Artificial Intelligence (AI) And The Board:
Distinguish Good & Bad Strategies
There’s increasing pressure on boards for more cyber risk oversight. Taking action on these fundamentals will help build a solid foundation for sustained and effective cyber risk oversight.
“… For Whatever A Man Sows, That He Will Also Reap…” - Galatians 6:7
“Each day, approximately 1 in 31 US patients contracts at least one infection in association with their healthcare.” This statement, on November 25, 2024, from the CDC website quantifies the prevalence of healthcare-associated infections (HAIs). In 2002, research from the NIH estimated fatalities from HAIs at about 99,000 annually. That is 99,000 deaths a year from hospital-acquired infections. Could these be prevented if clinicians and caregivers properly washed their hands or paid more attention to their patients? Ambient Intelligence, or Ambient AI, can help.
The most significant influencers of truck fleet expenses are driver wages and fuel expense, so it’s no wonder fleet operational leaders are always asking the question “Are my trucks the most fuel-efficient they can be given my delivery freight profile?” The answer to this question can offer significant cost savings (millions of dollars for a 500-truck fleet) for the business. AI-powered digital twins of physical trucks can help answer this question by simulating the effect of different circumstances based on real data from the physical trucks. Of course, AI-powered digital twins have other applications, including manufacturing.
In the digital twin example above, Gen AI is used to create and/or supplement the software code for the digital twin and thereby accelerate the development of digital twins. Here’s the really interesting part: Gen AI can also create synthetic data to augment/supplement data from the physical twin to simulate specific conditions and circumstances that haven’t occurred in the physical world yet. And ultimately, there is a mutually reinforcing loop between the digital twin and Gen AI when it comes to real-time data being used to train models.
Have you ever wanted to buy a product only to find out that it’s not in stock? Stockouts are a significant problem in the retail industry, and the cost to retailers worldwide can be as high as $1 trillion according to one estimate cited in this Harvard Business Review article. Stockouts also produce other undesirable effects such as poor customer experience and higher operational costs. One of the causes of stockouts is poor inventory monitoring, and Agentic AI promises to help reduce this problem with the ultimate goal of increasing sales.
These are only some of the many examples of how AI can create significant business value for organizations. Agentic AI has practical business use cases in customer service, finance, legal, IT, and more. So what does this have to do with you as a board director? And why should you care?
So, what to do? How can boards provide oversight for such an adaptive challenge as cyber? There is no one solution that fits all companies and/or situations. Having said that, there are three practical strategic steps that boards can take if they choose to exercise effective cyber oversight. They are:
Define and diagnose cyber oversight needs and commitment. Optimal Cyber Oversight: establish alignment on the level of optimal cyber oversight and define the oversight context.
Assess effectiveness of current cyber oversight and governance. Cyber Governance Assessment: Assess the board’s cyber oversight practices, structure, expertise and guiding principles/policies.
Determine and Develop Board Cyber Competency: Develop the board’s strategic approach to gaining and maintaining access to cyber expertise.
Side Bar
One of the crucially important cyber oversight questions to ask is related to the strategic business impact of cyber risks on the organization. To learn more about how to distinguish a high quality from a low quality response, we encourage you to download this guide.
But effective oversight goes beyond just asking the right questions. It requires that directors have a clear understanding of the real problem and not just the symptoms of the problem that show up as business impacts. Some examples of companies that have experienced these business impacts include Change Healthcare ($872M according to its Q1 earnings report) and the MGM data breach ($100M in business disruptions according to a CBS 60 Minutes report).
The problem posed by cyber risks is very complex and it’s a moving target of sorts. There’s no easy button, and there’s no two-day Amazon Prime delivery option that will deliver impenetrable cyber security for all cyber risks.
And you can’t just throw more money at the problem either; United Health Group (UHG, the parent company of Change Healthcare) spends $300M on cyber security. There are other dimensions to the problem, including time, technology innovations, people, culture, leadership and governance. The governance dimension is especially relevant to board directors and proxy advisory firms. Indeed, at least one proxy advisory firm has included cyber risk oversight as a component of its policy guidelines.
Glass Lewis, the second largest proxy advisory firm in the US, has included cyber risk oversight in its 2024 US Benchmark policy guideline. A key phrase from their guideline’s document that’s worthy of attention is “..we may recommend against appropriate directors should we find the board’s oversight, response or disclosure concerning cybersecurity-related issues to be insufficient, or are not provided to shareholders.”
The Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly also recognizes the governance dimension of the cyber problem, as evidenced by her comments in her opening statement post: “These steps, however, are only achievable if CEOs, Boards, and every single business leader of a critical infrastructure organization treats cyber risks as core business risks and recognize that managing them is a matter of both good governance and fundamental national security.”
