To Govern or Not to Govern

CyLab study highlights gaps in Board oversight of security and privacy

By Richard Power

December 02, 2008 (CSO)

The millennial shift from the 20th Century to the 21st Century signifies the transition from the industrial age to the information age and from regional and national markets to global markets. It has brought profound new challenges to corporate board members and C-level executives in every economic sector.

Over the last two decades, a series of diverse and intense shocks—some economical, some political, some environmental, some technological, some related to the nature of crime, some related to energy security—have compelled business leaders to take a new look at how they govern.

Board members must assure not only the profitability of the corporation but also its survivability. In the 21st Century, the twin forces of the global economy and cyberspace have come to dominate our lives; the business risk matrix has broadened and deepened, and the survivability of corporations is threatened in new ways.

The world in general, and its commerce and communications in particular, are integrated and interdependent in unprecedented ways that have led to both enticing new opportunities and daunting new challenges.

As I write this article, the headlines are dominated by a global economic crisis, a savage seven-pronged terrorist attack in Mumbai, and the wild success of the Somali pirates in seizing control of a $100 billion Saudi oil tanker in 15 minutes.

But this rash of extraordinary circumstances is not an anomaly that could be explained away by astrologers. No, it is not a rare transit or an odd conjunction. It is just the acceleration of the trend line we have been on for two decades.

Consider some examples of the thousand and one natural shocks, to paraphrase Shakespeare, that corporate flesh is heir to in these challenging times:

  • Barings Bank
  • 1990s Asian Financial Crisis
  • 9/11 and Post-9/11 Terrorism
  • Enron, Arthur Andersen and WorldCom Scandals
  • Russian and Asian Organized Cyber Crime
  • Hurricane Katrina
  • Indian Ocean Earthquake and Tsunami (2004)
  • Corporate Spying Scandals, e.g., the Haephrati case and Hewlett-Packard affair
  • Societe Generale

Some of these "thousand and one natural shocks" involve activities and events over which the Board of Directors has some influence, such as those stemming from errors in judgment or ethical lapses on the part of employees or agents, while others, such as terrorist attacks and natural disasters, are the result of forces and circumstances utterly beyond the Board's control.

And yet, in regard to all of them, it is the responsibility of the Board to understand what must be done in order to avoid what can be avoided, and prepare for what can be prepared for as well as to oversee the implementation of such countermeasures. Any one of the events cited could cause a Board of Directors to review and revise its approach to governance of risk, security and privacy; but taken together, they constitute a call to arms for a comprehensive reorganization of how the Board conducts its oversight of risk, security and privacy.
