Cybersecurity needs to be front and center in business decisions, not just an ancillary assignment given to the IT department, said a panel of business executives recently at the Naveen Jindal School of Management.
The panel delivered their remarks on “Questions Every Board Member Should be Asking About Cybersecurity,” at a Feb. 25 breakfast presented by the Institute for Excellence in Corporate Governance in partnership with Richardson-based technology trade association Tech Titans.
Institute members and guests comprised a majority of the larger-than-usual audience of nearly 160 people. Tech Titans brought in about a third of the attendees.
Dennis McCuistion, a clinical professor in accounting and executive director of the institute, emceed the event.
Christopher Denton, principal security engineer at Intuit ProConnect, moderated the discussion, and the panelists were:
- Mark King, an IECG member as well as chairman, CEO and president of Micropac Industries, Inc.;
- Cynthia Pharr Lee, chairman of Dala Communications;
- Chad Pinson, executive vice president and president of engagement management at Stroz Friedberg, an Aon Company; and
- Wayne Reynolds, advisory CISO at Kudelski Security.
Tech Expertise Is Essential
The panelists agreed that having at least one board member with technical expertise is essential to understanding and addressing cybersecurity challenges — data breaches, phishing, malware and ransomware and the like — that can shut down a business. Pharr Lee explained that she had obtained a certification specifically related to cybersecurity oversight because she had been on boards that lacked technology expertise.
“I am by no means an expert,” she said. “I couldn’t build a thing or program anything, but I do believe it has given me a baseline in the boardroom to be able to exercise the oversight — the certification was in director oversight — so that I can ask the questions. I can almost understand the answers, and it’s made me attuned to what’s going on in cyber that affects the companies that I’m supposed to be helping along with my board leadership.”
Addressing Cybersecurity Threats — Principles To Put Into Action
When asked what he considered to be the most important principles a board needs to address potential cybersecurity threats, King identified five put forth by the National Association of Corporate Directors. Those principles are having an enterprise-wide approach, understanding the legal ramifications of a breach, integrating expertise in both the board and management and making sure the team has the resources to fund and budget resources.
Also, he said, a board should have a deep understanding of what risks can be mitigated and what risks they are willing to take. He also added a principle of his own.
“The one I’d like to add is number six, which is to be proactive,” he said. “You really have to be ahead of this game. You can’t be reactive. To go from reactive to a proactive role means that you’re prepared for the certain scenarios — and that means organizationally you’re prepared.”
Cross-pollinating Tech and Business
Jeff Sandene, a certified financial planner who owns Sandene Strategies, put the event together. As a member of both the institute and Tech Titans, he saw an “easy and natural” opportunity for collaboration between members of both groups.
“Tech Titans has a long history and obvious connection with the Erik Jonsson School of Engineering and Computer Science,” Sandene said. “Since today’s cybersecurity program is at the intersection where technology and business decisions collide, it made sense to deal with cybersecurity as a business problem and to address it using resources of the Jindal School of Management.”
Sandene said the institute delivered the perfect audience of board members and C-suite executives to discuss cybersecurity at a high, strategic level.
“It was great to see the cross-pollination between technologists and business leaders who wouldn’t normally get a chance to interact,” he said.
Call to Action
According to McCuistion, the purpose of events such as the breakfast is to make the institute’s members better governance professionals. He said the program did just that.
“I think everybody in the institute is aware of the subject of cybersecurity,” McCuistion said. “I think what the speakers said today will give them some absolute specifics as to what they should go back and do.”
Those specifics, McCuistion said, include understanding that cybersecurity should be integrated into the overall strategy of the organization’s operations.
“It can’t be just an assignment given to the chief information security officer,” McCuistion said. “The board has to take its part, as does management. Communication throughout the organization has to be continual, and at a very high level. They have to know what the big risks are, not just in terms of opportunity and impact, but also velocity.”
The next Tech Titans Industry Lunch, “Transforming Engineering: Industry’s Role in Improving the Landscape,” will be held March 6 at the Prestonwood Country Club. It features Dr. Stephanie G. Adams, Dean of the Erik Jonsson School of Engineering and Computer Science at UT Dallas.