What’s our point? The governance dimension of the problem is crucial, and effective oversight is the key. Effective oversight begins with a new and refined appreciation of the problem as an adaptive challenge and not just a technical problem. Cyber is really an adaptive leadership challenge that can’t be solved along a single dimension and can’t be treated as a technical problem (one that has an easy button). It’s a moving target, not a stationary object, and that requires directors to get the fundamentals right.
1. What Strategy Is & Is Not
My strategy for a healthy lifestyle or body weight is to lose 15 pounds in the next 3 months and keep it off. Well, that’s an ambition but not a strategy. It sounds obvious and overly simplistic, but organizations often do the same thing and make the same assumptions. Our business strategy is to grow revenue and profits by 15% in the next 3 years, or to reduce expenses by 10%, or to improve our NPS scores by 5%. All good things, and they sound like strategy, but they are not strategy.
Strategy is not ambition. Richard Rumelt (a giant in the field of strategy) says it this way: “Many companies treat strategy as a way of presenting to the board and to the investing public their ambitions for performance, and they confuse that with having a strategy.”
Board director perspective. The principal question to ask is how. How am I going to lose 15 pounds in the next 3 months, and what are the strategic challenges I am going to face on that journey?
We want to be a unicorn ($1B valuation) or an AI-first company. Our strategy is to achieve unicorn status in the next 2 years and be an AI-first company by 2026.
James Dyson’s strategy was not to make a better vacuum cleaner; that may have been his ambition, but his strategy was different.
When I was in my 20s, for some reason, I wanted to have six-pack abs and well-defined biceps. Those were supposedly good ambitions, things I wanted to achieve.
Is not:
Ambition - reduce expenses by 10%, grow revenue and profits by 15%, have #1 market share, be #1 or #2 in the market, grow by acquisition, move into a new line of business, etc.
https://hbr.org/2024/03/is-your-ai-first-strategy-causing-more-problems-than-its-solving
https://www.mayoclinic.org/giving-to-mayo-clinic/our-priorities
Strategic Planning - It’s not planning.
Is:
An approach to overcoming an overwhelming challenge or obstacle to future forward progress.
A way to design, coordinate and concentrate efforts and resources on the vital few, that is, the critical factors that determine where to play and how to win.
In service of a high-stakes future direction.
The Strategic Challenge - An organization’s strategic challenge may not be obvious or easily observable, but before we explain what a strategic challenge is, it’s helpful to offer some examples of what it is NOT. Fair warning: some of these examples may come as a surprise. A strategic challenge is NOT:
It’s not under-performance of an organization or business unit. Under-performance is a result or outcome and reflects a deeper underlying problem. That underlying problem may end up becoming a strategic challenge, but that is not necessarily the case.
It’s not an active operational problem such as high employee turnover this year or higher-than-normal customer service wait times. To be sure, these can be challenges, but they’re not strategic challenges. A strategic challenge is about a future anticipated problem that a strategic bet is designed to solve.
It’s not a problem that can be solved along one dimension such as hiring more people or implementing a new technology. These without an integrated set of capabilities working together
There’s only one problem: the board rarely, if ever, includes cyber-related topics on its board meeting agendas. Or it may allocate 15-20 minutes of a board meeting to cyber once a year. It sounds simple, but we’ve seen this time and again. This is similar to getting an expert personal fitness trainer without making the time to meet with him/her. If you don’t make the time, you can’t possibly get the benefit. And it’s not just time; there are other dimensions to the oversight needs that can get overlooked without taking a step back to clearly define the cyber oversight needs of the board.
So what is strategy, if it’s not all these things outlined above?
In an accelerating digital economy, there’s an urgent need for directors to ask the right cyber oversight questions and adequately evaluate the responses they get. It can be tempting, very tempting to jump right in and start asking the right questions and forget to take a step back to also address the fundamentals. However, to sustain effective board cyber oversight, it’s important to get the fundamentals right. Defining the cyber oversight needs is one of those fundamentals that you don’t have the time not to get right.
A definition of cyber oversight needs helps boards identify a complete set of needs that when addressed, work together to improve or enhance their cyber oversight effectiveness. More importantly, it facilitates board alignment on the following principal dimensions of cyber oversight needs:
Commitment - Are directors aligned on the right amount and level of cyber oversight?
Time - how much time, both board time and committee time, is needed?
Expertise/Competency - what does ongoing development of cyber competency look like for the board?
Practices and principles - what cyber governance practices should be adopted?
