Two industry experts from F5 Networks discuss the importance of fine-tuning the boardroom to keep pace with modern cyberthreats and offer advice on how to mitigate merger and acquisition cyber-risks.
Fine-tuning the boardroom
Tabrez Surve, Regional Head of Security, Middle East, Turkey and Africa, F5 Networks, examines why the c-suite needs to stay agile and keep pace with the times
Most major strategic shifts tend to happen at board level but does that necessarily result in optimal outcomes? Are the right people always present to help make, or at least guide, the big calls?
Involving the right people at the right time seems logical but it doesn’t always happen. The right questions aren’t always asked. Nuance and long-term operational impact can get ignored.
Cybersecurity is essential to any credible business strategy. Unfortunately, too many boards overlook its importance. Budgets are assigned without context or insight and overall performance suffers accordingly. Today, the voices of security experts should be heard loud and clear at the top table. There are many ways this could happen, but one obvious tactic is to elevate the importance of the Chief Information Security Officer (CISO).
For many, this still represents a journey. CISOs, though growing in prominence, still struggle to wield influence at board level. According to recent F5-sponsored research by the Ponemon Institute, only 19% of CISOs reported all data breaches to their board of directors. Furthermore, 46% admitted that CEO and board-level communications only happen in the event of material data breaches and cyberattacks. This is a serious strategic disconnect. CISOs need to be an active and respected contributing presence at board level.
Gender and inclusivity
Though exceptions exist, global boardrooms tend to be male dominated. This is a mistake on a multitude of levels.
Diversity of talent, background and opinion can only lead to more rounded, contemporary business strategies. A narrowing of perspective will always hit profit margins and innovation capacity.
Fortunately, the tide is starting to change. In 2011, 152 FTSE 350 companies had an all-male board. Today, it is just five. Recent reports also suggest that FTSE 100 companies are on track to have 30% of board positions occupied by women by 2020. In 2011, only 12.5% of FTSE 100 boardroom positions were held by women. While this doesn’t quite capture the big picture, or the specifics of a range of lingering inequalities, it is indicative of more progressive attitudes at the top.
Policies setting appropriate behavioural and cultural standards are now pivotal. It is all about shaping a company’s identity and configuring it for optimal performance. To fuel this process at F5, we recently hired a senior director of diversity and inclusion to help safeguard our future at every level of the organisation.
We also appointed our first ever Chief Human Resources Officer to ensure our organisation isn’t assembled in a lopsided manner. Both positions are held by women and both carry considerable influence at board level. The same structure may not work for every organisation, but a plan to continually and appropriately broaden and deepen the workforce is unavoidable for any business that wants to remain competitive.
In general, decision-making should be encouraged and should occur across the organisation. Siloed working is a thing of the past. The future is a fluid, rapid and collaborative model of engagement and strategy.
For example, some departments are responsible for game-changing insights and talent. Are they being adequately consulted and heard? Are they equipped to make decisions that matter? Organisational theorist Geoffrey Moore suggests the balance can be readdressed by ‘zoning off’ business departments with the most transformative impact. This, he argues, can increase productive decision-making options for boardroom consideration.
Ultimately, there is no one-size-fits-all solution to optimise communication, staff empowerment and innovation capacity. The main thing is for boardrooms to continually improve their access to differentiating intellectual capital, data and insight. The c-suite is always at its most powerful and influential when it stays informed, accessible and curious.
Mitigating merger and acquisition risks
David Warburton, Senior Threat Research Evangelist, F5 Networks, discusses how businesses and organisations can mitigate cyber-risks connected to the processes of mergers and acquisitions.
Bringing together two organisations is rarely a straightforward task. There are so many factors to consider from structure and staff to tools, cultural idiosyncrasies and beyond. Lengthy and in-depth due diligence is required to understand how all the pieces work or fit together.
Sadly, the same rigour isn’t always applied to cybersecurity. According to recent reports, it is estimated that four in 10 acquiring companies engaged in a merger or acquisition will discover a cybersecurity problem during the integration of the acquired company.
With the first nine months of 2018 alone resulting in a record US$3.3 trillion in merger activity (Financial Times figures), we can expect trouble ahead.
This is a massive oversight. Cyberattacks are now the biggest concern for businesses in Europe, Asia and North America, according to a recent study by the World Economic Forum. Drawing on responses from more than 12,000 business leaders across 140 countries, the report found that companies explicitly fear the potential for hackers to threaten their operations over the next decade.
Business-related cybersecurity risks are not helped by the many and varied IT complexities organisations face, such as the integration of legacy infrastructures, the rush to embrace Digital Transformation, the challenges surrounding shadow IT, as well as poor employee data management practices. All too often, these factors are overlooked when two organisations become one.
Risks specific to each party aren’t properly interrogated or understood in isolation, let alone how they will interact post-merger or acquisition. Here are some key considerations to avoid getting caught out:
Ensure technology is part of the negotiations. Technology must be on the agenda for any talks. Details to consider should include the industry quirks, geographic footprints and the nature of products and services provided. It is vital for companies to investigate all relevant cybersecurity and data privacy risks, accurately charting their future evolution and cross-organisational impact.
Transparency is key. Acquisition targets should be evaluated with the same rigour as any external supplier to the business. What security policies do they have in place? How are staff certified or vetted? What industry standards do they comply with? Always dig deep and work through all prior cybersecurity incidents, including successful and attempted data breaches.
Understand how such incidents were responded to. Only then can all parties be sure they are adequately covered for a safe and secure union. Not knowing about or understanding previous and extant security compromises is a major risk.
Consider information use in a post-GDPR world. It is more important than ever to fully grasp the extent to which a selling company gathers and uses personal information. This is especially true for customer-focused and highly sensitive proprietary data. Make sure all commitments and representations made by the selling company to customers in relation to privacy and the handling of personal data are reviewed. Depending on the residency of the customer, there is a strong probability that business security policies must be aligned with the EU General Data Protection Regulation (GDPR), as well as the laws of the country the data is held in. It is particularly important to determine whether additional consents are needed after merger or acquisition activity. Past failings or a poor network management history can now result in significant fines.
Appoint someone to oversee IT infrastructure alignment. Waste no time in ascertaining the reach and limitations of both parties’ existing security programmes. Once the deal has been concluded and the relevant documentation signed, it is crucial to appoint someone to oversee IT infrastructure alignment. Understanding the network, system architecture and data flows of both companies is key to avoiding headaches further down the line. The process should include establishing what sensitive data is held, where it resides and whether adequate measures are in place to protect it. At every juncture, it is essential to remind all staff to exercise caution when it comes to data privacy and cybersecurity.
There is no getting around it. Attackers typically view mergers and acquisitions as a prime opportunity. A lot of variables are at play and in transition. Attack surfaces widen overnight, and oversight becomes blurred as organisations suddenly sprawl off in new directions.
Cybersecurity should always be prioritised from the outset. A long-term plan with buy-in from both businesses is vital. It is important to act quickly, and there will be pressure to get back to business as usual. It is all too easy to become apathetic about, for example, the complexities of reviewing and consolidating security tools and practices across entire application portfolios. Getting buy-in for thorough cybersecurity reviews across both businesses from day one can be tough, but it is the only safe way ahead.