Board members are becoming increasingly aware of their own accountability and risk in the event of a cybersecurity breach. By 2020, 100% of large companies will be asked by the Board to report on cybersecurity, an increase of 60% in four years.
What boards are not asking for is a lot of detail they will not understand and that will just cloud their ability to make good decisions on your behalf. Instead, I recommend shaping the board around three important mindsets which I treat as building blocks.
Building Block 1: Cybersecurity is about Risk
The risk is no longer just an IT issue, but an enterprise issue with costs and penalties at every level, from company mission and profit, to employment, and to financial and legal consequences.
Risks are proportionate to threats, vulnerabilities and consequences.
Therefore, boards need to be informed about
Building Block 2: Cybersecurity is about Risk Mitigation
Mitigation is about reducing the threats, vulnerabilities and consequences your company faces.
And it starts with the Board. Often overlooked is their own vulnerability. The Board is privy to a lot of information, much of it confidential, and much of it being communicated on their own devices. Security measures need to be in place for them that reflect the policies and procedures of the company.
By extension, the Board needs to be aware of how training and education are implemented and practiced among all employees.
Building Block 3: Cybersecurity is about Risk Mitigation Strategy
A number of boards are now discussing the value of having a cybersecurity specialist on the board in order to bridge the gap between the board’s lack of knowledge and the increasing expertise they must have in front of them. At the least, they must address who in the company reports to them. Ideally, it is the same person each time. Boards are increasingly aware of the time they must now give to cybersecurity issues in their meetings, and to being able to understand these essentials:
The CIO who builds these into the working knowledge of the Board will find a Board and CEO ready to build back into them and into the IT needs the CIO represents.
Which of these has been most critical in your own work with boards? Tell us below.
“Take away my people, but leave my factories, and soon grass will grow on the factory floors. Take away my factories, but leave my people, and soon we will have a new and better factory.” – Andrew Carnegie
We suffer a deficit of IT and cybersecurity professionals. Projections put the number of vacant positions in the millions. That means the competition for good staff is tough. It also means the temptation to make desperate hires is great.
But a bad hire can devastate your company.
So what are the guardrails you need in place to ensure that you are hiring a quality person who will move your company forward?
Let’s look at four: Character, Commitment, Cultural Fit and Competence.
One professional football coach, prior to each draft, would put these initials next to the names of potential players: DNDC – Do Not Draft, Character. The coach understood that character detrimental to the team was not easily corrected or coached.
But how do you explore character and avoid legal entanglements?
Behavioral assessments are based on the belief that past actions are the best predictor of future actions. The key is to identify the character essentials you are looking for, translate them into behaviors, and then ask about past experiences with each.
For example, let’s say you are looking for the following essential character traits:
Disciplined. Compatible. Positive. Compassionate.
Those traits have certain behaviors, such as:
Being on time. Resolving Conflict. Handling criticism well. Partnering in a company’s community service.
Those behaviors translate into important, demonstrable and perfectly legal questions:
When was a time that you had to go to extra lengths to make sure you finished a project on time?
Tell me about a person you had a difference of opinion with and how it was resolved in a manner satisfactory to you both.
When did you receive a criticism, and how did you turn it into a learning opportunity for yourself?
What did you do in the last community service project you volunteered for?
Resumes can be deceptive. Either a long tenure at one company or frequent job changes can indicate strength or weakness. Longevity may signal insecurity as much as tenacity. Short stays may point to a lack of commitment, or to promotions or life circumstances.
I prefer a different formula to determine a candidate’s commitment:
Shared Conviction + Rich Participation = Bedrock Commitment
Shared conviction exists when an employee agrees that why a company does what it does matters. Rich participation exists when an employee buys into how a company does what it does. “Rich” indicates that they invest in the values that are important to you and find new ways to best express those values.
How do you know if they possess shared conviction and will bring rich participation?
Let’s say that you own a chain of fitness clubs and your big Why is “to promote health to persons of all body types so that they feel good about themselves and put a smile on the doctor’s face.” How you accomplish your mission is through customized training at affordable prices in well-kept facilities filled with accepting persons. The four qualities found in that last sentence each have strategies and processes behind them.
Here are some sample questions I would ask a prospective IT person working in my company:
“When was a time you recognized that someone was making an effort to improve their health? How did you encourage them? What did you feel inside yourself as you watched them work at it?”
“When was a time you adapted to a company’s process? Along the way, as you discovered how a process could be improved or done differently, how did you communicate that?”
The key is to ensure that the person you are hiring isn’t just filling a spot. Instead, they are investing who they are into what you do.
Culture transcends character and commitment. You can hire a person of great character who is fully committed, but if they are strait-laced and paired with a team of practical jokers, the lack of chemistry will blow up morale and productivity.
Personalities can learn how to work together, but culture is more than personality. Culture is the way things are done that personality must bend itself to. Culture can be disciplined, loose, competitive, confrontational, non-confrontational, professional, artistic and so forth.
Know the culture of the team your hire will be working with. Assign behaviors to it. Ask questions about how the candidate has demonstrated those behaviors. One example: The culture is confrontational, and it’s confrontational because one mistake can cost the team valuable time and money. A behavior is the need to be able to defend an idea or position. The question: “Tell me about a time you put forth an idea that was challenged. How did you defend it, and how did you fight off any discouragement because you were challenged?”
I saved this for last, because you have any number of ways to test for competencies, whether it’s their understanding of technologies, designing technical architecture, systems integration or project management.
The insight you need is the complement of a candidate’s competencies with the team (s)he will be working with.
Though a wrong hire can devastate a company, the right hire may accelerate what you are all about.
Which of these have proven most important in your hiring? Help us to learn from you in the comments below.
Your body is amazing.
It is comprised of six major systems whose functions all interact with each other. Not one survives without the others. Remove one from your body? You die.
(Just in case you were wondering: Skeletal, Muscular, Nervous, Digestive, Respiratory and Circulatory).
IT management also consists of six major functions that interact with each other. Fail to develop and maintain health in these, and you invite serious dysfunction; weakness in one weakens all.
How does your IT leader communicate with peers and executives?
How do you coordinate when IT cannot make a decision alone?
How does IT partner with senior managers in strategic development and complementary focal points?
How does the Board understand IT issues and what must they know to make appropriate decisions?
How do you ensure that you hire, develop and retain the best talent?
How do you manage the gap of knowledge between managers and tech specialists?
How do you navigate leadership of highly smart and variously motivated employees?
How do you know what your talented people can or cannot do?
Cost and Accounting
How do you get the right people in decisions and safeguard what is in the interest of the company and not just a particular department?
What determines value for IT and where to invest for maximum return?
How do you know what projects to invest in, and what determines their priority?
When do you know to expand the scope of a project or not?
How will you budget while allowing for uncertainty in project time and cost?
What budget considerations do you make for the need to learn during the course of a project?
What is the chain of communication for when problems arise?
Partner and Services
What is essential in the agreements you structure with outside partners and vendors?
What is the selection process?
How do you know what must stay within the company’s walls and what need not be?
Who will we use for outside eyes?
How much do you invest in maintenance versus new capabilities, and how do you know when new is needed?
What is your Business Continuity and Disaster Recovery Plan?
How much will you invest in redundancy?
How do you identify emerging threats and opportunities?
How does emerging technology integrate into your strategic plans?
In coming weeks, I will address each of these. But a major takeaway for today is that every company needs to bring in outside eyes to evaluate each of these functions: we don’t ignore our body’s systems, and we don’t ignore our company’s IT systems. The last thing you want is an IT emergency that could have been avoided.
Last week, I wrote “Disaster Recovery is about the information or technology systems that support business functions. It is a component of Business Continuity (BC), which plans to keep all aspects of business functioning during disruptive events.” We also learned together the critical need for DR.
But what really needs to be in the plan? Twelve questions begging to be answered:
1. What are the potential interruptions?
The key is to list all the ways in which business function could lose support, prioritize the likeliest, and address each with a plan. Today, cyber-attack is an increasing threat, and should be in the top of your list.
2. What are all the possible impacts?
A Business Impact Analysis (BIA) evaluates financial, safety, legal and public relations effects, and addresses how confidentiality, integrity and availability will be maintained.
3. Who calls for the DR to be enacted, and who is called when it is enacted?
A DR Plan spells out expectations of the roles and responsibilities for C-Suite Executives and the employee chain in the event of disruption. The chain of communication must be established as to who calls for DR enactment, and then who is called: What employees must come in and how they are to be contacted, with all contact information at hand.
4. Who updates the DR Plan?
Technology, system and application changes, all of which are frequent, may affect the effectiveness of the DR Plan. Who communicates the updates? Who adjusts the DR Plan and communicates the changes?
5. How often will you test the DR Plan and run drills?
Data breaches happen. It’s rare that a job will be lost or a company’s reputation hurt over the breach itself. The damage depends on how well the company responded to it. Failure to respond properly leads to loss of employment and reputation. The only way to respond professionally is to have an exhaustive plan and to ensure that it works!
6. Who is responsible for hardware and software inventory?
Make sure the vendor technical support, contract and contact information is readily accessible in the event of a disruption.
7. What is your Recovery Point Objective (RPO) and your Recovery Time Objective (RTO)?
RPO is the maximum period in which data might be lost from an IT service. It answers the question, “How much time can we tolerate having to recover or rewrite lost content?” That determines your backup frequency. RTO addresses the target time to recover IT and business activity.
Prioritize plans based on what needs immediate recovery, what is acceptable to be recovered within a business day and what can be recovered within a few days.
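As an added illustration (not part of the original post), the Python below checks a constructed service inventory against the RPO and RTO targets described above and sorts it into the three recovery tiers; the tier boundaries, the Service fields and the sample services are assumptions made for the example.

```python
from dataclasses import dataclass

# Tier boundaries (hours) are assumptions for this example, not figures from the post.
IMMEDIATE, BUSINESS_DAY, FEW_DAYS = 1.0, 8.0, 72.0

@dataclass(frozen=True)
class Service:
    name: str
    rpo_hours: float              # max tolerable data loss, set by the BIA
    rto_hours: float              # target time to restore the service
    backup_interval_hours: float  # how often backups actually run
    drill_recovery_hours: float   # restore time measured in the last DR drill

def rpo_gap(svc):
    """Hours of data loss the backup schedule allows beyond the RPO (0 if compliant):
    a backup every N hours can lose up to N hours of data, so N must not exceed the RPO."""
    return max(0.0, svc.backup_interval_hours - svc.rpo_hours)

def rto_gap(svc):
    """Hours the last drill's recovery ran past the RTO (0 if compliant)."""
    return max(0.0, svc.drill_recovery_hours - svc.rto_hours)

def recovery_tier(svc):
    """Place a service in the post's priority tiers by its RTO."""
    if svc.rto_hours <= IMMEDIATE:
        return "immediate"
    if svc.rto_hours <= BUSINESS_DAY:
        return "business_day"
    return "few_days" if svc.rto_hours <= FEW_DAYS else "deferred"

def dr_review(services):
    """Return (findings, plan): findings are RPO/RTO gaps to close before the plan
    can be trusted; plan lists service names per tier, shortest RTO first."""
    findings, plan = [], {}
    for svc in sorted(services, key=lambda s: s.rto_hours):
        plan.setdefault(recovery_tier(svc), []).append(svc.name)
        if rpo_gap(svc):
            findings.append(f"{svc.name}: backups every {svc.backup_interval_hours}h "
                            f"exceed RPO {svc.rpo_hours}h by {rpo_gap(svc)}h")
        if rto_gap(svc):
            findings.append(f"{svc.name}: drill recovery {svc.drill_recovery_hours}h "
                            f"missed RTO {svc.rto_hours}h by {rto_gap(svc)}h")
    return findings, plan

# Constructed sample inventory for the example (not real systems).
INVENTORY = [
    Service("payments-api", 0.25, 1.0, 1.0, 0.75),         # backups too infrequent for RPO
    Service("customer-portal", 4.0, 8.0, 4.0, 10.0),        # last drill missed the RTO
    Service("reporting-warehouse", 24.0, 48.0, 24.0, 30.0),
    Service("archive-search", 168.0, 120.0, 168.0, 100.0),
]
```

Running `dr_review(INVENTORY)` returns two findings (an RPO gap and an RTO gap) and a plan that puts payments-api in the immediate tier; a finding on a drill result is what question 5 above is meant to surface before a real disruption does.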
8. What is your communication plan?
In the event of a disruption, Who needs to know What by When and from Whom? This also includes a prepared statement that will be accessible on your public platforms, and a plan for how and when customers receive initial communications and updates.
9. Where do you go if you can’t go to the office (or usual place of business)?
The DR Plan should address alternative worksite options, including telecommuting. Employees will need to know how to access systems from the alternative sites, and IT will need to ensure that compliance requirements are being observed.
10. Are all your vendors and contractors prepared to help?
The DR Plan must ensure that Service Level Agreements are in place, addressing how vendors and contractors are to help and the timeliness by which they are committed to respond.
11. Do you have operations and procedures in place to protect and access sensitive information?
12. Who is in Second Chair?
If a key employee is not available during a disruption, who knows what they do in order to perform their responsibilities in a crisis?
I hope you never have to enact your DR Plan. But I am available to make sure you have addressed all the key components for your business, and that you not only have a plan, but that it works and that you know how to use it.
What other questions do you have about DR Plans that I can help you with? Please comment below so that others can learn with you.