Over the course of 2023, we posted a series of posts on the issues and risks which Boards of Directors should consider related to emerging technology and cybersecurity. Global polycrises, exponential technological disruption, and unprecedented historical uncertainty aside: from OpenAI to FTX, the market and the media narrative have proven that fiduciary responsibility and corporate governance still matter. Find the 2023 series of posts here. We plan to continue this series in 2024.
Technology and Cybersecurity Risk Management and Strategy for Board Members
Cyber Defense Insights and Resources for the Corporate Board (Human Risk Management, Social and Human Engineering)
In the shadow of the recent MGM cyberattack (and other recent ransomware attacks in the U.S. and in the Pacific Islands), cyber defense is in the spotlight. Specifically, what role should corporate boards play in human risk management, as well as in social and human engineering defenses? Following are OODA Loop resources on these cyber threats, addressing the question of whether “the human factor” is properly addressed at the company culture level – or is it purely an IT operational concern?
The MGM Cyberattack Should be a Wakeup Call for Corporate Boards: Will they hit the snooze alarm again?
Our research and tracking of the global information war and the dramatic increase in ransomware attacks over the last three years have been indicating, for some time, that more attacks were coming and that corporate boards and their directors should prepare. The MGM ransomware attack makes this point well. Details here.
As cyberattacks intensify, more and more organizations recognize the need to have a strong security culture for all employees. This cyber-aware workforce is a necessary addition to a skilled and knowledgeable security team and the use of advanced cybersecurity solutions. Employees who know how to practice good cyber hygiene are increasingly seen as a crucial line of defense.
What The Board of Directors Need to Know about Quantum Science and the U.S. National Cybersecurity Strategy
Quantum Cyber Breakfast at RSAC 2023 was a fundraiser for the International Cybersecurity Championship. This Quantum community event included industry leaders and professionals—including our own OODA CTO Bob Gourley and Katzcy CEO Jessica Gulick. Following is a Panel Description, Panelist Bios, and a compilation of resources from the companies represented on the panel and/or the panelists themselves. All of the links here are related to the questions (which were addressed by the panel).
Bob Zukis is a man on a mission to improve the ability of corporate America to succeed in a complex digital world, even when under constant cyber attack. Bob is the CEO and founder of the Digital Directors Network, the global pioneer in helping corporate directors advance their understanding of systemic risk. We consider Bob to be the world’s leading advocate for improving cybersecurity governance. His many articles published in major business journals and impactful books on the topic make this case well. Bob has worked with, studied, and been on corporate boards for years and now teaches corporate governance as an Adjunct Professor of Management at the USC Marshall School of Business. He is co-author of the book The Great Reboot. We examine the book and Bob’s approach to helping corporate directors mitigate cyber risk in this OODAcast.
This report provides insights for corporate directors and the C-Suite including CISOs on the new SEC rules on cybersecurity.
Corporate Directors should not wait for final rules from the SEC to start gap analysis on how the corporation is managing cyber risk. Some steps that can be taken right away:
Odds are very high that any publicly traded company has institutional investors. That is just the way the world works these days. Among America’s largest companies, 72% of their ownership is by institutional investors (the big ones being BlackRock, Vanguard, UBS Group, Fidelity, State Street, Morgan Stanley). These and many other institutional investors also invest in smaller publicly traded companies. Since by law and court precedent Boards work for their shareholders, every director in every publicly traded firm should care about what these big institutional investors think. The biggest and most influential of all is BlackRock, with $9.5 trillion under management. So when BlackRock CEO Larry Fink takes time to put his views into writing, we should all pay attention.
What Executives Need To Know About The Annual Threat Assessment from the U.S. Intelligence Community
The Annual Threat Assessment of the U.S. Intelligence Community is an unclassified report released each year concurrent with testimony before Congress by the Director of National Intelligence. The report focuses on what the ODNI believes are the most direct, serious threats to the U.S. during the next year. OODA leverages the details of this report in our research and reporting; every year we use it as a foundation for updates to our threat assessments and our C-Suite report. We read the report looking for surprises or changes to assessments that need to be immediately highlighted to business leaders. This year we found several interesting nuances to bring to your attention.
Editor’s note: Rod Hackman is an experienced business leader whose early career included managing US Navy shipboard nuclear reactors, a position which required him to interview with and work under the famous Admiral Rickover. We found Rod’s insights on how the board of directors should approach cybersecurity to be insightful and in some ways reminiscent of leadership lessons from Admiral Rickover, who long taught that responsibility for critical issues can never truly be delegated. – bg
Additional OODA Loop Resources
For further OODA Loop News Briefs and Original Analysis on these topics, go to:
Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk
Computer Chip Supply Chain Vulnerabilities: Chip shortages have already disrupted various industries. The geopolitical aspect of the chip supply chain necessitates comprehensive strategic planning and risk mitigation. See: Chip Stratigame
Proactive Mitigation of Cyber Threats: The relentless nature of cyber adversaries, whether they are criminals or nation-states, necessitates proactive measures. It’s crucial to remember that cybersecurity isn’t solely the responsibility of the IT department or the CISO – it’s a collective effort that involves the entire leadership. Relying solely on governmental actions isn’t advised given its inconsistent approach towards aiding industries in risk reduction. See: Cyber Defenses
The Necessity of Continuous Vigilance in Cybersecurity: The consistent warnings from the FBI and CISA concerning cybersecurity signal potential large-scale threats. Cybersecurity demands 24/7 attention, even on holidays. Ensuring team endurance and preventing burnout by allocating rest periods are imperative. See: Continuous Vigilance
Embracing Corporate Intelligence and Scenario Planning in an Uncertain Age: Apart from traditional competitive challenges, businesses also confront external threats, many of which are unpredictable. This environment amplifies the significance of Scenario Planning. It enables leaders to envision varied futures, thereby identifying potential risks and opportunities. All organizations, regardless of their size, should allocate time to refine their understanding of the current risk landscape and adapt their strategies. See: Scenario Planning