Ahead of her book launch, ‘Duty of Care: An Executive Guide for Corporate Boards in the Digital Era’, certified corporate director Alizabeth Calder is publishing a five-part blog series on IT World Canada examining 10 trends that will be shaping discussions in corporate boardrooms in 2020. Today is Part 2 of 5.
A trend is a movement; a shift in thinking or direction; a change in perspective. The key trends that will be impactful going into the next decade are not about technology – they are about what will be different for business.
Security – moving into genuine and knowledge-based oversight
According to Forrester, cyber security is the top concern for 54 per cent of companies surveyed in 2018. Ironically, while only 27 per cent of CIOs feel that they are prepared to identify and respond to an issue, close to 50 per cent of boards believe that they are properly secured, according to the 2018 – 2019 NACD Public Company Governance Survey. Security spending as a percent of budget is down, yet 58 per cent of boards feel that they are providing effective oversight.
As CIOs, we make decisions that effectively set policy around cyber security and controls every day. It is a challenge to get business engagement on cyber security decisions, so we tend to focus on the technology more than the governance, and on the tactical more than the strategic. We all have the high-risk examples: employees who are “too busy” to return the service desk call to complete a critical patch; salespeople who store customer PII data on their hard drive, and then leave their laptop to be stolen from the back seat of their car; executive pressure to open insecure channels to “make it easier”, enabling real events that can be traced back to the “make it easier” decision.
A fundamental shift is that regulatory changes are making the CEO and Board increasingly responsible. They may not understand the details, but they do need to care about the impacts. The trend is toward C-level executives more genuinely looking at their exposure to ensure that the necessary steps have been taken. We truly have moved into the age of “it’s not if, it’s when” a company will experience a breach, so the reputational and financial risks are coming to the forefront. What were previously technical incident investigations have become a business review of the actual impact of an incident and how the incident was allowed to happen in the first place.
Consider the 2014 customer data breach at Home Depot. The cost was in the hundreds of millions including payments to consumers, industry consortiums and bank partners. Home Depot directors and officers were named in derivative lawsuits. Although the suit was initially dismissed, it was recently settled to avoid an appeal. What tipped the litigation balance against the Home Depot board was the fact that the incident derived from the same known system gap that had impacted Target in 2013. It was one of the first instances of senior officials being held accountable for their security infrastructure failure.
In an environment where 93 per cent of breaches are considered preventable, according to the Online Trust Alliance, the CIO really needs to move from reporting on key cyber metrics to enabling fulsome discussions of business risks and trade-offs. CEOs are starting to be held accountable, so CIOs must find a way to explain what is being done, and what is not being done, to protect the environment. We have the opportunity to be more of a critical trusted partner than at any previous time in cyber security history.
Data – The abundance theory is in play
Ninety percent of the data in the world was generated in the last two years, according to Forbes. At our current pace, there are 2.5 quintillion bytes of data created each day. The trend in data is toward an almost overwhelming abundance.
While the Law of Abundance is a social manifesto for the things to do in a period of wealth, it offers some relevant guidance in the realm of data:
- Focus on the merits of the abundance
- Reinforce sharing and inclusive behaviour
- Make it a competence
- Step back from the rat race and look at the bigger picture
- Give more to get more
To fully realize the merits of the data that we have, we need to move toward data as a truly horizontal asset. We would never silo Human Resources or accounting functions, but we continue to align data by functional verticals. The trend is toward a more inclusive model of sharing, enabling better insight and better decisions. Consider banks as an example – for years the retail bank and the wealth management groups were separated by a wall of purported privacy. For wealth clients that produced an unsatisfying experience where their millions invested did nothing to provide them better treatment in the bank branch. Most banks are now figuring out how to move data over the privacy wall to truly understand their customers.
Another interesting principle of the abundance theory would be the pressure to improve governance. Consider Facebook and the Cambridge Analytica scandal. Facebook deliberately set up some phone manufacturers as an extension of the business, rather than a third party, to circumvent customer permissions for data use. From the perspective of business value, the impact has been massive. The #DeleteFacebook movement impacted Facebook’s earnings reporting in July 2018, and the market responded. Facebook’s stock, trading at $217 on July 25, dropped to $176 on July 26 and even further to $124 on December 24, 2018, according to Yahoo Finance.
In the abundance of data, we as technology leaders assume some of that governance responsibility. If you are an officer of the company, you have a responsibility to ask the tough questions when ethical questions are at stake.
A final consideration as our sector moves into an abundance of data is that roles are fractured. Executives and boards are making decisions on how to allocate resources and invest; business leaders are making decisions on how to reduce expenses and enable growth; technology functions are left to unpack the issues related to the overwhelming growth in data. Abundance principles demand that we re-align the responsibility and governance frameworks to respect the bigger picture.