Dear reader,

Welcome to The Director's Dilemma May 2023

Each month this newsletter looks at a real-life board scenario and considers a range of responses. The scenarios are de-identified to protect the individuals concerned. This month we join a not for profit board that is struggling to comprehend, let alone discharge, its duty around cyber security.

Of course, scenarios in this newsletter are general. I work with boards and directors as a confidential mentor and help them beat challenges and seize opportunities. If you would like personalised service, please call me.

To read this email in a web browser, go to www.mclellan.com.au/newsletter.html and click on 'read the latest issue'. I hope you will enjoy the latest dilemma:


Chloe is a teacher and recently joined the board of a not-for-profit that provides education and sporting opportunities to adults with disabilities.

She is enthusiastic and has been reading some old Company Director magazines that were given to her by a friend.

The board members are predominantly teaching and fitness professionals although the treasurer is an accountant.

None of them have business backgrounds and none are particularly into IT.

The magazines have a lot of articles about cyber security and Chloe is intrigued; she hadn't realised that she could be liable if the organisation got hacked or that there were standards of cyber security that the company should reach and maintain.

Chloe asked the Chair if they could perhaps have a short discussion of cyber security at the next meeting as she thinks it could be important.

The Chair said it wasn't worth an agenda item but that she would ask the CEO to cover it in her report.

When the board papers arrived, Chloe was underwhelmed to read that the IT was provided by a contractor, all staff had signed the ethical use of IT policy, and there was little likelihood of any hacker targeting the company because it was only small.

The CEO noted that all activities were funded with government grants and there wasn't any money to conduct cyber-awareness training or to investigate matters further.

Now the board is worried, and Chloe feels that they are blaming her for making them feel uncomfortable.

Given the lack of skills or funds, how can Chloe help her board to discharge their duties?

James' Answer

Chloe's organisation misunderstands that cyber risk is a business risk, not just an IT problem for larger entities. Small organisations can be more vulnerable to cybercrime due to limited resources. Directors have a fiduciary duty to act with care and diligence to guard against business risks.

Cyber security is crucial for service delivery in most organisations. Websites, emails, back-office functions like finance, and sensitive stakeholder information on staff, service beneficiaries and supporters, all need protecting.

A successful cyber-attack can leave an organisation unable to fulfil its commitments, leading to financial and reputational damage. In Chloe's case, this could leave the organisation in breach of the terms of its government grants.

Given the board's lack of cyber nous, I recommend that Chloe, as the one demonstrating the initiative, does the following:

  • Promotes board education. Share free resources online, such as those from the Australian Cyber Security Centre, National Cyber Security Centre (UK), and Australian Institute of Company Directors to build awareness, knowledge, and skills.
  • Pushes for a volunteer-based working group to establish a cyber risk management plan, identifying potential risks, assessing how to address them, and establishing appropriate mitigations. This can inform other directors of the specific risks faced by Chloe's organisation.
  • Advocates for resource allocation by empowering the CEO to dedicate staff time to cyber education (there are some free/cost effective options online) and exploring cyber and business resilience grants.

James Caws is a former director of Better Hearing Australia (Victoria), and Founder of Assessity. His current venture, Cyblee, helps organisations establish and maintain strong cyber security governance practices and cultures. He is based in Melbourne, Australia.

Julie's Answer

No director ever likes to be reminded of the risks attached to their board or company or the possibility of an unplanned-for adverse outcome. Professional company directors have been reading about cyber-security for years and we are getting used to the idea that it is up to us to show leadership and help management to protect the company. A board of people who have had no preparation for this responsibility, and who suddenly have it thrust into their consciousness, will almost inevitably react with denial and then anger.

Chloe's job, as a director, is to positively influence the way her board thinks and acts to serve the best interests of the company. She needs to communicate with skill and consistency. This is an important area for her board and also for the government that provides much of their funding.

The CEO is now aware of a risk that the company has no funding to address. Chloe should continue to discuss the topic with the CEO. She can suggest that the CEO start by asking their contracted IT provider to explain what level of cyber protection the company has and how that compares to the protections at other similar companies. Understanding what current good practice is, and what it might cost, are useful steps for the CEO in moving to a better level of preparedness. Then the CEO can start to talk with the funding government and find out what help is available.

Chloe should keep up with the task of focusing the board on cyber issues and helping them to move from denial and anger into exploration and, hopefully, a well-protected future.

Julie Garland McLellan is an experienced non-executive director and board advisor based in Sydney, Australia.

Ralf's Answer

When I was a board member for European telecom companies, security was always a top priority due to the critical nature of telecom infrastructure.

However, some may question whether cyber security is also relevant for non-profit organizations. In reality cyber security is a significant threat to any organization, and small companies are often targets as their security systems may be more vulnerable; any personal and business information needs to be protected, both offline and online.

Ensuring the health and continuity of any business, regardless of size, income, or number of clients, is of the highest importance.

In this case study, Chloe did the right thing in mentioning the topic of cybersecurity to the board - all board members need to understand their roles and responsibilities.

