November/December 2023
Chris Clark conducts interviews with leading corporate directors and subject matter experts for Stuart Levine & Associates, a global consulting and leadership development company. The Planet Governance™ interview series features the views of corporate directors, chief executives, and governance experts on timely issues from succession planning to stakeholder activism to cyber resiliency.
This well-respected corporate director has a new appreciation for agenda setting…
Ms. Linda Medler is a retired USAF Brigadier General with more than 30 years of experience developing and executing cyber and technology strategies. She served for 27 years in the Air Force, retiring in 2014 as a Director of United States Cyber Command. She is the former CISO for Raytheon Missile Systems and is the Founder, President and CEO of L A Medler & Associates, LLC, a cybersecurity consulting firm. She also serves as an independent director for several public and private companies including PNC Financial Services, Common Spirit Health, TransAmerica, and Target Hospitality.
Linda R. Medler
Chris: Linda, the relationship between the board and the C-suite is critically important and subject to mounting internal and external pressures. Why do management teams need to show up differently in the coming years?
Linda: I think part of what is different is that they need to understand that today’s board is not yesterday’s board. What I mean by that is that the breadth of issues that are on the board’s mind today is vast. The range goes from is this a viable business model to what is our risk in cybersecurity and everything in between.
If a management team can come in and be looking around the next corner and does not count on the board to be asking all of the probing questions about systemic risk, emerging opportunities, financial health, among many other topics, then it’s a win-win. Today’s environmental risk, inflation risk, interest rate risk, and digital risk permeate all companies regardless of the industry that you’re in – and all of that should be top of mind for senior management.
Additionally, management teams need to look at their risk appetite and risk framework to make sure they are presenting a refreshed strategic plan for this year and the next five. The world is vastly different from pre-COVID to post-COVID. What are we doing not only to keep pace but to lead the way? That type of perspective and engagement would be helpful in the boardroom.
Chris: You actually want to be constructively challenged and elevated to a higher level of thinking, not the other way around.
Linda: I think so. It would help my level of confidence if they brought things I hadn’t already thought about. That’s a broad definition. How do you know what your board is thinking? I get that, but I always learn something in every committee meeting and board meeting I’m in, regardless of the company. Sometimes it’s a tactical thing, sometimes it’s strategic insight. You’ve got to be thinking about the long-term sustainability of that company and what does the future look like in today’s environment and tomorrow’s environment.
Chris: Your comments bring to bear the importance of agenda setting. Whether it’s by the chair or the board, there’s got to be the time and focus for that type of substantive discussion.
Linda: Yes, I have a new appreciation for agenda setting because I tend to look at the issue of the day, and now I have to force myself, as a Risk Committee chair, to be doing what I just said and looking around the next corner and helping management do that.
Chris: What does cyber risk quantification in the real world mean to you?
Linda: We’re talking more and more about this topic as we mature in our thought process about cybersecurity risk. I would expand that to digital risk, but for now let’s just keep it as cybersecurity risk. What I really value is if an organization can tell me how much revenue is at risk of an event, and are we spending adequate resources that buys down that risk, and by how much is that risk bought down? How much do we have in cyber insurance? Then how much is self-insured? Self-insured means revenue at risk. It’s important to understand cyber risk quantification, but it’s also critical to comprehend what are you measuring yourself against? Do you have an acceptable framework for your industry? What does that framework say about your risk profile and your maturity level? You’ve got to peel back the onion. It isn’t just, “Okay, we’ve met these NIST controls.”
In that light, I was at a Domino conference this past summer hosted by the Digital Directors Network (DDN). One of the leading NIST architects discussed how she was looking at cybersecurity governance — and why that should be part of the framework because so many boards are not talking about it adequately. Ultimately, I think for risk quantification, you’ve got to be able to map it back to dollars and cents. That’s easily said, but hard to do.
The other thing is to make sure that one event is not evaluated as being exactly the same as another. A ransomware attack is not the same as a DDoS (Distributed Denial of Service) attack. What are you looking at in your risk profile? What are the five big risks that you think you face in the digital space? Can you put dollars against that risk? Do you have the information to say, “Okay, a ransomware event could potentially cost us X amount based on our profile. A DDoS attack could potentially cost us X based on our profile.” And based on that, ensure management is applying the company’s limited resources to the right areas. As a director you need to know how management is thinking about cybersecurity risk quantification in order to provide the right oversight in this critical area.
Chris: Most directors do not have a cyber and technology background like you. How do you get them somewhat comfortable and more knowledgeable? In other words, how can the full board better address cybersecurity and digital risk?
Linda: When I joined a financial institution board, other than having a bank account, I didn’t know anything about running a bank. Same when I joined my insurance board. I didn’t know anything about that type of business and the complexities of that industry other than having an insurance policy. That didn’t absolve me of my responsibility to learn that business and learn the risks to that business. I would challenge all my other directors who maybe don’t have a cyber background. It’s not that hard. I think we make it a lot more complex than it needs to be. Ultimately, some of the best questions I think come from the non-cyber experts on my boards because they step back and look at things from a business angle. Let’s just go back to the question you asked about risk quantification. They will ask a question, “Well, what does this mean for us? What does this mean that we maybe don’t have this control? If we’re not adequately addressing this control, what could that result in?”
