In his latest article, author and professor Tony Gerth writes that while board directors have become more tech savvy, there is still a way to go.
A hot topic today is Board of Directors (BoD) oversight of digital technology investments and cybersecurity. Should the BoD have oversight? If so, how much? How do they do it? These and other questions are on the minds of board directors, CEOs, CIOs and CISOs, not to mention consultants and academics.
It is useful to review the responsibilities of a Board of Directors, especially those of a publicly traded company. Boards are primarily responsible for looking after the interests of shareholders. They accomplish this by providing oversight in three key areas:
- Strategic direction and advice
- Financial oversight
- Risk management
The BoD does not manage the organization. That is the responsibility of the CEO and top management team, although the board hires and compensates the top management team, especially the CEO. The BoD cannot dive into the details of every facet of the organization and at some level must trust, but verify, what the top management team reports to them. This is a common condition across all three key areas of oversight.
BoD oversight of technology is not a new management issue. In their 2005 HBR article, Richard Nolan and F. Warren McFarlan wrote that, “A lack of Board oversight for IT activities is dangerous; it puts the firm at risk in the same way that failing to audit its books would.”
In a 2006 study, board members unanimously reported spending time on IT risk, but only half of them said they discussed IT vision, strategy, and competitive advantage.
While these two articles are more than 15 years old, the insights they contain could very well be from a contemporary study. The only change might be to replace “IT” with “Digital”. It might be easy to conclude that we have not come very far in solving this dilemma in the past 15+ years. That conclusion would ignore the many ways that things have changed. While practices are still insufficient, there has been progress that suggests some optimism is warranted.
Progress has been made
A lot has changed in the world of technology since the early 2000s, which is shining a brighter spotlight on the issue of BoD oversight of digital investments and risk.
Increased focus on the issue from executives versus academics and consultants. More executives are recognizing the issue of board oversight. In most studies by academics and consultants (of which there are many!), board members list digital technology and cybersecurity as top issues.
Digital technology is much more embedded in organizations’ processes and strategies. A driver of the increased visibility is a recognition that digital technology is embedded in every organization’s processes and business strategy. Investments in technology need to be linked to strategy and strategy requires technology to be successful.
Executives are more digitally savvy today. This is a positive development, but still insufficient. Many still confuse familiarity with consumer technology with understanding the strategic use of digital technology and overestimate their knowledge. Board members’ demographics indicate that most do not have experience leading business technology transformations.
CIOs are more likely to come from a non-technical background. This suggests CIOs are more business savvy than in previous decades. A business-savvy CIO can communicate technology issues in business language more effectively to the BoD.
By Tony Gerth
The “crisis du jour” of needing cybersecurity expertise on the BoD is an example of the confusion around what is needed. Cybersecurity is clearly an area where the BoD needs to pay some attention, but it is defensive in perspective. No company will achieve competitive advantage by being good at cybersecurity. The more important issue is the lack of digital transformation experience on boards. This shortcoming impacts all three key areas of BoD responsibilities.
Strategic direction and advice: Digital technology is a competitive advantage and is required to execute any business strategy. Technology cannot be separated from strategy as simply “plumbing”. Many times the innovative use of digital technology will drive business strategy.
Financial oversight: Digital transformation requires extensive investment, and failure to execute effectively can result in large financial losses, staff burnout and attrition, and missed market opportunities.
Risk management: This is coupled with strategy and financial performance. It is also where cybersecurity strategy is so important. Raised awareness has prompted federal and state legislatures to propose hundreds of new bills focused on cybersecurity.
How to improve BoD digital literacy
- CIOs must partner with operating executives to clearly communicate the business impact of technology investments to the Board. Focus communication on the three areas that Boards care about the most: strategy, finances, and risk. Communicate how technology creates value through stories, not IT jargon. This is one way to educate the BoD on the important role digital technology plays in the organization’s success.
- Add two types of experience to the BoD. I differentiate experience from expertise. Expertise would be a cybersecurity expert or ERP expert. That is not needed on boards. The scope of BoD activities is too broad to absorb a technical expert. The first addition should be a seasoned CIO who has led digital transformations and been responsible for cybersecurity in a similar size organization and industry. The second addition is a business leader who has been an operating executive with experience partnering with a CIO on a successfully completed digital transformation. Merger and acquisition experience in each role would be preferred. In each case, the need is for a business executive with technology experience, not a technical expert. There are now courses for CIOs to learn to be effective board members, such as the Digital Directors Network.
- Allocate time on the board agenda for technology and cybersecurity that is commensurate with the importance of these topics to the health of the organization. This will be different for every organization based on its strategy and cyber risk profile. Studies suggest that all organizations should spend more time on these topics. It is just a matter of degree.
No modern Board of Directors can adequately provide oversight to the organization in terms of strategy, finances and risk without some knowledge of digital transformation and cybersecurity risk. If a BoD cannot hire the two archetype directors described above – a seasoned CIO and a business leader with digital transformation experience – they should hire a retired CIO or CISO to educate them on the risks, strategic opportunities and what questions to ask. While digital knowledge in business executives continues to grow, there is still a significant gap between what board directors know and what they need to know.