reg FD and equal treatment of investors: directors more comfortable listening;
  • Directors are listening and reading, and this should not be misunderstood for lack of appreciation or passivity: there is high awareness among good boards and directors, which usage statistics above may not reflect;


Social Media and Reputational Risk

Reputation Risk: A Corporate Governance Perspective


Director: Reputations at Risk


Ten Keys to Manage Reputation Risk


Virtual world, real risks: When social media becomes a liability


Reputational Risks & The Role Of Social Media


Social Media Said to Present Significant Reputational Risks


Three Steps Towards Managing Reputational Risk


The Board, Social Media and Liabilities


Reputation risk management on the rise


Social media reputation damage high on risk managers’ list of concerns


The Risks of Social Media: Self-Inflicted Reputation Damage


Potential Issues/Trends

  • Speed, inter-connectedness and unpredictability of transmission;
  • Personal vs executive vs corporate reputations now merging;
  • Design and implementation of internal controls, balanced with communication and opportunity;
  • SM was junior position at outset, but now best practice is senior management oversight or member ownership;
  • Crisis planning involves digital stress testing and response plans in advance; mock runs also;
  • Reputation online background checks for directors, management, employees now; good firms will do regular reviews of current members;
  • Online analytics part of information flow to good SMTs and boards;


Integrating Social Media into overall strategy/questions the board should be asking management

Why boards need to adopt social media


What Directors Think About Social Media


Boards remain uneasy about social media, says women’s directors group


Directors and IT: What works best?™


Social Media – questions for directors to ask


20 Questions Directors Should Ask about Information Technology Security


SOCIAL MEDIA: What Boards Need to Know


Elevating technology on the boardroom agenda


10 Questions You Should Ask Your Social Media Expert, Guru or Wizard


52 Questions To Ask When Hiring A Social Media Company


The Key to Social Media Success Within Organizations


The Board’s Responsibility for Information Technology Governance




Privacy and Boards of Directors:; What You Don’t Know Can Hurt You


Execs Not Using Social Media At Board Level Strategy


Social Media — The New Business Reality for Board Directors


Too Many Top Executives Aren’t Taking Social Media Seriously


Why 1700 CEOs Are Wrong about Social Media


How Kodak Squandered Every Single Digital Opportunity It Had


Potential Issues/Trends

  • SM seen in the main as a risk (defensive, liability), versus being seen opportunistically and strategically;
  • CIOs/CTOs may lack broad P&L experience for board membership; this may not change;
  • Technology / reputation risk may need board committee oversight, depending on sector and opportunity/threat;
  • SM advocates may have self interest (e.g., vendors, service providers): assurance and analytics are immature but evolving;


Big Data/ Analytics

Big data: The next frontier for innovation, competition, and productivity


Big data



Guide to big data analytics tools, trends and best practices

Experts share perspectives and identify best practices for big data analytics projects in this Essential Guide.


Severe Consequences Face Big Data Analytics Without Governance, Experts Say




New research suggests using big data, particularly social media data, can lead to a biased representation of the data based on societal factors.


Potential Issues/Trends

  • Big Data is somewhat tangential to my area of expertise, so I will not comment; however, big data / analytics are an important area, with significant capacity and opportunity, and it is correct for this item to be on this list;


Social Media & CRM

Three Out of Four Social Networkers are Logging in on Company Time, Ethics Resource Center Reports


How the Voice of the People Is Driving Corporate Social Responsibility


Social Media in Corporate Social Responsibility (CSR)


Tying Together Social Media and Corporate Social Responsibility


Mashable: Corporate Social Responsibility


Why Social Media Is Vital to Corporate Social Responsibility


A Guide To Social Media For CSR Professionals


Telus Corporate Social Responsibility Report 2012


Tying Together Social Media and Corporate Social Responsibility


Potential Issues/Trends

  • Digital media is the new stakeholder communication platform;
  • CSR lacks the rigor of reporting that US GAAP / IFRS have; this is changing, but regulators are waiting for maturity; GRI has made good efforts, as have others (e.g., integrated reporting);
  • CSR (including Climate change/environmental) may lag because of austerity and jobs concerns since 2008;
  • Exemplary companies (see above) are communicating CSR through social media, communicating directly with stakeholders;
  • Opportunity to affect messaging and communication: needs to be genuine and two way; listening and acting; stakeholder groups are sophisticated, even activist;


Trends/Emerging Topics

What Do Corporate Directors and Senior Managers Know about Social Media?