They need to improve their cyber defence by designing and implementing cyber security governance and a technical concept.

The responsibility cannot be delegated to any IT support freelancer outside the company. Instead, the CEO needs to take ownership of the cyber security policy immediately, conduct an assessment with a specialist and provide recommendations for improvements back to the board.

The board must then approve the implementation of the new cyber security policies, continuously oversee cyber-risk management, and verify regulatory compliance: robust governance for cyber security must be put in place, and competent individuals must be responsible for the ongoing cyber security management.

In summary: As a board member, it is essential to prioritize cyber security among other crucial topics like strategy, executive appointments, and finance to ensure business continuity. The board must approve cybersecurity governance and policies, oversee cyber-risk management, and verify regulatory compliance. But ultimately, the CEO must take ownership of cyber security.

Ralf Nejedl, a former Managing Director of T-Systems International GmbH and Vice President and leader of B2B business for Deutsche Telekom AG Europe, is AltoPartners Deutschland's newest partner. He is based in Frankfurt, Germany.

Video resources - I post short video insights on LinkedIn. They disappear after a few days. You might like to visit (and please subscribe to) my YouTube channel to see the videos whenever you want to watch them. Let me know if there are any topics you would like to see addressed.

Conflict of Interest training - Conflicts of interest can be devastating to a board. They can ruin a director's reputation faster than you can say "no comment". And they can deter investors, members, business partners, clients, customers and staff from entering into any relationship with the company in future.

Unsurprisingly, they are one of the most requested topics for training and also one of the areas where practical experience as well as legal knowledge is highly valued. As you read this newsletter, I will be returning from a trip to Melbourne to deliver a half-day training session for a board there. If you would like to investigate the possibility of training for your board, please get in touch.

Book Review - Magic Words: What to Say to Get Your Way by Jonah Berger

I have always loved words and consider my vocabulary to be one of my most valuable assets. But, are some words demonstrably worth more than others? According to Jonah, the answer is "Yes".

This book is a quick and easy to digest run through some of the more useful words that help to build persuasion and rapport.

The eagle-eyed readers will notice that my dog also thought the book digestible. Fortunately, he only got the cover and the unprinted corner of some rear pages.

Talking of rear pages: there is a comprehensive index and some good references for those who wish to read more. Discussion and the building of shared meaning is key to doing your jobs as directors.

This book, and the information it contains, might just make that job easier. Because we all need that.

Available at most online bookshops in print and soft copy editions.

Inspirational quote for May

Sometimes, when your board is struggling to learn something, or when your company's results from a new initiative aren't what you had hoped they would be, it is important to step back and ask "What am I learning and where is the value in this?" Remember that silver linings are usually cloud wrapped.

A note on names - A few readers have asked me where I find the names for the protagonists in each case study; I 'borrow' them from people I meet or things that I read. 'Chloe' means "green shoot" in ancient Greek. Chloe was also the epithet for the Greek goddess Demeter who presided over agriculture and, hence, prosperity.

This newsletter - If you have any ideas for improving the newsletter please let me know. If you are reading a forwarded copy, please visit my website and sign up for your own subscription.

Let me help you - I would be delighted to speak for or train your board, staff, audience and/or group. If I can help, please contact me at julie@mclellan.com.au.

Suggestions for dilemmas - Thank you to all the readers who have suggested dilemmas. They are greatly appreciated. I will answer them all eventually. I could not write this newsletter without your help and without the generous help of all the experts who respond each month to the case studies.

Be a contributor - if you would like to attempt a response to the dilemmas for publication you will be most welcome. Simply reply to this email and let me know. I am always on the lookout for new talent from around the world so please reach out if that sounds like something you could do. I am also always grateful for the generous sharing of the current and past contributors. I couldn't create such an engaging newsletter without their help.

Let's connect - I use LinkedIn to share information about boards and directorship with my friends and acquaintances. If you use LinkedIn and we are not yet connected I will welcome a connection from you. You can find me at linkedin.com/in/juliegarlandmclellan.

Farewell until the next issue due 1 June. I look forward to greeting you again then.

Enjoy governing your companies, it is a privilege!

Best regards,
Julie



Main photo by David Garrison at Pexels.com

Quote illustration Keitchy Sanchez for Julie Garland Mclellan

Disclaimer: The opinions expressed above are general in nature and are designed to help you to develop your judgement as a director. They are not a definitive legal ruling and do not constitute legal advice. Names and some circumstances in the case study have been changed to ensure anonymity. Contributors to this newsletter comment in the context of their own jurisdiction; readers should check their local laws and regulations as they may be very different.

Privacy: I am privileged to have your contact details and keep them as safely as possible. I will alert you if they are ever accessed by any unauthorised person (the technical staff at ayuda help with publishing and issuing the Director's Dilemma and have access so they can send the newsletters to you). I do not sell your details to anyone; they are kept only for the intended purpose - sending you this newsletter and helping to build the judgement of company directors by providing a safe way to consider potential responses to real life events.