Determining the right amount and level of cyber oversight is a vital and foundational dimension to all of the other needs, because it facilitates board alignment on the commitment required. It informs how much time and expertise are needed and which practices should be adopted to be effective. If directors are not aligned on any of these, then there’s a high probability that cyber oversight will be ineffective.
The above can be viewed as the core ingredients of the recipe for effective cyber oversight, but how much of each is needed, and in what quantities?
But how does a board actually determine the right amount and level of cyber oversight?
2. Board Oversight Of Strategy
How to evaluate good and bad strategies, or, even more interesting, how to evaluate half strategies.
Questions to ask
Run the business, grow the business and transform the business
Business environment alignment/fit to the strategy
Risk elements of the strategy
Framework for oversight
Determine The Right Amount/Level of Cyber Oversight
The principal strategic step for determining the right amount/level of cyber oversight is to evaluate the organizational/business factors that influence the degree of cyber oversight. These factors include:
Regulatory compliance requirements
Degree of technology dependence
Scope of impact
Strategic direction
Regulatory Compliance Requirements: these greatly influence the amount of board cyber oversight required by organizations. Non-compliance with cyber-related industry regulatory standards can result in significant consequences, including actions from regulators (e.g. legal penalties, settlement fines, etc.). The Equifax Inc. settlement of $575M-$700M to the FTC and CFPB is a good practical example. An additional consequence was the CEO’s resignation. The potential for such consequences requires board oversight, and effective cyber oversight by the board can help minimize or avoid such consequences. This is why regulatory compliance is such an important factor influencing oversight needs in the boardroom: the higher the complexity and number of the regulatory requirements, the greater the oversight needs. Conversely, organizations with lower regulatory requirements, or whose operations are not subject to cyber-related regulation, may have minimal oversight needs.
Degree Of Technology Dependence: There was one American Cleaners store that I frequently took my dry-clean-only clothes to. This was before the COVID pandemic, and for years I always had to pay with cash. John, the owner, didn’t accept credit cards, had no computers, and the only information technology he had was an old-school telephone. I asked why and he said, “Well, I don’t want to pay the merchant fees, but more importantly, I don’t have to worry about computer hacking.”
I believe John’s (American Cleaners) broader point about hacking is that the greater the dependence on technology, the higher the cyber risk. And the higher the cyber risk, the better the cyber security and oversight needed. This seems deceptively obvious, but it is not. Most organizations and their leaders do not scale their cyber security capabilities in alignment with their digital technology dependence. For instance, if 90% of your customer orders come from the internet, then your cyber security should be better than average. But most leaders don’t come to this realization until after a significant cyber incident. Former board chair of Maersk, Jim Hagemann Snabe, was one of those leaders. As he shares about Maersk’s $250M-$300M cyber attack during this World Economic Forum session (min 6:37), more than 90% of all Maersk’s orders come through the internet, but their cyber security was average at the time of the attack. One of his conclusions was that the incident was a wake-up call to be better than average, to be the best they can be.
The role and adoption of technology in the future is only going to increase as new innovations such as Generative AI continue to evolve. Additionally, the growing number of third-party providers, suppliers and vendors, as well as their own reliance on digital technology, will increase the complexity of determining the level of technology dependence for businesses. Either way, most organizations’ dependence on technology will continue to increase and will influence the amount of effective cyber oversight needed by the board. Most boards should therefore prioritize cyber oversight elements accordingly.
Cyber Oversight Elements - The Vital Few
Prioritizing a few oversight elements is the key to optimizing effective cyber risk oversight. These priority elements, the vital few, deliver significant leverage for the actions of board directors. The first of these is incident preparedness, and it should be priority #1. For the rest of the top 6 vital few, download the guide.
3. Culture & Strategy
Alignment with culture
David and Goliath
Will culture support and positively reinforce strategy, or will it derail it? Going upstream or against the flow.
Remember culture eats strategy for breakfast
Amazon spin-out lab.
Implications of culture on strategy and vice versa
Strategy that calls for speed and agility to be successful may fail in a culture of slow bureaucratic processes
Unintended consequences of strategy and culture
Once boards get alignment on the strategy for the organization, there’s a tendency to believe that the strategy will be executed effectively, even if it doesn’t produce the outcome it was designed to produce. The thinking is: we decided to try to get David to use a sling and stones instead of putting on full armor with sword and shield. Now, whether that strategy actually works is a different story, but the expectation is that the sling-and-stone approach will be given a good, heartfelt try rather than half-hearted attempts. However, that’s often not the case. Most times, the strategy is overpowered by cultural norms and how people are used to doing things. Why? Because culture does eat strategy for lunch/breakfast.