Use of board portals and social media


2012 CEO, social media & leadership survey


Taming Information Technology Risk:

A New Framework for Boards of Directors


IBM CEO Predicts Three Ways Technology Will Transform The Future Of Business


The Next Digital Paradigm


Make Social Media an Organizational Asset – Right Now!




Ten Technology Trends that Will Change the World in the Next Ten Years


Technology, Strategy and Shareholder Engagement Driving Corporate Governance


Potential Issues/Trends

  • Rapid change and transformation occurring: a few have said ‘revolution’, e.g., cloud, metadata, digital payment, social platforms, ease of use, direct contact with users;
  • Intermediaries in any value chain may need to transform because of technology;
  • Board should be in position to predict, press and stretch management if / when SMT is off-course or in denial;
  • Some industries/sectors will need to transform or die / be replaced: opportunities here; we are seeing transformation and complacent vs strong boards;
  • Boards should not be in denial if SMT (day to day) may be, and see up and out (what is coming) to fullest extent possible;



Cyber Risk Management – A Board Level Responsibility:

10 Steps to Cyber Security – Executive Companion:



Cyber risk, Guidance note


Cyber security: Considerations for the audit committee


Cyber Security and the UK’s Critical National Infrastructure


Cost of cyber attacks triples in a year


Cyber threats and security breaches forcing companies to re-evaluate risk management


The Art of Cyber War


U.S. Outgunned in Hacker War


Cybersecurity and Internet Governance


Time to get real over cyber security


Cyber crime is now a booming industry


Potential Issues/Trends

  • Rogue players beyond domestic enforcement, sanctions (e.g., Al Qaeda, China, Russia, Ukraine, other);
  • Lack of full understanding of precise vulnerabilities by some/many directors;
  • Under-reporting by companies who have been hacked, and industry specific (e.g., defense, utilities, banking);
  • Government action increasing (e.g., NSA): privacy concerns;
  • Literature is still very general (some exceptions, e.g., NACD above (The Art of Cyber War), others), suggesting lack of knowledge, immaturity;
  • Multi/bi-lateral agreement to enforce within rogue states needed;
  • Good industry-specific boards will do (have done) thorough cyber review and strengthen defective controls, with expert input;
  • Some boards have IT as a desired board competency, and IT as material business risk;


BYOD- Security

Good Governance Guide: Issues to consider in the use of tablets for accessing board papers


10 steps for writing a secure BYOD policy


For BYOD Best Practices, Secure Data, Not Devices


Security Think Tank: BYOD – key tenets and best practices


Bring Your Own Devices Best Practices Guide – Dell


Learn BYOD policy best practices from templates


Best practices to make BYOD simple and secure

A guide to selecting technologies and developing policies for BYOD


Dell Outlines The Death Of The PC


Potential Issues/Trends

  • Usage may have overtaken internal controls and policies in some companies;
  • Demographic and talent issues (e.g. education sector, younger students may: bring only a smartphone to class; not have used pen and paper);
  • Theft, loss: purging of data, passwords, signatures, controls to mitigate: policies all progressing, at differential speed;
  • Better policies available (see above); White House example: http://www.whitehouse.gov/digitalgov/bring-your-own-device
  • Devices may be opportunities, e.g., over 100K online course registrants in Harvard-MIT course: devices may be (or already are) the main channel of communication to customers, other stakeholders;


Executive Security

Corporate Theft? Build a barrier with access governance


Global Status Report on the Governance of Enterprise IT (GEIT) 2011


COBIT: An information security survival kit


Potential Issues/Trends

  • See cyber;
  • There should be rigorous controls, and third party validation if possible, e.g., separation of duties, prevention of management over-ride, treatment of passwords, restricted digital areas, separation of development and approval, record retention, etc.;
  • Assume IT and executive management self interest: control environment and board oversight/reporting important to deter fraud schemes, internal cyber;


Social Media & Investor Relations

A Virtual Annual Meeting Approach


Call to move huge annual reports online


Twitter Speaks, Markets Listen and Fears Rise


Dress rehearsal for disaster shows why Twitter has no place on Wall Street


SEC Says Social Media OK for Company Announcements if Investors Are Alerted http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171513574#.Uer4KFMpcvQ

