Cyber Risk and Changing Corporate Structure

With a growing list of CEOs losing their jobs because of cyber attacks and data breaches, it’s time for corporations to change how they operate. Escalating cyber risks necessitate two core corporate structural changes. First, the role of the CIO should be elevated, reporting directly into the CEO and gaining corporate board visibility. Secondly, corporate boards must form cyber risk audit committees. Today, boards maintain financial audit committees to monitor company financial risk, internal control processes, and oversight of financial reporting and disclosure processes. They must follow that model again in order to gain oversight for monitoring and disclosing relevant cyber threats.

The rise of cyber threats and attacks is a direct result of changing business environments. These changes are impacting every organization. As I wrote about in Digital Destiny, all businesses are digitizing and this changes business as usual. As Ginni Rometty, IBM’s Chairman, President and CEO, put it, “data is the phenomenon of our time. It is the world’s new natural resource. It is the new basis of competitive advantage, and it is transforming every profession and industry. If all of this is true – even inevitable – then cyber crime, by definition, is the greatest threat to every profession, every industry, every company in the world.” But despite this sea change, corporations have not changed the way they operate. While organizations are making investments to mitigate cyber threats, they have yet to make sufficient operational changes. Consider research from Ponemon Institute which found corporations have 62 percent of their potential lose from Property, Plant & Equipment (PP&E) assets covered by insurance while only insuring 16 percent of the potential lose of information assets. Organizations have yet to operationalize cyber risk like they have for other business risks.

The first structural change involves elevating the CIO to report to the CEO and gain direct visibility to the Board of Directors. CEOs are waking up to the fact that a major data breach will cost them their job and their reputation and they will increasingly want more direct oversight of the CIO.

Historically companies employed CIOs in one of two primary ways. They either focused on technology development and R&D initiatives within companies pursuing a product differentiation strategy OR they supported the CFO by helping to lower costs and gain efficiencies. This is the approach of companies seeking competitive advantage by lowering their cost structure. Management often has a dual mandate to find innovative ways to deliver value to customers AND to deliver value at a lower cost. But in almost all cases the later mandate is strongest. Companies benefit by delivering value at a lower cost and CIOs’ roles evolved to focus on corporate efficiency and productivity gains. Reporting to the CFO forces CIOs to have a narrower financial focus and quantify the success of technological investment. Having a CFO-CIO reporting relationship tempers IT investment decisions, controls costs, and makes the organization IT-conservative relative to its peers. This is not the corporate philosophy you want when cyber risks are operational risks too.

Research from Gartner and Financial Executives Research Foundation (FERF) estimates 42 percent of CIOs report to the CFO. For smaller corporations with revenue between $50 million and $250 million, the CIO or IT organization is reporting into the CFO 60 percent of the time. Past research finds CIOs are generally not included in strategic planning initiatives. In many cases, CIOs were brought on to implement and manage enterprise software solutions that most directly benefited the CFO and as a result the CIO’s primary strategic role developed as support for other departments within the organization.

Mounting cyber risks introduce new challenges for organizations. They must now maintain focus on risks outside of their core business. As a result, corporations need to operationalize cyber threats because of the direct impact they can have on the business and the management team. Morever, cyber threats are outside the domain knowledge and professional interests of most CFOs. The role of the CIO is to support the strategic focus of the organization. The growing prevalence of cyber risks alters the strategic focus of every corporation and the CIO will increasingly be tasked with oversight of this now strategically important silo. As companies digitize, cyber risks are viable threats to every business even through they are not direct operational risks. CIOs will need board visibility to request funding and outline strategic initiatives. Overtime the CIO report will become a standard component of quarterly conference calls that have historically focused on financial reporting and operational information. Managing cyber threats and risks will become a core business competency for every corporation. Few CIOs become CEOs, but the path to CEO will change in the future as a result of these new operational realities.

The second major structural change organizations must undertake is to institutionalize cyber threat monitoring at the corporate board level. Similar to today’s audit committees, boards need to gain ongoing visibility and oversight for measuring and monitoring the company’s cyber risk profile, internal cyber control processes, and oversight for cyber reporting and disclosure processes. This change will drive additional focus and funding. In the coming years the board of directors will gain greater oversight and have great influence.

Rising cyber risks necessitates changing corporate structures. Elevating risks make it time to elevate the CIO as well as direct monitoring and oversight by the board of directors. These are simple corporate hacks that will improve corporation management as we press further into new digital directions.