Sunday, March 22, 2015

Board Directors Perspective: Data Risk Business Process Reengineering...

The ranks of established Fortune 500 companies have been studied in the latest NYSE Corporate Board Member's Annual Directors Survey.  Spencer Stuart asked several telling questions in the Operational Risk Management (ORM) domain and the results may be enlightening:
Corporate Board Member's 12th Annual Director Survey Delves into How Directors Are Managing Some of Today's Most Pressing Issues for Public Companies While Keeping Their Boards Nimble:

This year we received nearly 500 responses from directors who didn’t mind sharing their opinions and comments on these issues. More than 70% came from those who identified themselves as outside directors, and another 20% said they serve as board chair or lead director. Forty-four percent have served on a board for more than 10 years, and another 33% have served five to 10 years. Just over 30% are at companies whose annual revenues are in the $1.1 billion to $5 billion range.

In fact, 55% of the directors we surveyed don’t believe it’s reasonable to expect that a public company board can ever fully get its arms around all the different aspects of risk in the current corporate environment (Figure 1), particularly the newer forms of technology risk like cyber risk and social media risk.
If you think "Social Media Risk" is NOT on the mind of the Board of Directors these days, then you would be correct:

Figure 2

Has Your Board Put Social Media on the Agenda?

Yes - 35%
No - 65%


The Social Media Risk to the enterprise has yet to be clearly defined to the majority of the Directors these days or they need more education on what the risks really are to the company.

If you think in 2015 a majority of the Board of Directors are still unsure about "Cyber Risk" you would also be correct:

Figure 6

How Confident Are You That Your Board Is Adequately Overseeing Cyber Risk?

Very -15%
Somewhat - 63%
Not Confident - 23%


The oversight of "Cyber Risk" to the enterprise is still in question by 85% of the Directors.  Why?

To quote Spencer Stuart's Report:
Boards must be ready to oversee a myriad of risks, especially those related to cyber security—and the social media realm—which is unfamiliar territory for some current directors (Figure 6). As a result, forward-thinking boards looking to refresh their ranks will want to add members who have technological and social media experience to guide the board in an arena where it is all too easy to make innocent but often damaging corporate blunders. Boards also value directors who have industry, financial, and regulatory experience, our results show.
Unfamiliar territory for Board Members?  Some current directors who are focused on corporate strategy or mergers and acquisitions would certainly not always have the knowledge or understanding of what the real "Operational Risks" are in the cyber and social media categories.  This makes sense.

What about adding new Board Members who have cyber and social media experience?  The enterprise must certainly pivot and adapt to this changing landscape of risks.  Will adding new Board Members make a difference?  Not likely.

There are some who are now advocating a "Presumption of Data Breach" strategy.  Simply put, what are we doing now, that our enterprise has been breached?  Instead of, what will we do if we ever have a data breach?  This subtle shift in thinking around the Board Room might move the percentage higher from only 15% who are "very confident" in overseeing their enterprise Cyber Risk today.

What if the Board of Directors had a discussion with management each meeting about what they were doing to contain the breach?  You see, the shift in mindset begins a whole new set of dialogue that is proactive and working on an existing business problem that requires remediation but also new thinking.  Unlike the reactive strategy of waiting until the legal and regulatory rules mandate the admission that a breach has actually occurred.

Finally, what if the enterprise were to embark on a Data Risk Business Process Reengineering (BPR) initiative?  You remember the BPR era from the 90's right?  Having a "Presumption of Data Breach" strategy should require the complete reengineering of our Data Enterprise Architecture itself.

Is end-to-end encryption the answer?  No.  Is segmentation of network design the answer?  No.  Are Next-Generation-Firewall's the answer?  No.  Is corporate end user education on cyber risks the answer?  No.  Are new rules and legislation the answer?  No.  Is a combination of all of these the answer?  Probably yes.

Data Risk Business Process Reengineering is a topic worthy of discussion at the next Board of Directors Meeting.  Include all the stakeholders.  Allocate the funds and the resources.  Next year the goal will be for 25% of directors to be very confident in the oversight of cyber risk in the Corporate Board Member survey.

In the mean time, the use of encrypted apps will become more pervasive:
Our Privacy Practices, in Brief:

Wickr has to collect some information from you in order to provide our Services to you, but we do so in a highly limited, highly secure way.


We use military-grade encryption. Our encryption is based on 256-bit symmetric AES encryption, RSA 4096 encryption, ECDH521 encryption, transport layer security, and our proprietary algorithm. 
We canʼt see information you give us. Your information is always disguised with multiple rounds of salted, cryptographic hashing before (if) it is transmitted to our servers. Because of this we donʼt know — and canʼt reveal — anything about you or how you use the Wickr App.

Deletion is forever. When you delete a message, or when a message expires, our “secure shredder” technology uses forensic deletion techniques to ensure that your data can never be recovered by us or anyone else.


You own your data. We do not share or sell any data about our users. Period.