New SEC Guidance on Social Media Levels Playing Field for Investors


How to Use Social Media for Regulation FD Compliance


SEC Blesses Social Media Disclosures


The Push and Pull of Social Media for Investor Relations


The Greatest Social Media for Investor Relations Panel Ever*


Social Media’s Place in Investor Relations


Social Media for Investor Relations


Survey finds social media gap between investors, companies


Crisis investor relations in the age of social media


SEC’s social media guidance has devil in details


Social Media Strategy for Investor Relations


Potential Issues/Trends

  • SEC permits investor contact using SM: significant;
  • Accuracy and fair disclosure concerns by companies and investors;
  • Regulators are reviewing proxy plumbing (shareholders) and will inevitably address SM, perhaps even (eventually) digital investor voting, fora, collaboration, communication using digital platform [think of a LI or FB group within a company investor section of a website];
  • Investor relations will use (are using) SM, including digital communication, hybrid annual meetings, Q and A, outreach, etc.: this will mature and eventually be regulated to provide structure, expectations;
  • Paper, in person meetings, email, even voting may/will be replaced with digital (text, visual, audio – multi media): the changes are starting;



Director skills

Recruiting the Digital Director


Wanted: More Directors With Digital Savvy


CIOs Say Corporate Directors Are Clueless About IT


Risk and IT intersection

Observations on Developments in Risk Appetite Frameworks and IT Infrastructure


Recruiting a Nonprofit Digital Board Director: Limitations & Alternatives


Nonprofit Board Responsibility Social Media – What Needs To Be Done? Revised & Updated



Management suite:

Digital diaspora in the enterprise: Arrival of the CDO and CCO


CIOs Can Strengthen Your Board of Directors


KPMG brochure:

Risk management in an evolving world

Making the case for social media governance


IT Skills Needed Around the Board Table

In a speech I gave this week to a large room of directors in Montreal, I asked for a show of hands as to how many directors use iPads. About 80% of the hands went up. When I asked the question a year ago, the figure was only about 20%. If you are a director who does not own an iPad, request management purchase iPads for all your directors, or better yet buy your own. Request that your board have a board portal installed. Within a year, most boards will be paperless. Good boards are now paperless. If a laggard director blocks technology or refuses to up-skill, the director should be asked to step down. Technology has gotten a lot easier to use in the last year.

Information technology literacy at the board table is rapidly becoming a must-have for boards, ranking up there with international, risk management and executive experience as necessary boardroom conditions on director skills matrices. Termed an information technology “revolution” by some directors, technology is rapidly changing how boardrooms and companies operate and compete. IT skills are necessary not only for prudent risk mitigation, but more importantly, for strategic opportunity, innovation and the way companies communicate with a new generation of investors, consumers and employees. Virtual meetings, electronic reporting and social networks are now becoming the new communications platforms. Mailed proxy statements, in-person meetings, and even email may become relics of the past.

If your board of directors does not have a solid understanding of IT drivers, such as cloud computing, big data, consumerization, mobile computing, cyber-crime, e-corruption and social media, which are increasingly pervasive throughout all industries and B2B and B2C companies alike, it will not have the clout with senior management to operate. It will not recognize deficiencies, weak benches, red flags, product/service distribution channels, or even basic opportunities or relationships to exploit (such as fundraising for not-for-profits). Management, and the competition for executive and employee talent, will perceive the board as dated. Management and investors can now go online and find out whether a director is IT literate or not.

IT literacy can no longer be learned on the job or through educational primers for older directors, as the turnover and learning curves are too great. The world is changing and the notion that a 65- or 70-year-old former executive possesses IT competency is a myth. Generational shifts and emerging demographics need to be embraced by boards, including recruiting IT subject matter experts and mentoring first-time directors. Women, younger directors and other directors with IT expertise must be at the board table to have the credibility and experience with management to drive change and ensure that boardroom discussion contains multiple informed perspectives.

How does your board fare on the above? Specifically,

  • Does your board have enough strategic IT experience to advise management credibly?
  • Do you have a full understanding of IT opportunities and threats facing your company and industry?
  • Does the board have a committee that oversees IT risks, internal controls and reporting?
  • Do the company and your investor relations department use social media and other emerging technologies (such as shareholder forums) for engagement with institutional and individual investors?
  • Do directors use social media to listen and learn?
  • Are you satisfied with the quality of IT management?

These are some of the questions that need to be asked at the board table. Boards likely won’t get past the second question or the wrong answer by management if they themselves are not IT literate.
