As the world races toward recovery, boards of directors across companies of all sizes are trying to figure out what’s next. And an increasing part of that “next” relates to security. As a result, many boards find their relationship to cybersecurity has been changing.
Today, fundamentally, I see two types of boards: those that take a defensive posture related to their security and those—to borrow a sports term—who play offense. The defensive boards still view cybersecurity as a cost center and as a tactical element that is about uptime and reliability. The offensive boards, on the other hand, look at IT as a strategic component and one that will help transform their business. Offensively minded boards are looking to transform the IT function from a cost function to a profit center. These progressive boards, which are becoming increasingly common, are always seeking out ways to increase revenue while simultaneously reducing risk.
Where Boards Focused During the Pandemic
During the pandemic, the role of IT was front and center for many boards. After all, it was IT that enabled work from home and supported ongoing business operations in a socially distanced world. While work from home is not a new phenomenon, prior to the pandemic, many CIOs did not have the mindset to have 90+% of their workforce connecting from home. Through necessity, executive management and boards came to realize that, in fact, employees can be productive when working from home. Once this remote work moved from being possible to being the needed reality, concerns during the early days of the pandemic shifted toward ensuring employees were connecting securely. Boards and executive management were also looking to learn about access patterns and whether it would be a better option to backhaul all of the traffic into corporate data centers versus using the cloud more often. Business resilience was the other issue that became top of mind for boards—and it’s one that remains critically important today.
Seeking Out Post-Pandemic Resilience and Innovation
Progressively minded boards are now looking to not just be resilient but also evolve the way they operate and innovate. Many boards are considering what their organizations should be doing differently— and better—now, than what they were doing prior to 2020. As a result, boards have been asking their executive management what steps can be taken to help ensure that when another unforeseeable incident happens, the organization has the right scale, capacity and strategy to weather the storm and come out stronger.
The Post-Pandemic Playbook for Boards
There are five key questions that boards will need to address, and will be asking leaders to address, in the post-pandemic period:
- How does IT make an impact on revenue? Boards will be asking IT leaders how the company’s technology strategy demonstrates an impact on revenue. To answer that question, IT will need to demonstrate a comprehensive digital transformation program that doesn’t just look at technology, but also looks at risk. When IT management presents to the board, there needs to be a full 360-degree picture of everything, versus simply the fact that they need to invest money into technology.
- Do you have command of the business risks to the company? The board will need to understand, not just from a technology perspective but also from a people and process perspective, all of the various impacts that cyber breaches have on the company. They will need to know that the company’s cybersecurity executive management has taken all the necessary steps to either mitigate or accept those risks.
- What are the business’s IT priorities? During the pandemic, priorities shifted. For many companies, this meant a large number of IT-related projects were put on hold. With the return to normalcy and more people returning to the office, the board needs to understand what the top IT priorities are for the business and the associated impacts of those projects on security.
- What is the path to innovation for the company? Boards, by their nature, are really concerned about the future. They want to know that their company is innovating, and that transformational programs are in place to help spur new growth. As the business looks to digitize and securely transition to the cloud for app development, storage, and compute resources, the board understands that there can be no digital transformation without cybersecurity.
- How is the IT organization improving itself? The board wants to know how the CIO and CSO are continuously improving both themselves and their IT teams in terms of skills and capabilities. That includes the ongoing challenge of talent management and attracting the right skills to the organization, as well as making sure existing staff have training and education programs as well. The board also needs to understand what the plans are for the IT leadership’s career development. Fundamentally, the board wants to know if and how the IT organization is developing new skills to cater to all the innovation that the business needs.
The pandemic period taught organizations what’s required to be resilient. The post-pandemic period will be the time when companies move beyond just resilience to focus on the things that drive successful outcomes and innovation as the global economy recovers—and from now on, managing risk will be a vital component of that.
For more expert advisory and insights on the issues shaping cybersecurity today, visit Palo Alto Networks CXO Perspectives.