And if/when that happens, it’s almost impossible to know if the strategy would have produced the desired outcome. Few boards and organizations ask how (or if) the organization’s culture will derail or reinforce the strategy, or integrate this dimension into their strategy. Cohesion with culture is important here too.
So what can boards do to add value here, and what questions can get to the heart of this challenge?
Ask for factors/items that can derail strategy and execution
Ask about specific risks to strategy and not just ERM risk registers, etc.
What culture changes are required for the strategy to be implemented purposefully?
What’s the likelihood that culture will override the strategy?
What’s the effect of strategy on operations (the lower-level employees and how they work)?
Scope Of Impact: When considering the scope and criticality of impact in the context of the cyber oversight needed, it is helpful to evaluate the cascading effects and criticality of impact of a material cyber attack. The cascading effect is a particularly important factor because it provides a more holistic/strategic view that encompasses second-order effects of a cyber incident. The Change Healthcare incident is a good example of this cascading ripple effect because the impact of the data breach was at least two levels deep. First, insurance companies and payers couldn’t process patient claims for doctors’ services rendered. Second, doctors’ offices couldn’t get paid for several weeks, which put a significant financial/payroll burden on them. Additionally, patients couldn’t get their prescriptions filled as a result of the incident. It affected the healthcare supply chain and not just Change Healthcare.
Unlike a typical data breach that affects just the company and its direct individual customers, some cyber incidents affect customers of customers of customers, creating a massive domino effect. Often these cyber incidents and their resulting impacts are contained in the digital space, but sometimes they extend to the physical space, as with several critical infrastructure organizations. Additionally, identifying concentration risks will help determine the magnitude and scope of impact of cyber incidents. Two questions to ask and consider when evaluating cascading effects and concentration risks:
Does your organization pose a concentration risk to your customers/clients along your value chain?
Does your organization have any concentration risks within, where there’s an over-reliance on one or two suppliers, partners or vendors?
The important point here is that boards should factor the scope of impact into their assessment of the amount of oversight needed. This is another one of those elements that is difficult to determine until an incident occurs, but board directors can request from management a business impact analysis that accounts for the cascading effects, to help understand the ongoing oversight needs.
Strategic Direction: The organization’s strategic direction is a factor that helps anticipate future cyber oversight needs that are likely to emerge. Boards can be more proactive rather than reactive when they include the strategic direction of the organization in the cyber oversight needs evaluation. This proactive anticipation allows boards to skate to where the puck is going to be, in the words of Wayne Gretzky, and allows the board to get ahead and stay ahead of oversight needs and governance practices.
Consider, for example, an organization with a long-term strategy that’s driven by a high volume of M&A activity as well as external collaborations and partnerships. What effect does this strategy have, or should it have, on the cyber oversight needs? All things being equal, a different level of cyber oversight will be required when compared to a strategy that doesn’t call for heavy M&A. This may include different board committee structures, expertise and governance practices to support the long-term strategy.
Without this consideration, boards concentrate on reacting to cyber oversight and governance gaps that could have been anticipated. They may fail the organization by not preparing it for the required rapid recovery and resilience.
It may be a surprise to some that Change Healthcare was an acquisition made by UnitedHealth Group in 2022. In 2024, a Senate letter directed at the CEO and the board followed. A board that had taken a proactive approach would feel confident expressing its robust oversight practices to show that it did all that could have been done to address the cyber risk.
As expected, a mismatch between oversight levels and organizational strategy will cause additional challenges. Similar to other oversight areas, too much cyber oversight (when little is required) becomes an unnecessary burden on management, and too little (when more is required) may result in preventable intrusions, poor incident response, compliance violations and legal penalties. Adopting the Goldilocks principle is the best approach here, as you want the level of cyber oversight to be just right.
In summary, the new business environment that calls for an increased cyber oversight by directors isn’t likely to go away. Therefore boards must maintain a long-term view of exercising effective cyber oversight in service of all stakeholders of their organizations.
Effective oversight begins by proactively and correctly defining the cyber challenge and oversight needs (both the type and degree of oversight). It’s about ensuring you have the right ingredients as well as the right quantities to create the recipe for effective oversight, which in turn will produce effective cyber resilience and all the associated benefits.
Cyber oversight isn’t just about looking at cyber risks as a problem for the CIO/CISO to navigate; it’s also about truly seeing all the other dimensions of the challenge from a CEO and board level. As we stated at the beginning, it’s not what you look at but what you see, and we sincerely hope that these fundamental actions will help you see, for effective oversight, and not just look or observe.