Why Your Company Board Needs a Digital Committee

Based on the outcomes of a survey conducted by them in 2015, McKinsey published an article in mid-2016 outlining how companies could adapt their Boards to the digital age. And despite the article being two years old already, it is still relevant since many companies have not made sufficient – if any – strides in adapting. As highlighted by McKinsey:

The solution isn’t simply to recruit one or two directors from an influential technology company. For one thing, there aren’t enough of them to go around. More to the point, digital is so far-reaching—think e-commerce, mobile, security, the Internet of Things (IoT), and big data—that the knowledge and experience needed goes beyond one or two tech-savvy people. […] Special subcommittees and advisory councils can also narrow the insights gap. Today, only about 5 percent of corporate Boards in North America have technology committees.

That same low figure would apply to the Boards of companies in other countries too, including Australia, and while it was expected to increase, there isn’t much evidence to suggest it has changed significantly in the last two years. And the longer companies take to introduce a digital committee to their Board structure, the longer it takes before the subcommittee is able to bring about meaningful change in how the company responds to technological and digital shifts.

Any Board would follow their own established process in setting up a new subcommittee, but it is essential that members of a Digital Committee should have the necessary experience and specialised skills within the digital realm. The role of the Digital Committee would be to investigate and recommend digital strategies that would help the company adapt to technological changes and continue to compete in a rapidly changing market. And at a minimum, their responsibilities and quarterly or annual reports to the Board should include the points outlined below.

The success of brands such as Uber, AirBnB, Stripe, Netflix, and Wish suggest that there is more than one startup poised to disrupt every industry, no matter how old and well-established it is. Five years after launching their video streaming service Netflix had 26-million subscribers. Two years later they had almost doubled to 50-million, and by mid-2018 that number had grown to over 120-million.

The 2017 Next Billion Startups List produced by Forbes and TrueBridge Capital had 70 percent of the startups concentrated in just five categories:

• Fintech
• Biotech & Healthcare
• New Space (the use of satellites to collate and analyse data for unique insights)
• Data & Analytics
• Logistics

But that only accounts for up and coming disruptors, not those that are already having an impact on established businesses. Mitigating the effect startups have on your company means the members of your Digital Committee needs to constantly be looking for ways to future proof your business, adapting to new technology and trends, while also looking forward to how things may change in the next few years. They should:

• Look at global challenges and trends – without losing focus on the challenges and trends within the markets you operate in, pay attention too to global challenges and trends. How will these impact your business, and what opportunities are there for your company to contribute in solving them?
• Pay attention to cultural, lifestyle, and value changes – Millennials specifically have values that are completely different to those of Baby Boomers and Gen X, and these are reflected in their lifestyles, the products they buy, and how they respond to marketing. How successful has your company been in responding to these, and how will you respond as the generations that follow Millennials start coming of age?
• What risks are there to your company’s core revenue streams – look at where your company was 10 or 20-years ago, and where it is now. What has changed in terms of technology, your products, and your revenue streams. Now assess what changes are currently taking place within your industry and how these could affect your company in the next 10 to 20-years. Consider the impact of automation, machine learning, remote work, and mobile devices, many of which will have some impact on every industry.

Penetration testing is the use of an authorised simulated attack on a company’s computer system, network, or web app, with the intended purpose of identifying – and attempting to exploit – vulnerabilities that would allow unauthorised access to the company’s systems, data and intellectual property, or malicious attacks on the network. However, penetration testing should also identify strengths, which together with the identified weaknesses allow for a full risk assessment, and corrective measures to be put in place.

Penetration testing isn’t a legal requirement in all industries, which is why many companies are either unaware of it or choose not to perform them. The Payment Card Industry, however, requires penetration testing to be performed quarterly and after every significant change to the network. Computer systems, networks, and web apps are all made up of a number of different software components, some proprietary and some licensed, and regular risk assessments and penetration testing can help identify vulnerabilities that exist as a result of bad coding, or a security patch that wasn’t applied when released. The Equifax data breach in 2017 wasn’t only the result of weak security, but also because of a security patch that was released in March 2017, but Equifax did not apply it until after the breach was detected.

Your Digital Committee will not only ensure that regular penetration testing happens, along with a full risk assessment, but also that the recommended measures are presented to the Board for approval, and then implemented.

Cybersecurity is somewhat related to penetration testing, but goes beyond identifying and eliminating system and network vulnerabilities. Cybersecurity is made up of the following elements:

• Application security, which is the use of various software, hardware, and procedural methods to protect applications from external threats. This includes the use of firewalls, data encryption, and authentication systems. Potential threats or risks include denial-of-service (DoS) attacks, intentional or accidental introduction of spyware or viruses to the system, and even the failure of storage devices.
• Information security, which can be summarised as CIA, with the following objectives:
  • Confidentiality, with sensitive information only ever accessible or disclosed to authorised parties
  • Integrity, by preventing unauthorised modification of data, and
  • Availability, by ensuring the data can be accessed by authorised parties when requested
• Network and operational security, falling under the framework of penetration testing and risk assessments.
• Disaster recovery/business continuity planning, while not the sole responsibility of the Digital Committee, the elements of the business continuity plan relating to the company’s systems and data would have to be compiled by the Digital Committee.
• End-user education, which includes educating all employees who work with or on the company network how to prevent attacks and the introduction of threats, and the process to follow in reporting anything suspicious.

It is not uncommon for large corporations to now have a chief information security officer (CISO) as part of their C-suite, and the chief information security officer would be an excellent addition to any Digital Committee.

Once something that only the largest of corporations needed to worry about, reputation management is – thanks to the internet and social media – something that all companies need to pay attention to. Where companies previously had to concern themselves with large scandals and mishaps becoming public knowledge, now a single, seemingly insignificant incident can cause considerable harm to a company’s image through a single Tweet. As noted by Merrie Spaeth, President of Spaeth Communications, Inc.:

Technology has democratized dissent. Anyone with a cell phone can complain and rally others.

Today reputation management means monitoring a variety of sources for mentions of your company or brand, and taking corrective action when any mention poses a risk of having a negative impact on your brand’s public image. From social media, through to review sites, forums, and personal blogs, your Digital Committee will need to ensure processes are in place for monitoring all possible channels, along with compiling a strategy detailing how to respond to any negative mentions. It’s impossible to predict what might trigger a negative response to your company, but often what matters most isn’t what went wrong, but rather how your company responds. And since technology has democratised dissent, reputation management is no longer just the responsibility of your communications or PR department, it is also the responsibility of your search engine optimisation (SEO) team – whether managed in-house or by a digital agency.

Having a subcommittee that addresses all things digital is not a requirement for any Board, but it has become a necessity that many Boards are slow to address. Traditional print newspapers and magazines that failed to respond to digital transformation soon enough are now either shuttered, or struggling to survive, and the same can be said for traditional broadcasters, satellite and cable TV, many of whom are now fretting about cord-cuttings impact on their audience numbers and revenue.