While advising the board of directors of a company to pay close attention to data security issues is akin to your dentist telling you to floss, the stakes are too high for a board to ignore. The board of any company must constantly monitor and assess its company’s data security procedures and potential risks. Although there is no strategy to prevent a security breach, each member of a board must exercise its fiduciary duty to consider the risks to a company. To the credit of many companies in the last several years, the assessment of data security risks has achieved a more pronounced position.
Although it does not make me particularly popular at cocktail parties, I enjoy following the trends that are reflected in surveys of board members on governance issues. Please suspend your disbelief of lies, darned lies, and statistics. Broad surveys of directors for many major companies provide a pulse for American companies. PwC’s 2015 Annual Corporate Directors Survey, which was released on Oct. 22, 2015, provides an interesting snapshot of the views of corporate America.
Among other topics, PwC correctly asks the question, “Is every company now a tech company?” The survey responses highlight an interesting dichotomy of views among directors.
For example, the following percentages of directors claim that their board is at least “moderately” engaged in the following issues:
- The risk of cyberattacks – 83%
- The company’s annual IT budget – 67%
- How the company uses social media and other emerging technologies – 49%
Now, as you consider those results, consider the following results:
- 37% of directors say IT strategy expertise is a “very important” director attribute, while 65% of directors say they should spend at least “some increase in time and focus” on these issues
- 33% of directors say cyber risk expertise is a “very important” director attribute, while 46% of directors say should spend at least “some increase in time and focus” on IT risks (including cybersecurity)
Please forgive the pun, but something does not compute in those numbers. I believe that we are seeing corporate America come to grips with the importance of addressing data security, information governance, and “big data” issues. Eventually, one should expect to see the “director attribute” figures for IT strategy and cyber risk expertise rise among corporate directors.
Survey results do not reflect board governance concerns for every company, but the PwC survey results offer an interesting view of reality for companies that do not have the appropriate attention or appropriate expertise regarding cyber security and IT concerns. When a board member receives the phone call or email alerting her to a major security breach, that board member can rest easier if she knows the board did all it could to minimize the risks and have a plan to respond quickly.