Specifically, they don’t need to become a CISO, they don’t need to become a CIO, they don’t need to learn how to code on a keyboard, but they need to understand it in the bigger business risk perspective. All it takes is a little bit of dedicated effort, just like dedicated board members do for our other continuing education activities.
Chris: Small to mid-cap company boards still seem to struggle to have a well-defined cyber risk ownership at the board level. How can these boards better develop a resilient contingency plan in dealing with everything from cyber breaches to the changing digital risk landscape?
Linda: I used to think every public company needed, as a minimum, a risk committee, if not a technology/cyber committee. Then I joined a small cap board and I realized it doesn’t really fit for this business and this board. I am not a fan of cyber being talked about in audit, but for some organizations, that’s where you must put it. I think if that’s the decision to put this type of discussion in audit, put it in the front of the agenda, not the back. Give it adequate time and discussion because so frequently you’ll see it at the back of a three-hour audit committee and the agenda will run over so you never get to it.
The worst thing you can do is put it as part of the consent agenda. Please, don’t ever put your cyber discussion as part of the consent agenda because that just shows the board thinks it’s not an important enough topic. For highly regulated industries that tells the regulators the board thinks it is not that important, and that reading it over is good enough. The other thing is, there’s a view that there’s not enough of us to go around, and by us, I mean digital and cybersecurity people, and I think there are. There’s a bevy of folks just waiting for their first chance. I know where to find these people – as do you.
Chris: How do you identify the strongest director contributors?
Linda: First, strong directors come prepared. I don’t really appreciate people on a board who don’t have the bandwidth to do the requisite homework. Yes, that means doing the board book reading well in advance. There’s no industry that builds a denser board book than financial institutions. It’s legendary because the regulators think you must cover everything. I always read everything.
Part of it is my quest for knowledge. You must be a continuous learner. But in the end, how am I going to fulfill my duty of care, for example, how am I going to vote on a policy if I don’t even take the time to read it?
Further, I think it’s not the loudest or the person who asks the most questions. It’s the thoughtful leader in the boardroom who engages when they have something valuable to say that makes a difference. The more comfortable I get in the boardroom, the more I engage. Sometimes I have to step back. For every one question I ask, I could probably ask ten. You need to be a little judicious about that. What I try and do is to make sure that I don’t ask a question that’s been answered in the board book, or if I do ask a question in the board book, it’s because it wasn’t explained well enough for my liking.
Additionally, do you have directors who are game on? When you come, it’s game on, and not sitting there watching the clock and wondering when your flight departs or checking your phone.
Then the last thing I’d say is, are your directors willing to engage in between board meetings? It is a critical element. I think you build rapport, not just in the boardroom, but outside the boardroom, whether it be a phone call on another topic or asking for help on something. That means engaging management outside of regularly scheduled meetings, but not beating them up because they don’t need to be responding to directors all the time. And I’d caution to make sure the CEO is aware of your engagements with the management team if outside of the boardroom.
Chris: Who is responsible for creating the board’s skills matrix and keeping it accurate? If the skills matrix is a little bit off, then board succession and board refreshment will be amiss.
Linda: Typically, for my boards, the board secretary puts it together, and the Nominating and Governance Committee is responsible for the vetting. On some of my boards, audit also vets it because it goes in your disclosures. Sometimes your skills matrix goes in your proxy. You want to make sure that it’s accurate because it’s publicly disclosable. As you’re talking about your director candidates up for vote, some companies put the skills matrix right there front and center for your shareholders to review.
How do you validate it as a board member? Again, it’s the trust, but verify formula. If you’re trying to fill a specific gap, for example, for some of my boards, they may zero in on my cyber expertise, but then they’re also interested in my government experience, or they’re interested in an ability to take a general idea and form a plan out of it, or the ability to think strategically. If we’re looking for somebody with a current type of skill set, once you believe they have the right skills, then I think the most important thing is to ensure the person is a good fit culturally. Do they have the requisite integrity? Do they have the requisite work ethic? What does this person bring to the boardroom that we do not currently have that is truly additive? It could be based on background, geographical location, age, and a variety of diversity factors.
Chris: Linda, thank you for your time, insights, and for your service.
Ms. Linda Medler is a retired USAF Brigadier General with more than 30 years of experience developing and executing cyber and technology strategies. She served for 27 years in the Air Force, retiring in 2014 as a Director of United States Cyber Command. She is the former CISO for Raytheon Missile Systems. Linda also serves as an independent director for several public and private companies including PNC, Common Spirit Health, TransAmerica, and Target Hospitality.
Chris Clark joined Stuart Levine & Associates as a senior consultant after a distinguished career at the National Association of Corporate Directors. His expertise ranges across a variety of disciplines including corporate governance (with data-driven board assessments, cyber risk diagnostics, and strategic communication audits as cornerstones), conference management, and digital content creation.