© anyaberkut/iStock/Getty Images Plus
FEI Daily spoke with Dennis Whalen, Leader, Board Leadership Center at KPMG US, about how boards can address the increasing risks around cyber security and data governance.
FEI Daily: Do you believe cyber risk and data governance requires a dedicated committee?
Dennis Whalen: I know there are lots of people who have strong views on this. What I tell directors is, you have to have it somewhere, and everybody on the board and the management team needs to know where that is. The place you put it has to have the time to deal with it professionally and the skills to be able to understand how to deal with it.
I think a lot of companies still have it in the audit committee, and for a number of companies, that could be the right place. But some audit committee agendas are overloaded.
We think the puck has moved a lot. Cyber is really, really important. But this whole notion of data privacy, data governance, is the next frontier. Europe has rules, California has rules. The complexity is high around data governance. And so, what we're telling people is, as a board, if you haven't been engaging with management, you've got to find a way to bring that into the conversation. It would not surprise me if, as companies start thinking about that, they wind up saying, ‘Maybe it is time to put a special committee around cyber and data governance,’ because it's bigger than just the cyber question, it runs across the business. That might be the straw that breaks the camel's back.
When you look at technology companies, cyber and data governance is their business, so they don't necessarily have to have a separate committee because it's so critical to the company itself. But then a lot of companies that have a lot of consumer data, whether they're banks or health care organizations, have different and unique needs. Then you have everybody else: the industrial companies that don't necessarily have consumer data. They probably don't need to have that separate structure.
Our message is, bring data privacy into the conversation. Think about how you're managing data from a governance perspective, and whether the model you had yesterday still is good for tomorrow.
FEI Daily: Who specifically does the board need to engage? What types of roles should they be connecting with when it comes to data governance?
Whalen: Finance sometimes gets in the mix there, but I think it really starts with the business when you bring this broader data governance conversation into the discussion.
And then, you've got to figure out how the company is managing it, right? Just because the boards haven't necessarily been focusing on this topic for the last couple of years, doesn't mean management hasn't been. So, what has management been doing, and is it enough? Do the employees understand their responsibilities in terms of managing data? Everybody's still doing phishing experiments at the companies, and I think the average company has 15 to 20% of its people who will still click on that thing, despite all the education. So, how do you make sure the day-to-day employee knows their responsibilities, too?
FEI Daily: Beyond training, what can really be done about that?
Whalen: Lots of companies have been doing some really good things to try to educate their workforces. It’s made an impact, but it hasn't gotten anybody down to zero or low single digits. At some companies, if you click on one of those phishing emails, you're automatically enrolled in a one-hour training program. To turn back on your Outlook email system, you have to complete the training.
The negative to that is, from time to time, I see emails that come into my inbox and I don't know if they're suspicious or not, so I just delete them because they don't look like the normal ones.
A couple of my clients have done some similar things and it creates that cause and effect. If you click on the wrong things, you're going to special training.
FEI Daily: Do you think boards are including data governance in their agendas for this year?
Whalen Companies like Facebook, Google and Microsoft, do. Because that's their business. But outside of a short list of companies, we don't think enough have it, and that's why we're signaling to boards: this is a continuous evolution. The bar's always moving. We think it's something you ought to, as a board with your management team, have a conversation and say, ‘If we don't have it, is that the right answer? If we conclude that's not the right answer, how do we pull the board into the process? And where in the board construct do we put accountability for it?’