Below is a synopsis of points I covered this week during a webinar held for the Cybersecurity Collaborative, run by my friend Stuart Cohen. Stuart and his founding partners have put together a wonderful collaborative that I encourage you to consider joining. The title of this article was also the title of my webinar. I hope you find the discussion here to be both provocative and actionable – and I hope that you will engage with Stuart’s collaborative.
Back in the late 1980’s, I attended a meeting where everyone kept referencing something called “Excess Seven.” I had absolutely no idea what they were talking about, and I prayed for the meeting to end so that my ignorance would not be exposed. Things got worse as someone jumped to the board and began chalking boxes mysteriously labeled STP and SCP. Once the meeting ended, I literally ran to the Bell Labs Library and discovered “SS7” for the first time.
I’m willing to bet that everyone reading these words has experienced some version of this situation. Perhaps it happened in college, or at work, or even in your personal life – but each of us has had the experience of not understanding something that we know we should. And we know that the best way to deal with such lack of understanding involves personal initiative and immediate action. This is how we grow, and we should be grateful when the opportunity arises.
Now, let’s shift our emphasis for a moment to the wonderful experience of being elected to any significant Board of Directors, perhaps for a Fortune 500 company. To be considered for such an important post, you will have already demonstrated meaningful achievement in some field relevant to the company. You might have been a CEO or CFO of some organization, or perhaps you were a distinguished member of the clergy, or maybe you ran a government agency.
But the common denominator is that you are expected to be ready to serve on Day One. That is, any independent director is expected to have a reasonable working knowledge of corporate finance, basic marketing, human resource management, business operations, competitive strategy, and on and on. Woe to the board member who shows ignorance in any of these basic fields: There will be clear social consequences during coffee breaks for such lack of knowledge.
Which brings us to technology, in general, and cyber security, specifically. The sad situation for most corporate boards is that there are no social consequences to having an utter lack of understanding in the technology-based aspects of business. Any director sitting down for a board meeting who jokingly laments needing a ten-year-old to help turn on their confounded iPad is met with zero raised eyebrows. In fact, other directors will probably chuckle and agree.
Of course, CIOs know that such ignorance on boards cannot be permitted – and the typical response has been to schedule remedial training in both technology and cyber security. The topic of cyber risk is thus a popular request from board principals who nervously watch their shamed executive peers raising their right hands on CSPAN after a serious data breach. It should come as no surprise that training would be considered both appropriate and necessary.
And yet, such training sessions are dangerous when they dumb down technical concepts into comfort-zone terms for board members. It is all too common for the tech to be made simple, so that executives can follow basic concepts and not feel any unease or confusion. I’ve been asked to do this sort of training dozens of times, and I’m generally asked to tailor the cyber security presentation toward a minimal level of understanding. Make it easy for them, I’m told.
Here is why this is a bad idea: By offering training wheels for board members in the basics of cyber security, we rob them of that critically important discomfort I felt when confused about “Excess Seven.” By making things too easy, we rob them of the urgency that comes from not understanding something they know they should. By dumbing things down, we mislead them into thinking that cyber security is simple. And we all know this is not the case.
If you are involved in board-related meeting planning: I’d request that you do the following: From this day on, please agree to no longer support, provide, or condone overly basic, super-simplified training for your members in cyber security. Instead, let’s demand that directors be briefed on issues as capable, experienced, and knowledgeable peers. Let them experience our field in our language and let them self-assess whether they understand what is going on.
Look, I fully understand that this will take some courage and resolve. Early reviewers of my thesis have chuckled at the impracticality of going against the grain. Boards will not go for this, I am told. Our CEO will be furious, I am told. We already have someone on our board who understands technology, I am told. Our board secretary simply will not allow this, and on and on. I fully hear your valid claims and it only pushes me more to urge you to action.
If you are a board member reading this – well, I suspect that you might be upset with my comments. But please take a moment to reflect on the grave fiduciary responsibility you’ve accepted as a director. This comes with the implicit understanding that you have the requisite skills to govern. And just as you would never expect to be briefed on corporate finance 101 or basic marketing, you should similarly not demand to be briefed on elemental cyber security.
No – instead, it is your personal responsibility to rush to your own version of the Bell Labs Library. And if you must even ask here how to proceed with such a self-learning process for cyber security (hint: check out my Coursera lectures on the topic at https://www.coursera.org/specializations/intro-cyber-security), then I’d recommend that you initiate that introspective self-evaluation process that served you well in your career. That is, you must ask yourself if you are still fit to serve. (Gulp.)
So, please – let’s all agree right here and now that as security experts, we will stop agreeing to offer 101-type training for corporate boards in cyber security. Instead, let’s agree to briefthese wonderfully capable executives on security issues as professional and experienced peers in our language. And if you sense during your briefing that there is slight discomfort amongst the participants in the board room, then you will know that you are doing this correctly.
Sorry for the tough love here. Let me know what you think. (I’ll duck.)