Geoff Hudson-Searle Appointment as Ambassador of Love 146 UK

On 9th November 2021, Geoff Hudson-Searle was officially unveiled as a new Ambassador for Love146 UK, an international human rights organisation that has worked for more than 18 years, with an excellent track record, to end child trafficking through prevention education and survivor care.

As an Ambassador, Geoff will become more closely involved in the charity’s work in the community and play a key role in promoting it and helping it reach more people. This includes promoting Love 146 awareness programs and policy to the national and international communities.

This is an exciting and important new role for the charity which will help further ensure that awareness of child trafficking, and the needs of survivors, is raised to an even wider audience.

Philip Ishola, CEO of Love 146, stated:

“We are delighted that Geoff has accepted the role of Business Ambassador. This is a vital role, and we know that, with his experience, knowledge, and passion for combating child trafficking, he is the perfect person.”

As an Ambassador with Love146 (UK), he will be part of our continuing growth to end child trafficking for good and support the survivors of it. We know that the trafficking and exploitation of children is one of the most insidious forms of human rights abuses which can take place. Yet we also know that it continues to happen across the world, including in the UK.

Love 146 is an international human rights organisation focused on ending child trafficking and exploitation through survivor care and holistic prevention strategies. We recognise the importance of ensuring that children have “agency” in their own right, not only to help them rebuild their lives but also to help raise awareness of the issues surrounding child trafficking to end it for good.

This new role is essential in doing that. Through supporting the organisation across the national and international communities and highlighting the importance of trust and hope in combating child trafficking, you form a key part of the wider Love146 UK family and all those we work with and support.

Geoff has been in close contact with Love 146 UK for the last 10 years. Both before he was elected and since then, he has been coordinating with the charity on The Big Give campaign and even setting up an e-shop online, Pranacopia. When he created ‘The Candle of Hope’, he personally funded the candle for Love146 UK; 100% of the proceeds from this product are donated to Love 146 UK.

Following the announcement, Geoff said:

“It is a tremendous honour and privilege, Philip Ishola, to join your executive team as the Business Ambassador for Love146 UK. Continuing the support of the mission to both National and International communities across the importance of trust and hope.

All children need love and care. Trafficked children have been deprived of that. Even once they are free of the traffickers, there is a long road ahead of them to start to rebuild their lives. Love146 helps provide specialist survivor care, including in their own supported accommodation.

It’s about more than just support though, it’s about being a family, and family is there no matter what. Love146 is there for the children they work with, and they care. It’s about more than just being there though.

It’s about building trust. Children who have been trafficked have often lost that, and the first step on their journey is helping them to learn that there are people they can trust again. It’s a huge responsibility. We all know in every aspect of life how crucial trust is. Whether it is in business or working with children, trust is the foundation of healthy futures, and at the heart of everything Love146 stands for.”

Links:
LOVE 146 UK Announcement
https://www.love146.org.uk/blog/introducing-our-new-business-ambassador-geoff-hudson-searle/


https://ib-em.com/love-146/

https://prana-copia.com/product/pranacopias-love-146-uk-donation-candle/

The stories of children caught in trafficking and exploitation are terrible. For some of us, the depth of pain and torment is difficult to process. Just imagining what they’ve gone through affects us deeply.

But, as hard as it is to hear these stories, it is good for us to do so, because by hearing these stories, we can act now and become aware, and awareness leads to action.

Through years of working with rescued children, Love 146 found that restoration is possible. The charity has worked with children who have regained their ability to dream about the future.

Helping these children re-imagine their future, rediscover their humanity and experience childhood is not easy, but healing is an achievable goal. Love 146 urgently needs more funding and your support to continue this crucial work.

https://www.love146.org.uk/give/

The Adaptable Definition of the Life Work Balance Debate

A very good friend and associate, Colin Smith, and I were having our monthly catch-up. Colin had just received a birthday present from a loved one, a Tibetan bowl. A Tibetan singing bowl is a type of bell that vibrates and produces a rich, deep tone when played. Also known as singing bowls or Himalayan bowls, Tibetan singing bowls are said to promote relaxation and offer powerful healing properties. It was then that we moved our discussion to life-work balance.

The term “work-life balance” has yet to lose its buzz in the last few years. This is partially due to the dominating presence of millennials in the workforce. Employers have been putting in a tremendous effort trying to determine the best way to appeal to millennial workers. With Brookings Education research predicting that the millennial generation of workers will take up 75% of the workforce by 2025, many leaders think it’s time to redefine what work-life balance looks like.

In short, they want to be highly engaged by what they do and smart leaders will harness their sense of mission or risk losing these employees to more purpose-driven companies.

Work-life balance is an important aspect of a healthy work environment. Maintaining a work-life balance helps reduce stress and helps prevent burnout in the workplace. Chronic stress is one of the most common health issues in the workplace. It can lead to physical consequences such as hypertension, digestive troubles, chronic aches and pains, and heart problems. Chronic stress can also negatively impact mental health because it’s linked to a higher risk of depression, anxiety, and insomnia.

There are significant and horrific trends that show employee illness and mental health issues directly correlating within the business, not to mention Zoom fatigue. Too much stress over a long period of time leads to workplace burnout. Employees who work tons of overtime hours are at a high risk of burnout. Burnout can cause fatigue, mood swings, irritability, and a decrease in work performance.

This is bad news for employers because according to Harvard Business Review, the psychological and physical problems of burned-out employees cost an estimated $125 to $190 billion a year in healthcare spending in the United States.

It’s important for employers to realize that work-life balance is about more than just hours. Besides promoting flexibility, employers should also strive to improve the overall workplace experience for their employees. Prioritizing a healthy culture and cultivating a happy workplace environment promotes work-life balance. When employees are happy in their roles, work will feel more like a second home, and less like working for a paycheck. Employers should prioritize competitive compensation, comfortable office conditions, opportunities for professional growth, and opportunities for social connections.

Attitudes on work-life balance will continue to evolve with cultural, generational, and economic changes. Flexible leaders can update or reinvent their workplace culture to try something new if employees report poor work-life balance.

While maximizing employee productivity will always remain a constant goal, ensuring employees have the time they desire away from the office and enjoy their time spent in the office is the best way to retain talented employees and make them lifers, regardless of perceived generational differences.

Think about a bell out of sequence, or even change ringing. Change ringing is the art of ringing a set of tuned bells in a tightly controlled manner to produce precise variations in their successive striking sequences, known as “changes”. This can be by method ringing, in which the ringers commit to memory the rules for generating each change, or by call changes, where the ringers are instructed how to generate each change by instructions from a conductor. This creates a form of bell music that cannot be discerned as a conventional melody but is a series of mathematical sequences.

To ring quickly, the bell must not complete the full 360 degrees before swinging back in the opposite direction; while ringing slowly, the ringer waits with the bell held at the balance, before allowing it to swing back. To achieve this, the ringer must work with the bell’s momentum, applying just the right amount of effort during the pull that the bell swings as far as required and no further.

Despite this colossal weight, it can be safely rung by one (experienced) ringer, but in the wrong hands, without expertise at the helm, the bell will be imbalanced.

Just like at a theatre, the maestro on the podium is one of classical music’s most recognisable figures. Long before Toscanini or Furtwängler, Bernstein or Dudamel, there was Pherekydes of Patrae, known in ancient Greece as the ‘Giver of Rhythm’.

A report from 709 BC describes him leading a group of eight hundred musicians by beating a golden staff “up and down in equal movements” so that the musicians “began in one and the same time” and “all might keep together”. A music conductor can be responsible for much more than just how a concert turns out. The balanced conductor has the ability to influence the entire system of music education, which can be emulated all over the world.

This is why wellbeing, life balance and mental health have never been more important.

Research from Mind confirms that a culture of fear and silence around mental health is costly to employers:
• More than one in five (21%) agreed that they had called in sick to avoid work when asked how workplace stress had affected them.
• 14% agreed that they had resigned and 42% had considered resigning when asked how workplace stress had affected them.
• 30% of staff disagreed with the statement ‘I would feel able to talk openly with my line manager if I was feeling stressed’.
• 56% of employers said they would like to do more to improve staff wellbeing but don’t feel they have the right training or guidance.

Employers have a duty to protect the health, safety and welfare of their employees. This includes mental health and wellbeing. You can find out more about health and safety at work in our health and safety factsheet.

Employees who have a mental health condition may be disabled as defined by the Equality Act 2010, and will therefore be protected from discrimination during employment.

One of the greatest challenges for employers and workers in 2020 was finding ways to work to keep companies afloat and to support people, people managers and their psychological wellbeing.

This trend will not disappear in 2021, and it will be necessary to bolster and cultivate employee wellbeing while people continue to work remotely or in partial return to offices. There was a growing awareness of mental health and wellbeing throughout 2020, but the challenges are not over.

In 2021 and beyond, all organisations should be:
• Assessing overall levels of wellbeing of staff on an ongoing basis; and
• Ensuring frontline managers and teams are still sensitive to individual wellbeing.

At the leadership level, there is a sizable disconnect between how important purpose is claimed to be for business and how central purpose actually is to business decisions. This gap demonstrates the optimism and promise that leaders see in being purpose-driven to elevate business, but a hesitation to “walk the walk” and actively embed it into foundational elements of the company, such as organizational decision architecture.

In my mind, the purpose of a company is defined as the reason for being beyond profit. Or to cite EY, it’s the organization’s single, underlying objective that unifies all stakeholders. Purpose should embody the company’s ultimate role in the broader economic, societal, and environmental context for 100 or more years.

A clear purpose goes beyond products or services and instead describes what impact or change the company can make in the largest context possible. Some examples of good purpose statements are:
• Merck: “Our purpose is to preserve and improve human life.”
• Southwest Airlines: “We connect people to what’s important in their lives.”
• Zappos: “Our purpose is to inspire the world by showing it’s possible to simultaneously deliver happiness to customers, employees, community, vendors and shareholders in a long-term sustainable way.”

Clearly defining and articulating purpose can truly propel a company forward. Purpose helps set a long-term business strategy, creates a bigger competitive advantage and differentiation in the marketplace, inspires innovation, increases brand trust and loyalty, and ultimately, helps the company stand the test of time. EY and Harvard Business Review co-authored a research project which revealed that 58% of companies that are truly purpose-driven report 10% growth or more over the past three years, versus 42% of companies that don’t have a fully embedded purpose reporting a lack or even decline of growth in the same period.

Purpose also has the power to positively impact employees. In order for that to happen, the purpose needs to be relevant, aspirational, and actively embedded in the whole company. If that’s the case, a multitude of benefits materializes for employees.

Finally, we are living in a time of increasingly intelligent technologies, when an organization’s ability to be trusted really matters. But the way data and intelligent technologies such as AI are being used is creating significant trust gaps. For example, the public feels that intelligent technology is moving too fast and that regulators can’t keep up, as documented in the 2020 Edelman Trust Barometer.

There are plenty of high-profile examples of data misuse and unintended outcomes from AI usage that have contributed to these gaps.

In short form:
• We need trust as an essential ingredient for wellbeing, life balance and mental health.
• Unless organizations anticipate and close the potential trust gaps, companies and regulators need to create policies to work with each other and with wider society to identify practicable, actionable steps that businesses can take to shape a new relationship with wider society: a new ‘settlement’ based on mutual understanding and a shared recognition of the positive role that business plays in people’s lives.
• To close trust gaps, organizations must embed a people-first strategy with purpose.
• Trust within and across this ecosystem is key to its long-term sustainability and survival. That’s why trust needs to be restored to the heart of the business world.

As Stephen M.R. Covey, American educator, once said:

“Contrary to what most people believe, trust is not some soft, illusive quality that you either have or you don’t; rather, trust is a pragmatic, tangible, actionable asset that you can create.”

What is the state of the global economy, are we recovering?

I was invited recently to a meeting at one of the Central European Embassies to discuss some of the events across the pandemic and the state of the global economy.

These discussions are always a debate and subject to one’s individual analysis. With all the global economists, there were public health pandemic playbooks that were being followed with varying degrees of adherence, yet there was no economic playbook for this.

The worst day of the covid-19 pandemic, at least from an economic perspective, was Good Friday. On April 10th, 2020, lockdowns in many countries were at their most severe, confining people to their homes and crushing activity. Global GDP that day was 20% lower than it would otherwise have been.

Since then, governments have lifted lockdowns. Economies have begun to recover. Analysts are penciling in global GDP growth of 7% or more in the third quarter of this year, compared with the second.

That may all sound remarkably v-shaped, but the world is still a long way from normal. Governments still continue to enforce social-distancing measures to keep the virus at bay. These reduce output—by allowing fewer diners in restaurants at a time, say, or banning spectators from sports arenas. People remain nervous about being infected. Economic uncertainty among both consumers and firms is near record highs—and this very probably explains companies’ reluctance to invest.

Calculations by Goldman Sachs, a bank, suggest that social-distancing measures continue to reduce global GDP by 7-8%—roughly in line with what The Economist argued in April, when we coined the term “90% economy” to describe what would happen once lockdowns began to be lifted. Yet although the global economy is operating at about nine-tenths capacity, there is a lot of variation between industries and countries. Some are doing relatively—and surprisingly—well, others dreadfully.

Take the respective performance of goods and services. Goods have bounced back fast. Global retail sales had recovered their pre-pandemic level by July, according to research by JPMorgan Chase, another bank. Armed with $2trn-worth of cash handouts from governments since the virus struck, consumers across the world have stocked up on things to make it bearable to be at home more often, from laptops to dumbbells, which partly explains why world trade has held up better than economists had expected. Global factory output has made up nearly all the ground it lost during the lockdowns.

And with all these considerations PwC has recently published a report that sets out their latest long-term global growth projections to 2050 for 32 of the largest economies in the world, accounting for around 85% of world GDP.

The key results state that the world economy could more than double in size by 2050, far outstripping population growth, due to continued technology-driven productivity improvements.

One of the most promising and commonly evoked vistas of the future centers on the dazzling potential of new technologies.

From that perspective, many of today’s profound problems, such as unemployment, malnutrition, disease, and global warming could be solved through the clever application of breakthroughs in computer science, genetic engineering, nano-device construction, and new materials creation. These hopes are not unlike those of a century ago when the development and diffusion of technologies such as electricity, the radio, and the internal combustion engine promised a new era of human well-being. With the benefit of hindsight, however, it is clear that realizing the potential of late 19th century new technologies required major economic and social transformations.

Extending breakthroughs beyond the inventor’s lab, imagining new applications, realizing broad diffusion of initially unfamiliar technology, and achieving deep integration of cutting-edge techniques – all of these processes were both protracted and difficult. In the end, many landmarks had to be changed, from where and how people lived to what and how firms produced. This in turn entailed the overthrow of old patterns, entrenched expectations, and accepted “common sense” notions – not to mention established management theories and hardened political realities.

What is striking is that similarly dramatic transformations, economy- and society-wide, seem once again to be a realistic prospect. Although there have certainly been other periods in recent history when the outlook for humankind was filled with promise, the current conjuncture constitutes one of those rare moments when a confluence of diverse and numerous developments generates new, potentially radical opportunities.

These are not a foregone conclusion, for the necessary policies are highly ambitious and only just on the horizon for decision-makers. But the fact remains that humanity could reap huge rewards if it is ready to undertake equally significant changes. Two factors largely account for that unconventionally strong conclusion – one is methodological, the other conjunctural.

First, the analytical method adopted here for exploring long-term possibilities is neither partial nor linear, characteristics common and justified for shorter-term forecasting. A systemic and interdisciplinary approach is what enables the identification of opportunities for more radical evolutionary and intentional transformations.

Secondly, on the basis of this methodology, it becomes apparent that the current historical conjuncture – with its specific technological, economic and social developments – holds the seeds that could blossom into a period of above-average growth. Some may attribute the sense of exceptional opportunity to end-of-century jitters and obligatory optimism by governments at the launch of a new millennium.

Such skepticism is only natural. However, the assessment offered over the following pages tends to confirm the view that the historical door is now open to both a dramatic wave of socio-technical dynamism and the rapid pace of expansion that characterizes a long boom.

In the shorter term, the global economy is set to expand 5.6 percent in 2021—its strongest post-recession pace in 80 years. This recovery is uneven and largely reflects sharp rebounds in some major economies—most notably the United States, owing to substantial fiscal support—amid highly unequal vaccine access.

In many emerging markets and developing economies (EMDEs), elevated COVID-19 caseloads, obstacles to vaccination, and a partial withdrawal of macroeconomic support are offsetting some of the benefits of strengthening external demand and elevated commodity prices. By 2022, global output will remain about 2 percent below pre-pandemic projections, and per capita income losses incurred last year will not be fully unwound in about two-thirds of EMDEs.

The global outlook remains subject to significant downside risks, which include the possibility of large COVID-19 waves in the context of new virus variants and financial stress amid high EMDE debt levels. Controlling the pandemic at the global level will require more equitable vaccine distribution, especially for low-income countries.

The legacies of the pandemic exacerbate the challenges facing policymakers as they balance the need to support the recovery while safeguarding price stability and fiscal sustainability. As the recovery becomes more entrenched, policymakers also need to continue efforts toward promoting growth-enhancing reforms and steering their economies onto a green, resilient, and inclusive development path.

The recovery is envisioned to continue into 2022, with global growth moderating to 4.3 percent. Still, by 2022, global GDP is expected to remain 1.8 percent below pre-pandemic projections.

Compared to recoveries from previous global recessions, the current cycle is notably uneven, with per capita GDP in many EMDEs remaining below pre-pandemic peaks for an extended period.

In advanced economies, the rebound is expected to accelerate in the second half of 2021 as a broader set of economies pursue widespread vaccination and gradually reopen, with growth forecast to reach 5.4 percent this year—its fastest pace in nearly five decades. Growth is projected to moderate to 4 percent in 2022, partly as fiscal support in the United States begins to recede absent additional legislation.

The global recovery could prove more robust and broad-based than expected and sustain a long boom. For instance, the policy-supported surge in global growth in 2021, coupled with faster and more equitable global vaccination, could catalyze a self-sustaining period of rapid growth in which the private sector becomes a powerful engine of growth starting in 2022. In effect, strong pro-cyclical policy support would trigger a process of “reverse hysteresis” in which a robust cyclical upturn lifts long-run growth prospects.

In particular, this scenario envisages that technological adoption would accelerate, along with rising investment and labor force participation, causing the potential output to strengthen.

Starting in the first quarter of 2022, total factor productivity growth in advanced economies would accelerate to levels similar to those seen during previous episodes of productivity surges, as corporations deepen their use of digital technologies and work from home policies adopted during the pandemic.

Knowledge spillovers and faster installation of new productive capital would also raise productivity in other countries. At the same time, this scenario assumes that EMDE policymakers, faced with high levels of sovereign debt and slowing long-run growth prospects, implement growth-enhancing reforms, including reforms to strengthen economic governance, diversify economies reliant on commodities or tourism, and facilitate the reallocation of resources towards more productive activities.

This comprehensive package of reforms would raise EMDEs’ potential output growth gradually starting in 2022. Consumer confidence would surge, anchoring strong private consumption growth as consumers rapidly draw down their savings.

At the same time, rising potential output and well-anchored inflation expectations would help keep inflationary pressures in check, allowing advanced economy central banks to keep monetary policy accommodative for a prolonged period. In turn, continued monetary accommodation would support investment and consumption by alleviating debt service burdens and supporting asset prices.

Growth in advanced economies would remain near 5 percent in 2022 before slowing to a still-strong 3.1 percent in 2023. The investment- and productivity-driven growth in advanced economies would have greater spillovers to EMDEs, boosting export demand while ensuring that global financial conditions remain benign. As a result, EMDEs would experience a robust expansion, with growth averaging over 5 percent in 2022 and 2023—0.6 percentage points higher on average than in the baseline scenario. Overall, global growth would be notably stronger, averaging 4.4 percent over 2022-23 compared to 3.7 percent in the baseline scenario.

One further consideration is ESG investing with an emphasis on private finance and investment towards long-term value creation. There are forward priorities and actions for market participants and policymakers to address such shortcomings, particularly around the urgent need for consistent, comparable, and verifiable ESG data.

Current market practices, from ratings to disclosures and individual metrics, present a fragmented and inconsistent view of ESG risks and performance. ESG ratings and investment approaches are constructive in concept and potentially useful in driving the disclosure of valuable information on how companies are managed and operated in reference to long-term value creation. To this end, investors looking to manage ESG factors, particularly large diversified institutions, typically rely on external service providers of indices and ratings as a cost-effective means to guide the composition of ESG portfolios.

However, the lack of standardized reporting practices and low transparency in ESG rating methodologies limit comparability and the integration of sustainability factors into the investment decision process. The link between ESG performance and financial materiality is also ill-defined, with little evidence of superior risk-adjusted returns of ESG investments over the past decade.

This fragmentation and incomparability may not serve investors in assessing performance against general ESG goals, or targeted objectives such as enhanced management of climate risks. The relationship between Environmental (“E”) scores and carbon emission exposures is highly variable within and between ratings. In some cases, high “E” scores correlate positively with high carbon emissions, due to the multitude of diverse metrics on different environmental factors and the weighting of those factors.

This illustrates the broad challenges in ESG investing, but also the specific difficulties facing investors looking to consider both financial and environmental materiality. It also underlines how current ESG tools cannot be relied on to manage various climate risks, or to green the financial system, at a time when these are rising priorities for investors and policymakers alike.

Fiduciaries such as asset managers and boards should be managing material ESG risks in a way that supports long-term value creation – but are not necessarily getting the data and information they need to do so.

The OECD’s global survey of pension funds and insurers reveals the growing consideration of ESG risk factors in portfolios, the extent to which such institutional investors rely on external ESG data and service providers, and reiterates the challenges mentioned above in reference to investor experiences. These challenges extend to infrastructure financing, where the investment horizons of institutional investors and the nature of the assets increase exposure to longer-term sustainability risks.

For corporations, managing and disclosing ESG performance and related risks are no different from their interest in managing and disclosing other material information as a key function of corporate governance.

Effective disclosures are important to the communication of forward-looking, financially material information, but practices remain at an early stage. Inconsistent disclosure requirements and fragmented ESG frameworks mean both institutional investors and corporates encounter difficulties when communicating ESG-related decisions, strategies, and performance criteria to beneficiaries and shareholders respectively.

This in turn makes it hard for beneficiaries to assess how their savings are used, and for companies to attract financing at a competitive cost that fully considers ESG factors. There is also an implicit ESG scoring bias in favor of larger companies and larger, advanced markets, which could affect the relative cost of capital and corporate reputation of companies outside of these groups, which is due in part to the high cost of ESG disclosure.

Banks are also looking to scale up ESG integration in lending transactions but also face capacity, competition, and data challenges. Given the scale and significance of lending and underwriting activities globally, stronger due diligence in reference to ESG risks would help align global capital with activities that avoid negative impacts on society and the environment and enhance resilience in the financial sector, including climate-related risks. To this end, banks would benefit from enhanced ESG risk management practices and sustainability reporting in their lending activities, and the development of metrics and methodologies to facilitate meaningful measurement of ESG risk.

Governments have levers available to drive better ESG outcomes as both enterprise owners and as investors. Around one-fourth of the largest global companies are entirely or largely state-owned enterprises (SOEs), and these companies can and should serve not only long-term value but also the fulfillment of widely held public policy priorities, including sustainability measures. SOEs tend to have higher ESG scores than private companies, but this is not a given and depends in part on state ownership policy. A case study into the energy sector demonstrates how state ownership has sometimes been an obstacle to sustainability goals, such as the low-carbon transition, because of political concerns over the value of energy assets.

If left unaddressed, challenges in ESG investing could undermine investor confidence in ESG scores, indices, and portfolios. Developments and progress in ESG practices to date are promising, and they have the potential to be valuable, mainstream tools to manage risk, to align incentives and prices with long-term value, and to lessen the impact of future shocks like climate impacts or future pandemics. They can also be a valuable input into policymaking, by better articulating what the market can and should deliver in terms of public outcomes, and what kind of further government intervention is needed to meet stated policy objectives. Taken together, the chapters of this Outlook conclude more needs to be done to fully harness this potential.

There are clear priority areas for policy action in facilitating fit-for-purpose data and disclosures in ESG investing. Greater attention and efforts are needed by regulators and authorities – including through guidance and regulatory requirements – to improve transparency, international consistency, alignment with materiality, and clarity in strategies as they relate to sustainable finance. This extends to the appropriate labeling of ESG products, with information that delineates the financial and social investing aspects of ESG investing.

At the same time, existing frameworks and policy instruments can drive better ESG outcomes and provide a solid foundation for reform. Closer adherence to, and wider implementation of, OECD standards, policy guidance, and international best practices can already address some of the challenges described in this Outlook, especially around the assessment of risk and disclosure of material information. Key examples include the G20/OECD Principles of Corporate Governance, the OECD Guidelines on Corporate Governance of State-Owned Enterprises, and the Guidelines for Multinational Enterprises and accompanying guidance, with specific guidance on Responsible Business Conduct for Institutional Investors and Due Diligence for Responsible Corporate Lending and Securities Underwriting.

Close engagement and cooperation between jurisdictions and with the financial industry are needed to strengthen the policy environment and drive better outcomes in ESG investing. Regulators of large jurisdictions with developed financial markets are already engaging on these very topics, and making good progress. However, capital markets are global in reach, as are many of the environmental, social, and governance factors ESG practices seek to assess and manage. Therefore, global principles are needed to help establish good practices that acknowledge regional and national differences, while ensuring a constructive level of consistency, transparency, and trust.

Final thought: businesses have spent much of the past nine months scrambling to adapt to extraordinary circumstances. While the fight against the COVID-19 pandemic is not yet won, with a vaccine implementation in sight, there is at least a faint light at the end of the tunnel—along with the hope that another train isn’t heading our way.

2021 will be the year of transition. Barring any unexpected catastrophes, individuals, businesses, and society can start to look forward to shaping their futures rather than just grinding through the present. The next normal is going to be different. It will not mean going back to the conditions that prevailed in 2019. Indeed, just as the terms “prewar” and “postwar” are commonly used to describe the 20th century, generations to come will likely discuss the pre-COVID-19 and post-COVID-19 eras.

For business leaders, this is an urgent call to action, too. It’s now that strategic moves will be made to propel companies ahead of these megatrends; it’s now that the direction will be set for years to come; and it’s now that many organizations, “unfrozen” by the pandemic, are ready to adapt to the new requirements for future success. Plenty of business leaders are already eagerly stepping up to help shape our societies and build a new age of health and prosperity for all. Many more will have to join the fight.

This is a true strategy moment for governments and businesses alike, a chance to set the switches for the next decade. There really is no playbook: for some this could be a long boom, for others it could well be failure. Depending on their choices, the outcomes could not be more different.

The trauma of this pandemic will be with us for a long time to come. The big question for humanity is whether we can now turn this crisis into a pivotal moment, where we harness the innovations, the new insights, and the crisis-fortified determination to improve the world. The time for these choices is now. It’s up to all of us whether we will move into the 2020s with a new paradigm for safeguarding lives and livelihoods: a new age of health and prosperity for all.

As Jimmy Dean once said: “I can’t change the direction of the wind, but I can adjust my sails to always reach my destination.”

Sources:
https://www.worldbank.org/en/publication/global-economic-prospects
https://www.oecd.org/finance/oecd-business-and-finance-outlook-26172577.htm

Guest blog: Mike P James discusses ‘How trustworthy are you, your employees, your board and organisation, are you ready for the new digital world?’

Covid-19 is a crucible within which resilient leadership has been refined. Acting without perfect information and no playbook, often with only a few hours or days to spare, CEOs have to guide their organisations through myriad decisions and challenges, with significant implications for their company’s whole system; employees, customers, clients, financial partners, suppliers, investors, and other stakeholders, as well as for society as a whole.

Almost everywhere we turn, trust is on the decline. Trust in our culture at large, in our institutions, and in our companies is significantly lower than a generation ago. Research from Datapad, commissioned by my company International Business and Executive management for the trust report, found that only 69% of employees did not trust senior management or their CEO. Consider the loss of trust and confidence in the financial markets today. Indeed, “trust makes the world go-’round,” and right now we’re experiencing a crisis of trust.

In the words of Tom Peters – American writer on business practices ‘TRUST, not technology, is the issue of the decade.’

Trust is paramount in normal times, but with current world events the need for trust has never been greater. This simple formula emphasises the key elements of trust for individuals and for organisations:

Trust = Transparency + Relationship + Experience

Trust starts with transparency: telling what you know and admitting what you don’t. Trust is also a function of relationships: some level of ‘knowing’ each other among you and your employees, your customers, and your ecosystem. And it also depends on experience: Do you reliably do what you say?

In times of growing uncertainty, trust is increasingly built by demonstrating an ability to address unanticipated situations and a steady commitment to address the needs of all stakeholders in the best way possible.

The best leaders begin by framing trust in economic terms for their companies. When an organization recognizes that it has low trust, huge economic consequences can be expected. Everything will take longer and everything will cost more because of the steps organizations will need to take to compensate for their lack of trust. These costs can be quantified and, when they are, suddenly leaders recognize how low trust is not merely a social issue, but that it is an economic matter. The dividends of high trust can be similarly quantified, enabling leaders to make a compelling business case for trust.

The best leaders then focus on making the creation of trust an explicit objective. It must become like any other goal that is focused on, measured, and improved. It must be communicated that trust matters to management and leadership. It must be expressed that it is the right thing to do and it is the economic thing to do. One of the best ways to do this is to make an initial baseline measurement of organizational trust and then to track improvements over time.

Moral and ethical leadership is the key to a successful business, yet it’s clear from the news that the leaders of some of our most influential governments and corporations are making morally questionable decisions. These decisions will lose the trust of society, customers and employees. Trust is the foundation of high-functioning relationships and can only be achieved by meaningful dialogue. It is clear that this is not happening. Instead, we’re using electronic communication, where it should never be used.

The true transformation starts with building credibility at the personal level. The foundation of trust is your own credibility, and it can be a real differentiator for any leader. A person’s reputation is a direct reflection of their credibility, and it precedes them in any interactions or negotiations they might have. When a leader’s credibility and reputation are high, it enables them to establish trust fast: speed goes up, and the cost goes down.

In the words of Stephen Covey “If I make deposits into an Emotional Bank Account with you through courtesy, kindness, honesty, and keeping my commitments to you, I build up a reserve. Your trust toward me becomes higher, and I can call upon that trust many times if I need to. I can even make mistakes and that trust level, that emotional reserve, will compensate for it. My communication may not be clear, but you’ll get my meaning anyway. You won’t make me “an offender for a word.” When the trust account is high, communication is easy, instant, and effective.”

Today I have the distinct pleasure of introducing another Guest Blogger, Mike P James, who is a leadership mentor and aspiring ‘Good Guy’ – enabling managers on a leadership growth journey to create an ethical, trust-based, learning culture that empowers and engages all stakeholders via the RIGHT kept commitments.

Leadership and people development have gone hand-in-hand throughout Mike’s career. A quote, of his, that epitomises his view of relationships and the people he leads or trains is: “The strength of an organisation is not just in its people but in the relationships and interactions that are created and sustained.”

A few of Mike’s high points are simplifying the art of desert navigation for the Special Air Service during the first Gulf War. Managing, leading, and turning around a once failing department of 40 soldier/technicians. Leading a 120-strong organisation through severe and almost debilitating financial restrictions whilst still developing and maintaining an organisational identity and operational capability. Together with the privilege of passing on his diverse knowledge and experience to potential young Officers in concert with likely corporate Captains of Industry.

Mike specialises in leadership, team development and coaching with an emphasis on facilitating/coaching towards relevant and personalised outcomes in a solution-focused manner – more of what’s working as opposed to delving into the problem. His practical, common-sense approach together with a technical background enhances his ability to relate to individuals and groups across a variety of business sectors.

He has worked with individuals and organisations via one-to-one coaching to the design, delivery, and management of large (200+) multi-module programmes. His forte is enabling leaders and managers to realise the vital importance of the ‘emotional intangibles’ between good management and great leadership, whilst still enhancing strategic abilities and focus.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject of trustworthiness.

Are you ready for the future? A future that is here now! How trustworthy are you, your employees, your organisation?

Wherever you are now, leaders and employees will need to evolve to ‘navigate the transformed digital and physical worlds of work…’ (The Digital Renaissance of Work – Miller and Marsh). A good start would be for business leaders to actually trust their employees and work towards creating a collaborative, trust-based culture.

‘The trust of the people in the leaders reflects the confidence of the leaders in the people.’ Paulo Freire.

It has to start somewhere…

A New-Normal?
No one can deny that our world, and particularly the world of work, is entering a New-Normal – a totally different way of life that has been accelerated and totally reshaped by the pandemic we have all been living through.

This New-Normal world is not defined by just more remote-working and greater reliance on tech and AI, etc, it throws up many other questions:

* How does it affect the quality of our relationships?
* How does it affect how we work as a ‘team?’
* How do we maintain accountability for our work?
* How are responsibilities taken on?
* How are ethical boundaries not transgressed?
* How do we trust one another when we have only just been thrown together in an ad-hoc ‘team’ and the individuals are in multiple locations?
* How do we promote our brand and values so that customers continue to work with us?
* How do we take advantage of the ever-developing capabilities of AI to enhance the quality of our relationships – our Relationship Capital – so that it can be used alongside Financial Capital as a measure/predictor of organisational value in real-time? After all, estimated ‘Goodwill’ or brand value could be a thing of the past.

The Future of Work
Remote working, better use of digital technology, more supportive AI, etc, have all been talked about in a number of publications, including What’s the future of business? by Brian Solis; The Digital Renaissance of Work by Paul Miller and Elizabeth Marsh; and A World Without Work by Daniel Susskind. In fact, Miller and Marsh highlight that ‘team and teamworking is a relic of the Industrial Age and needs to be reinvented…’ and ‘The skills needed are those to build trust rapidly… manage reputation constantly… be visible to your organisation; and to expand your network of connections.’

These, combined with ethical and moral issues of the past/present and the greater control of big business, are all pointers to a different way of working; a different way to use the ‘all-encompassing’ internet. A more user-centric way of use, where the user is in control and ‘… localized internet value increases exponentially through trust.’ In control of their data, their security, their reputation, responsible for their own work, and accountable for its outcomes. And where fundamental relationship principles inform and guide everything that is done, both in the ‘real’ and digital worlds.

‘Digital Collaboration’ is the term Miller and Marsh use for what they believe is the primary skill needed by all workers as they learn how to maintain more relationships.

Trust
Trust and trustworthiness will be key in this ‘new’ digital era. To move from being a good manager, doing things right, to being an inspirational leader and doing the right thing, you need to be able to coach and create a trust-based culture. Paul Keijzer puts it well: ‘A business will never be successful unless you learn how to build positive relationships and put people first.’ A culture where the trustworthiness of the relationships between all stakeholders is obvious, quantifiable, and promotable, i.e. the Relationship Capital.

More than ever, leaders need to personalise their connections and relationships across the business environment, to understand, consider, and respond to the emotional ‘below the surface’ intangible needs of their people.

Now is the time to reinvent trust and trustworthiness within relationships via the commitments that we make and fulfill between each other. And by that, I include all stakeholders – individuals, teams, customers, and organisations.

A lot has been written about trust (most notably Stephen Covey’s The Speed of Trust), but how does ‘trust’ fit in with our current situations? How will it contribute to the New-Normal that is now upon us?

In his influential book, Team of Teams, General Stanley McChrystal talks of developing ‘ “a shared consciousness” which comes from transparency and extensive information sharing – which requires assuming risk by trusting others, way beyond what most leaders and organisations are willing to do. Teams are effective because they trust each other and they have a shared purpose.’

Commitments
I suggest that we look and learn from the past, i.e. Dr. Fernando Flores in the 1980/90s – Management and Communication in the Office of the Future, Conversation for Action and Commitment-based Management. On the subject of trust, in Conversations for Action and Collected Essays – Instilling a Culture of Commitment in Working Relations, Flores said, ‘Trust is crucial, not only for internal relationships but for customer relationships as well. This is because we invent the future in the commitments and promises we make to each other about actions we’re going to perform.’

‘Invent the future in the commitments and promises we make…’ is an interesting statement, and to me, this highlights our own responsibility for the co-creation of our future – something that was perhaps devolved to the familiar ‘team’ in your previously ‘normal’ office.

Combine this with Stephen Covey’s pivotal book, The Speed of Trust (2006). Keeping commitments is the ‘Big Kahuna’ of all behaviours, according to him. He described it as the ‘quickest way to build trust in any relationship’ and, when violated, the ‘quickest way to destroy trust’.

‘When you make a commitment, you build hope; when you keep it, you build trust.’ Roger Merrill.

The importance of commitments and keeping them is obvious. At the same time, a vague or ‘loose’ commitment that is not defined is worse than none at all. To the uninitiated, it may be better to follow Napoleon Bonaparte’s reasoning: ‘The best way to keep one’s word is not to give it.’ (Again, from Covey.) That will certainly not work now!

Both Flores and Covey have been widely quoted as the standards in promoting the effectiveness of keeping commitments via a process, and how trust-based relationships are key to strong and effective organisations. At the same time, the whole concept has been ‘principled’ and made timelier by considering seven fundamental principles at each stage of the commitment-making process. These principles add to and enforce the moral component: accountability; boundaries; honesty; respect; responsibility; trust; and support. The original attribution of these principles to the Commitment Process is unclear, but Norman Myers and Rob Peters were certainly involved in the 90s. Peters also mentions them in his 2014 book, Standard of Trust Leadership.

My combined interpretation has evolved over the years and is summarised by this formula (because we all need a solid formula to give an air of credibility!). At the same time, following Einstein’s mantra: ‘Everything should be as simple as it can be, but not simpler.’

Trustworthiness, Relationship Capital, Relationship Principles, Commitments

Summary
The ‘future of work’ is here now! It was on the ‘never reaching’ horizon, but the COVID-19 crisis has changed all that. ‘Yesterday’s business models won’t solve today’s problems.’ Flack[iii] (June 2020).

Combine this with the technical advances of the apparent ‘Fifth Industrial Revolution’ alluded to by Gauri & Eerden[iv], who highlighted the importance of ‘humanity’ where ‘humans and machines will dance together, metaphorically.’ They also cautioned the need for ‘intentionality and moral clarity’.

So, what needs to change for organisations to survive and thrive?

‘Adaptability, not efficiency, must become our new central competency.’ McChrystal

Perhaps it’s as simple as taking a conscious account of the commitments that we make between each other.

Certainly, the intangible needs of a more dispersed workforce – such as trust, trustworthiness, reputation, valued relationships, keeping the right commitments, and a sense of belonging, etc – are all going to be key.

Not just the ‘shiny new tech.’

Basic Concepts to bear in mind – Takeaways:
* Keep things simple
* Back to first-principles of what worked, i.e. make and keep the right (principled) commitments
* Back to taking a moral view of relationships
* Make the best use of the available technology to integrate the real and digital worlds

Sources:

  • Wired Article – ‘The Internet Needs a New Architecture that puts users first’ by Berninger & Pulver.
  • Business2Community Article – ‘Is It Better to Lead with Your Heart or Your Head?’ by Paul Keijzer.
  • HRZone.com Article – ‘Why it’s time to say farewell to that “future of work” trope forever’ by Barry Flack.
  • World Economic Forum Article – ‘What the Fifth Industrial Revolution is and why it matters…’ by Pratik Gauri, India President, 5th Element Group PBC & Jim Van Eerden, President, 5th Element Group PBC.
  • Team of Teams – General Stanley McChrystal.
Mike P James

You can contact Mike P James via the following websites and social links:

Email:
mike @ wayfindersolutions . com (remove spaces)
LinkedIn:
linkedin.com/in/mikepjames
Website:
www.mikepjames.com/

Stop Band-aiding your Cyber risk strategy with training

It wasn’t too long ago that sophisticated executives could have long, thoughtful discussions on technology strategy without even mentioning security. Today, companies have substantial assets and value manifested in digital form, and they are deeply connected to global technology networks – even as cyber attackers become ever more sophisticated and adaptable to defenses.

At most companies, boards and senior executives acknowledge the serious threats that cyberattacks pose to their business. What they are not sure of is how to create a strategy that helps them understand and address the threats, in all their forms, today and in the years ahead. And they’re asking for such a strategy every day.

Increasingly, the online world has grown complex and threatening. Many organizations are finding it hard to reconcile the level of their cybersecurity innovation investments with the cyber resilience outcomes for their business. Even worse, choosing the wrong strategy to invest in cybersecurity technologies can cost the organization far more than wasted cash; it can damage an organization’s brand, reputation, and future prosperity.

Both C-suite and security professionals should feel encouraged. Investment in innovation is increasing and managing the basics appears to be better. But scratch below the surface and there are hidden threats. Organizations face unsustainable costs, and security investments are often failing for the majority. With low detection rates and slow recovery times, it is important to find out what the leading organizations are doing differently to achieve cyber resilience. The good news is that most organizations, on average, spend 10.9 percent of their IT budgets on cybersecurity programs.

Leaders spend slightly more at 11.2 percent, which is insufficient to account for their dramatically higher levels of performance. And their investments in advanced technologies, such as artificial intelligence, machine learning or robotic process automation, are rising substantially. Today, 84 percent of organizations spend more than 20 percent of their cybersecurity budgets on tools that use these three technologies as fundamental components. The finding represents a good step up from the 67 percent being spent three years ago. The increase is even more impressive with respect to the leaders. Three years ago, only 41 percent of leaders were spending more than 20 percent of their cybersecurity budgets on advanced technologies. Today, that has doubled, to 82 percent.

At first glance, the basics of cybersecurity are improving and cyber resilience is on the rise. The latest research in the market shows that most organizations are getting better at preventing direct cyberattacks. But in the shape-shifting world of cybersecurity, attackers have already moved on to indirect targets, such as vendors and other third parties in the supply chain. It is a situation that creates new battlegrounds even before they have mastered the fight in their own backyard.

At the same time, cybersecurity cost increases are reaching unsustainable levels and, despite the hefty price tags, security investments often fail to deliver. As a result, many organizations face a tipping point. There is good news for organizations wondering if they will ever move beyond simply gaining ground on the cyber attacker. Analysis by Accenture reveals there is a group of standout organizations that appear to have cracked the cybersecurity code for innovation.

The BBC recently reported that researchers have discovered major security flaws—which affect flood defenses, radiation detection, and traffic monitoring—in the infrastructure for major cities in the United States and Europe. Of those flaws, nearly ten are deemed “critical,” meaning that a cyberattack on these systems would have a debilitating impact on essential infrastructure, including power grids, water treatment facilities, and other large-scale systems. It seems like the stuff of disaster films: A major city loses power. Huge amounts of the population panic. The roads clog. Planes are grounded. Coordinating a rescue effort—even communicating with the public—would be a colossal task.

Detailed modeling of cybersecurity performance has identified two distinct groups: the first an elite group—17 percent—that achieve significantly higher levels of performance compared to the rest. These organizations set the bar for innovation and achieve high-performing cyber resilience. The second is the group forming the vast majority of our sample—74 percent—who are average performers, but far from being laggards in cyber resilience. This second group has lessons to learn from leaders while leaders, too, have further room for improvement.

Being innovative in security is different from any other aspect of the business. Caution is necessary. After all, a fail-fast approach is not an option for security where attack vulnerabilities could be catastrophic. Growing investments in innovation illustrate organizations’ commitment to prevention and damage limitation. And it is here that leaders excel. By focusing on the technologies that provide the greatest benefit and sustaining what they have, they are finding themselves moving fast and first in the race to cyber resilience.

What is one key to secure innovation?

Companies are using all kinds of sophisticated technologies and techniques to protect critical business assets. But the most important factor in any cybersecurity program is trust. It undergirds all the decisions executives make about tools, talent, and processes. Senior business leaders and the board may see cybersecurity as a priority only when an intrusion occurs, for instance, while the chief security officer and his team view security as an everyday priority, as even the most routine website transactions present potential holes to be exploited.

Leaders now show us that they scale, train and collaborate more. So, while non-leaders measure their success by focusing on the destination—improved cyber resilience—the leaders focus on how to get there using warp speed to detect, mobilize and remediate.

“IBM Survey: Pandemic-Induced Digital Reliance Creates Lingering Security Side Effects” – IBM, 15 June 2021.
Individuals created 15 new accounts on average during the pandemic, with 82% reusing passwords across accounts. According to the report, user behavior showed strong preferences for convenience outweighing security and privacy concerns, leading to poor choices around passwords and other cybersecurity behaviors. This lax user approach to security, combined with rapid digital transformation by businesses during the pandemic poses a big risk to companies and provides attackers with further opportunities to propagate cyberattacks across industries. These poor personal security habits carry over to the workplace.

“RockYou 2021: largest password compilation of all time leaked online with 8.4 billion entries” – Cybernews, 7 June 2021.
A massive 100 gigabyte text file containing 8.4 billion entries and passwords that was combined from previous data leaks and breaches was published on a popular hacker forum.

“Hackers Breached Colonial Pipeline Using Compromised Password” – Bloomberg, June 4, 2021.
Investigators suspect hackers got the password from a dark web leak. Hackers gained entry into the Colonial Pipeline networks through a dormant virtual private network account that was no longer in use at the time of the attack but could be used to access their network. This account’s passwords have been leaked with a batch of other passwords on the dark web. This account also used a simple username and password without any other means for authentication. The hackers also stole nearly 100 gigabytes of data which they threatened to leak if the ransom wasn’t paid. This hack caused a shutdown of the pipeline causing a fuel crisis on the East Coast. This shutdown lasted more than a week.

“SolarWinds hack was ‘largest and most sophisticated attack’ ever: Microsoft president” – Reuters, 14 Feb 2021.
In the SolarWinds attack, hackers compromised a routine software update that gave them access to potentially up to 18,000 companies and government institutions globally. The hackers roamed around the networks of these companies for nine months before they were finally discovered. It will take months to identify the compromised systems and shut down the breaches. The breach of customer systems came through a small software vendor in the supply chain.

The above are just a couple of recent examples of cyber breaches, from very sophisticated breaches such as SolarWinds to less sophisticated breaches causing weeklong shutdowns, as in the Colonial Pipeline example. Hacks and breaches are becoming more frequent and more costly as attack surfaces grow across the full supply and value chains of companies.

52% of email users failed to detect an actual phishing email. GreatHorn survey, September 2020.

Looking at these large-scale breaches, and the trend of attack surfaces now extending throughout a company’s supply and value chains, companies are at increased risk, and it is clear that there is still a lot more work to be done when it comes to Cyber Risk management.

Yet most companies still rely on the basics: employee training on phishing, basic pen testing, updating and creating more policies, more training on the policies, and some aspects of multi-factor authentication and VPNs to try to secure the company’s information systems.

Why do most companies still think this approach is enough, and that it is the responsibility of the IT and Risk teams in the organization?

THIS IS NO LONGER A SUSTAINABLE APPROACH!

With the increased risk of the business being shut down for days and weeks on end due to ransomware attacks, stricter data privacy legislation and resulting fines, the cost to the business when an attack happens can potentially cripple the business for years to come or potentially shut the business down.

So, what do companies need to look at or change?

Let’s look at this question based on the current top trends around Cyber Risk to companies.

  • Ransomware continues to be one of the top threats to companies. The predominant way hackers gain access is still through phishing and simple password access. Operational processes for on- and off-boarding of employees, vendors, and contractors across the company’s business network become critical. This requires a review of all digital touchpoints of all users across all systems in the company, and a review of whether the security technology in place addresses the risk sufficiently. The fewer manual processes to manage digital credentials across all these touchpoints, the better. Multi-factor and zero-trust-based authentication is a must, and all use of simple username-and-password credentials needs to be eradicated across all systems.
  • Supply Chain attacks are growing and increasing the risk of attacks through a vendor or partner’s system that is integrated into the company’s information systems. This requires a cyber approval plan and constant auditing of the vendor and partner systems as it relates to all the digital touchpoints of their software or systems into the company’s networks and information systems.
  • The way we work has changed with a larger remote work force whose home networks and systems are outside the “Secure” corporate environment creating a higher risk of hacker access through unsecured wireless networks. The user behavior changes of more lax approaches to security and data privacy require more training and awareness and the potential deployment of additional security technologies to provide better security to the remote worker’s home networks. This also will require a review of the company’s overall policies on bring-your-own-device, employee conduct and how to govern employee behaviors. Security has now also become an HR matter.
  • Stricter compliance. The SolarWinds attack prompted new US government legislation and requirements being drafted with stricter compliance and standards around investigations of cyber events and standards for software development for companies dealing with government institutions. Companies working with Government institutions in the US will require CMMC (Cybersecurity Maturity Model Certification) control standards. This model encompasses multiple domains, processes for each of these domains, capabilities and practices that measure a contractor’s capabilities, readiness and sophistication in the area of cybersecurity. New compliance standards will drive up the cost of doing business in much bigger ways than Sarbanes-Oxley has done for corporate financial reporting.
  • Stricter data and privacy legislation with more punitive fines. This requires a full evaluation of data vulnerabilities throughout the company as well as the company’s supply chain and coming up with clear plans and strategies on how to mitigate these.

Cyber Security is no longer just a “nuisance” add-on or cost. It needs to form a clear part of a company’s strategy and has become a key cornerstone in the Digital strategy of the company.

With the dawning era of the Internet of Things (IoT), cybersecurity affects the entire business model. Adequately addressing the threat means bringing together several business perspectives – including the market, the customer, production, and IT. Most often, the CEO is the only leader with the authority to make cybersecurity a priority across all of these areas. We believe that the issue of cybersecurity in many cases will require senior executive or even CEO initiative.

It is time to re-draw plans based on zero trust security principles and establish clear frameworks from the top down throughout all groups of the organization for monitoring, controlling, detecting, mitigating and responding to the increasing cyber threat.

As we have discussed earlier, as soon as one breach avenue has been foiled, attackers are quick to find other means. With the growth in indirect attacks, the spotlight falls on protecting third parties and other partners. But there are enormous challenges in managing third-party cyber risks. Large volumes of data can overwhelm the teams responsible for managing compliance.

The complexities of global supply chains, including the regulatory demands of various regions or countries, add to the strain. In our experience, many CISOs feel that the sizable number of vendors outstrips their capacity to monitor them. Given finite security resources, there is value in a data-driven, business-focused, tiered-risk approach to secure the enterprise ecosystem. This may mean introducing managed services to help the organization tackle the wider scope and scale.

By collaborating more broadly with others with the common goal of securing the enterprise and its ecosystem, organizations can not only play a responsible role in helping their smaller partners to beat cybercrime, but also they can be sure they are not bolting the front door from attackers while leaving the back door wide open.

A core group of leaders has shown that cyber resilience is achievable and can be reproduced. By investing for operational speed, driving value from these investments, and sustaining what they have, they are well on the way to mastering cybersecurity execution. Leaders often take a more considered approach to their use of advanced technologies by choosing those which help deliver the speed of detection and response they need to reduce the impact of cyberattacks.

And once they do decide to invest, they scale fast—the number of leaders spending more than one-fifth of their budget in advanced technologies has doubled in the last three years. The combined result is a new level of confidence from leaders in their ability to extract more value from these investments— and by doing so, exceed the performance levels of the non-leaders.

With two out of five cyberattacks now indirect, organizations must look beyond their own four walls to their broader business ecosystems. They should become masters of cybersecurity execution by stopping more attacks, finding and fixing breaches faster and reducing breach impact. In this way, they can not only realize security innovation success but also achieve greater cyber resilience.

Finally, cybersecurity remains much talked about, yet underleveraged as a differentiating factor on the business side. With the advent of the IoT, there is a real opportunity to move ahead and designate the security of products, production process, and platforms as a strategic priority. The breadth of the challenge spans the entire supply chain and the whole product lifecycle and includes both the regulatory and the communication strategy. For CEOs in leading IoT and Digital organizations, we believe cybersecurity should be at the top of the agenda until rigorous processes are in place, resilience is established, and mindsets are transformed.

As Stephane Nappo, Global Head Information Security for Société Générale International once said:

“The Internet of Things (IoT) devoid of comprehensive security management is tantamount to the Internet of Threats. Apply open collaborative innovation, systems thinking & zero-trust security models to design IoT ecosystems that generate and capture value in value chains of the Internet of Things.”

 

This article expresses the opinions of two senior-level industry board professionals, written in collaboration, on their views and perceptions of the subject matter:

MARIA PIENAAR
CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor

Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping the latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Previously she was CIO at Cell C, a challenger mobile carrier, and before that held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSc in engineering.


Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

He has more than 30 years’ experience in international business and management. He is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programs for the British Government, Citibank, Kaspersky, BT and Barclays among others.


Guest-blog: Alina-Georgiana Petcu discusses ‘When Insider Threat Turns Malicious – and How to Stop It from Happening to You’

Lockdown introduced new threat vectors for organisations in 2020, as cybercriminals redoubled their efforts to launch damaging cyber-attacks. Now that we are looking towards a post-lockdown future in 2021, it is worth exploring the cybersecurity landscape and assessing what steps we should take to protect ourselves from the pernicious threat of cyber-crime.

If there’s one thing you can say for cybercriminals, they rarely miss an opportunity. The coronavirus pandemic has offered cybercriminals a myriad of opportunities to exploit victims’ fears and uncertainties, sow seeds of false hope, and persistently cause disarray in the aid of compromising data and making money.

One year on from the first UK lockdown, we don’t expect this to change as we transition towards a post-lockdown world. The knock-on impact of lockdown is that many organisations are fighting to remain operational, and cybercriminals know this. They will continue to proactively target organisations that are struggling as a result of the coronavirus pandemic, as they recognise that budgets for IT and cybersecurity resources may well have been reduced – making them easier targets for phishing and ransomware attacks.

Today I have the distinct pleasure of introducing another Guest Blogger, Alina-Georgiana Petcu, who is a Communications and PR Officer at Heimdal Security.

Alina is a content connoisseur with a knack for everything tech. She occupies her spare time by trying to untangle the intricate narratives behind the world’s most infamous cyberattacks.

Alina is going to talk to us about the importance of when an insider threat turns malicious – and how to stop it from happening to you.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

The term insider threat refers to a certain amount of risk organizations are subjected to through their current and former employees alike, as well as through business associates or contractors.

These are all people with privileged access to a company’s systems, which means that they can access sensitive data regular staff members don’t have access to.

Insider threat becomes malicious the moment one of these people decides to abuse their access rights to fulfill nefarious motives. Let’s see how and why that happens, as well as how you can stop it from happening to you and keep your enterprise’s assets safe from the grubby paws of hackers.

Unfortunately, insider threat is a widespread issue in corporate cybersecurity. The Ponemon Institute’s 2020 Cost of Insider Threats Global Report recorded a 47% increase in insider threat incidents between 2018 and 2020. This type of inappropriate management of company data can be separated into three categories:
• Accidental, which means that the action was unpremeditated and was not driven by any ulterior motive.
• Negligent, which treads the line between accidental and malicious. The employee in question is not necessarily a hacker, but his intentions aren’t right either.
• And malicious, which consists of an action that is premeditated and was driven by an ulterior motive. That motive can be revenge, ego, financial gain, coercion, or ideology.

To better understand malicious insiders at a human level, SentinelOne’s Jeremy Goldstein classifies insider threat into four archetypes:
• The pawn, who is usually manipulated by a malicious third party into sabotaging the company. This is often unintentional, as it is carried out through phishing or CEO fraud.
• The goof, who is generally ignorant or arrogant regarding their position and thus acts irresponsibly within the company network, causing damage.
• The collaborator, who steals data and disrupts the activity of an enterprise in cooperation with a malicious third party.
• And the lone wolf, whose malicious intent is their own and who acts independently of any other cybercriminal group.

Therefore, we can notice right off the bat that not all insider threat actors are malicious. Nevertheless, nearly half of them always are.

5 Threat Scenarios to Expect from a Malicious Insider

So, what happens when insider threat turns malicious? Here are the five scenarios you can expect, illustrated by a few real-life examples of what happened when renowned companies and global organizations went through them.

#1 A malicious insider stole data for competitive interests
• Steven L. Davis, a process controls engineer for Tennessee-based fabrication equipment designer Wright Industries, was contracted by Gillette to oversee their new shaving system in 1997. Out of discontent with his supervisor, Davis stole and sold private data about the technology to Gillette’s competitors.
• A naturalized Chinese-American citizen named Xudong Lao abused his privileges as an employee of the Illinois Locomotive Company between 2014 and 2015, illegally downloading thousands of confidential documents. He then got a job with a Chinese automotive service systems company in 2015 and supplied his new employer with these unlawfully obtained trade secrets.
• Walmart accused their technology vendor and partner Compucom of spying into the private conversations of the retail giant’s C-level executives in 2019. As per the allegations, Compucom employees gathered data that would later give the company an advantage in winning the bid with Walmart.

#2 A malicious insider covertly accessed customer data
• The National Security Agency (NSA) of the United States is responsible for several such cases. In 2003, an NSA employee allegedly monitored a woman he was involved with. She caught on to it and reported the incident, which led to an internal investigation.
• One year later in 2004, it was discovered that another employee was keeping tabs on an unknown number she found in her husband’s contacts out of fear that he was cheating on her.
• In 2011, one staff member stationed overseas spied on the private phone calls of her partner back home, as well as on the conversations of the people she met in that respective country.

These incidents were referred to internally as LOVEINT, which is short for Love Intelligence.

#3 A malicious insider gained profit from privileged information
• In 2011, a former Bank of America employee provided malicious third parties with the sensitive banking info of an undisclosed number of customers. Fraudsters used this information to cause damages that amounted to a whopping $10 million.
• AT&T employee Chouman Emily Syrilien provided a co-conspirator with files containing the personally identifiable information of multiple clients of the telecom services provider. Syrilien was part of a larger data theft scheme involving multiple members of staff.
• An employee working for esteemed cybersecurity software provider Trend Micro accessed a database containing confidential customer information and sold it to a cybercriminal group in 2019.

#4 A malicious insider sabotaged company data and operations
• A former network engineer working at the Charleston-based oil and gas company EnerVest Operating remotely accessed systems in 2014. This had malicious intent behind it, as the engineer reset the network to factory settings, causing damages.
• Back when VP Kamala Harris was a district attorney in San Francisco in 2018, a network engineer for the San Francisco Department of Telecommunications and Information Services (DTIS) named Terry Childs refused to give up the login credentials to the entire network he had built.
• Upon receiving his termination notice in 2015, Canadian Pacific Railway employee Christopher Victor Grupe abused his still-valid login credentials to get into the company network, deleted some essential administrative accounts, and changed the passwords to others.

#5 A malicious insider shared confidential information with the media
• In 2014, former Microsoft employee Alex Kibkalo, who worked for the company out of Lebanon and Russia, was caught disclosing trade secrets to a French blogger. The leaked information contained, among other things, screenshots of a then-unreleased version of the corporation’s renowned Windows operating system.
• A total of 29 Apple employees disclosed confidential data about product launches in 2018. Out of them, only 12 were arrested.
• While many Tesla employees practiced ethical whistleblowing against the company in the past, one staff member shared confidential business information, such as production numbers, with journalists on Twitter.

A Checklist for Malicious Insider Prevention

If you take just one thing away from the examples I listed above, let it be this – malicious insider threat can target the best in any industry. The checklist below will help you prevent it from happening to you too. So, without further ado, let’s get into some actionable advice.

❒ Know the signs of malicious insider activity
The main purpose of malicious insiders is to steal sensitive information, which they will then misuse in one of the five ways mentioned above. When this type of threat rummages around your company network, they’re going to leave a paper trail regardless of how hard they try to hide their activity. There are three telltale signs of this:
1. Logging in at odd hours
2. Unexpected traffic spikes
3. Data transfers that are out of the ordinary
Looking out for these markers of unusual activity in your system means that you will be able to respond quickly if a malicious insider threat targets your enterprise. Thus, you can take appropriate action right away and remove the privileges of the user account that is being misused.
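The three signs above can be checked against each user's own history rather than a company-wide norm. The sketch below is an added example, not part of the original article: the log format, user names, destinations and both thresholds are assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

HOUR_TOLERANCE = 1   # assumption: a login within 1h of a usual login hour is normal
SPIKE_FACTOR = 3     # assumption: a day above 3x the user's median volume is a spike

# Constructed sample logs: timestamp, user, event, destination, bytes sent.
BASELINE = """\
2021-03-01T08:55:00 alice login - 0
2021-03-01T10:12:00 alice transfer fileserver 40000000
2021-03-02T09:05:00 alice login - 0
2021-03-02T11:30:00 alice transfer fileserver 55000000
2021-03-03T09:10:00 alice login - 0
2021-03-03T15:45:00 alice transfer fileserver 35000000
2021-03-01T13:58:00 bob login - 0
2021-03-01T16:20:00 bob transfer backup 900000000
2021-03-02T14:03:00 bob login - 0
2021-03-02T16:25:00 bob transfer backup 950000000
2021-03-03T14:01:00 bob login - 0
2021-03-03T16:22:00 bob transfer backup 920000000
"""
REVIEW = """\
2021-03-08T09:01:00 alice login - 0
2021-03-08T10:40:00 alice transfer fileserver 45000000
2021-03-08T14:05:00 bob login - 0
2021-03-08T16:30:00 bob transfer backup 940000000
2021-03-09T02:47:00 alice login - 0
2021-03-09T02:55:00 alice transfer personal-cloud 30000000
2021-03-09T03:10:00 alice transfer fileserver 800000000
"""

def parse(text):
    """Turn log lines into (datetime, user, event, destination, bytes) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, kind, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), user, kind, dest, int(size)))
    return events

def build_profiles(events):
    """Per-user baseline: usual login hours, usual destinations, daily volume."""
    profiles = defaultdict(
        lambda: {"hours": set(), "dests": set(), "daily": defaultdict(int)})
    for ts, user, kind, dest, size in events:
        p = profiles[user]
        if kind == "login":
            p["hours"].add(ts.hour)
        elif kind == "transfer":
            p["dests"].add(dest)
            p["daily"][ts.date()] += size
    return profiles

def hour_gap(a, b):
    """Distance between two hours on a 24h clock (23 and 1 are 2 hours apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def detect(profiles, events):
    """Return (user, sign, detail) alerts for the three signs in the checklist."""
    alerts, daily = [], defaultdict(int)
    for ts, user, kind, dest, size in events:
        p = profiles.get(user)
        if p is None:                       # account with no history at all
            alerts.append((user, "no-baseline", ts.isoformat()))
            continue
        if kind == "login":
            gaps = [hour_gap(ts.hour, h) for h in p["hours"]]
            if not gaps or min(gaps) > HOUR_TOLERANCE:
                alerts.append((user, "odd-hour-login", ts.isoformat()))
        elif kind == "transfer":
            if dest not in p["dests"]:      # destination never used before
                alerts.append((user, "unusual-transfer", dest))
            daily[(user, ts.date())] += size
    for (user, day), total in sorted(daily.items()):
        history = profiles[user]["daily"].values()
        typical = median(history) if history else 0
        if total > SPIKE_FACTOR * typical:  # volume spike against own baseline
            alerts.append((user, "traffic-spike", day.isoformat()))
    return alerts

def run():
    return detect(build_profiles(parse(BASELINE)), parse(REVIEW))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Because each account is compared with its own history, bob's routine 940 MB backup raises nothing while alice's 830 MB night-time day is flagged.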

❒ Prevent privilege creep
The term privilege creep is a cybersecurity concept that is used to describe the accumulation of redundant access privileges, permissions, and rights on a user account that does not need them.

This tends to happen when an employee is promoted to a different position or moved to a different department.

When this happens, the staff member in question is granted new access rights that are appropriate for their tasks, while at the same time retaining the privileges from their previous position.

If overlooked, privilege creep can lead to an accidental superuser account that can be used to fulfill malicious motives.

The best way to prevent this from happening within your company network is by constantly auditing user accounts and monitoring changes. Keeping track of admin rights with a privileged access management tool is another useful route and one that can help you practice privilege bracketing within your system as well.
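A recurring audit for privilege creep can be reduced to comparing what each account holds with what its current role needs, and tracing any leftovers to earlier roles. The following is an added example, not part of the original article; the role names, entitlement strings and the set treated as privileged are hypothetical.

```python
# Constructed role baselines: the entitlements each role actually needs.
ROLE_BASELINE = {
    "helpdesk": {"ticketing:write", "ad:reset-password"},
    "sysadmin": {"servers:admin", "ad:manage-users", "backup:restore"},
    "finance-analyst": {"erp:read", "reports:write"},
    "finance-manager": {"erp:read", "erp:approve-payment", "reports:write"},
}

# Assumption: entitlements that count as privileged for prioritising review.
PRIVILEGED = {"servers:admin", "ad:manage-users", "ad:reset-password",
              "backup:restore", "erp:approve-payment"}

# Constructed account records: current role, role history, rights held today.
ACCOUNTS = [
    {"user": "dana", "role": "finance-manager",
     "previous_roles": ["finance-analyst"],
     "entitlements": {"erp:read", "erp:approve-payment", "reports:write"}},
    {"user": "eli", "role": "finance-analyst",
     "previous_roles": ["helpdesk", "sysadmin"],
     "entitlements": {"erp:read", "reports:write", "ad:reset-password",
                      "servers:admin", "backup:restore"}},
    {"user": "fay", "role": "helpdesk", "previous_roles": [],
     "entitlements": {"ticketing:write", "ad:reset-password",
                      "erp:approve-payment"}},
]

def audit(accounts, baselines=ROLE_BASELINE):
    """Return one finding per account, most privileged excess first."""
    report = []
    for acct in accounts:
        needed = baselines.get(acct["role"])
        if needed is None:
            # A role without a baseline cannot be audited; surface it instead
            # of silently passing the account.
            report.append({"user": acct["user"], "status": "no-baseline",
                           "revoke": [], "privileged_excess": 0})
            continue
        revoke = []
        for ent in sorted(acct["entitlements"] - needed):
            # Trace the leftover to the earlier role that required it, if any.
            origin = next((role for role in acct["previous_roles"]
                           if ent in baselines.get(role, ())), None)
            revoke.append((ent, origin or "unexplained"))
        priv = sum(1 for ent, _ in revoke if ent in PRIVILEGED)
        if not revoke:
            status = "ok"
        elif priv:
            status = "privileged-creep"
        else:
            status = "creep"
        report.append({"user": acct["user"], "status": status,
                       "revoke": revoke, "privileged_excess": priv})
    # Accounts drifting towards an accidental superuser come first.
    report.sort(key=lambda r: (-r["privileged_excess"], r["user"]))
    return report

if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding["user"], finding["status"], finding["revoke"])
```

Rights marked "unexplained" match no role in the account's history, so they point to an ad hoc grant that deserves a closer look than an ordinary carry-over.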

❒ Practice privilege bracketing
While we’re on the topic of privilege bracketing, let’s take a moment to discuss this beneficial cybersecurity practice. As I mentioned before, the main reason why malicious insiders become threatening to the safety of your enterprise data is through accounts that rack up a lot of privileges over time.

Privilege bracketing is the surest and most effective way to stop this. Based on the principle of least privilege, it involves giving user accounts the minimum access rights that are necessary for the completion of daily tasks. In this way, you can ensure that your enterprise’s private data remains private, together with any personally identifiable information stored in your corporate system.

❒ Implement the zero trust model
Coined by Forrester analyst John Kindervag, the zero trust model implies that no user account operating within a corporate network is to be trusted by default. Instead, everyone’s activity should be continuously authenticated, monitored, and validated. And yes, that includes C-level execs and employees of the company on top of third-party contractors and collaborators. The reason for this is that the practice is based around the never trust, always verify mentality.

Of course, this comes with its set of challenges. Implementing the zero trust model is thus an intricate process that includes multifactor authentication, data encryption, privileged access management, cybersecurity auditing, and more.

Nevertheless, it is essential for the prevention of malicious insider threat and the #1 priority in risk mitigation for the past three consecutive years, on the authority of global research and advisory firm Gartner.

❒ Work on your company culture
You know how the old saying goes – the fish rots from the head down. This is true of corporate culture as well, meaning that your leadership within the company or a specific team can be the root cause of issues such as insider threat.

As some of the examples I’ve given above show, malicious insiders are often disgruntled employees looking to cause harm to an enterprise they think has wronged them.

The solution to this issue is pretty straightforward, and it consists of improving the company culture as a whole. If your employees are satisfied with their place of work, they are far less likely to act malevolently towards it or be manipulated by someone who wants them to.

What is more, a staff member that loves their job is far more likely to practice ethical whistleblowing and denounce coworkers that might not have your business’s best interest in mind. It’s a win-win whichever way you look at it, and all you have to do is listen. Be receptive to their feedback and take constructive criticism into account. That is the mark of a strong leader.

Final Thoughts on Malicious Insider Threat

The human factor is an unpredictable liability in any company. You never know when an employee can go rogue or mess up without meaning to. And on top of that, malware operators and other ill-intentioned third parties are always looking for pawns to help them fulfill their nefarious purposes. For this reason, insider threat is a reality of our time, and it can damage your assets and taint your company’s reputation even when it’s unintentional.

When insider threat becomes malicious, it’s a whole other story. It is your responsibility as a leader to make sure that that doesn’t happen to your company by not only putting the right policies into place but by improving your relationship with your team as well.

Change starts from the inside out, and by that, I mean from your company culture. The technical aspect of it all is not to be overlooked, of course. Privileged access management tools, as well as data encryption, multi-factor authentication, password hygiene procedures, and so on, are essential to the digital well-being of your enterprise. The process is a challenging one, but the results are worth it. Are you ready to take your enterprise cybersecurity to the next level?

Sources
CNBC
Computerworld
DataBreachToday Asia
Federation of American Scientists
FindLaw for Legal Professionals
The Federal Bureau of Investigation
Fortune
Medium
The New York Times
The Ponemon Institute
Reuters
Slate Magazine
U.S. Department of Justice

You can contact Alina-Georgiana Petcu on LinkedIn with your questions:
https://www.linkedin.com/in/alina-georgiana-petcu-166905197/

Guest-blog: Scott Hunter discusses the importance of Five High Impact L&D Ideas on a Shoestring Budget

Scott Hunter

Today’s leadership development landscape demands employees adapt to constant change. In order for organizations to take on the pressing need of reskilling and upskilling, it’s critical they’re immersed in a culture of learning. However, the way we learn is changing: employees want control of their own learning, yet they also want guidance and support from managers and learning and development teams.

The uncertain economic environment of the past few years has had a significant impact on the resources available for learning and development in many organisations. This year we are starting to see signs of greater L&D investment in parts of the private sector, but pressure on resources remains an issue for many and workloads are high. This squeeze on resources, combined with an increasing shortage of key skills, means the need for effective, targeted L&D will continue to grow.

Currently many are held back by a lack of confidence, knowledge and insight around how to harness technological tools to improve their learning and development interventions. L&D needs to build skills and expertise in this area to profit from new innovations that meet business requirements and the demands of learners.

The L&D profession faces a stimulating and challenging future in meeting organisational and learner requirements in fast-paced and busy environments. L&D teams need to continue to work collaboratively across the organisation to ensure that current and future business needs are met and that L&D is agile, effective and timely. Technological developments and emerging insights from other disciplines have great potential to aid this process – but only if the capability to exploit these tools and techniques is developed concurrently. We, therefore, need to keep an eye on the future, to understand the evolving learning landscape, while continuing to build the professional competencies we need today to drive and sustain organisational success.

Today I have the distinct pleasure of introducing another Guest Blogger, Scott Hunter. Scott is a specialist in personal influence and creative thinking.

Scott works in an exciting and ever-changing world, faced with new challenges and opportunities. Organisations today are in desperate need of creating agility and a more open capacity to learn. They need innovative solutions to meet the ever-increasing demand for change, requiring a new approach.

There is an opportunity for a holistic approach to learning and change to come to the fore. There is more demand than ever for learning that engages, adds value, drives performance and reignites organisational values and purpose.

Scott has been involved in learning for over 20 years, experiencing the good, the bad and the downright ugly. Over the last 5 years, he has focused on the changing landscape of learning and finding new ways to create development opportunities and learner journeys outside of the normal approaches.

Scott is going to talk to us about the importance of innovative learning and development and the ‘Five High Impact L&D Ideas on a Shoestring Budget’.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

L&D is often under budgetary and time pressures, with an ever-increasing demand to deliver solutions. This can appear like a never-ending challenge to meet these seemingly paradoxical pressures of developing employees with less money and time.

I would argue that these challenges can be an opportunity for L&D to have an organisation-wide impact, and for L&D to help change the perception of what learning is within organisations. Using innovative solutions, it can be possible to guide learning in the organisation in a way that aligns with business objectives and shares accountability.

Learning cannot be detached from performance and, to achieve this, it is important to identify the environmental issues that need to be considered. It is not enough to just introduce new L&D activities and solutions without considering the requirements needed to help support the practice of new skills/behaviours in the workplace.

Here are 5 ideas for learning solutions that can be delivered with little financial or time investment from L&D, the participants or the organisation. Included are some thoughts on each idea and some potential environmental considerations for them to deliver the biggest impact.

1. Dragon’s Den (Shark Tank)

Elvin Turner, in his book ‘Be Less Zombie’, describes experiments as the rocket fuel of innovation and, let’s be honest, which organisation doesn’t want more innovation at the moment?

Experiments enable organisations to explore possible innovation, with minimal financial or time investment. They enable innovation to become less risky and more data and evidence-driven.

This is based on the Dragon’s Den TV show.

Once a month/quarter, an employee can pitch their innovation-ideas to a panel of managers in the organisation.

If the managers like the pitch, they can then agree to invest a small amount for the employee to run an experiment to test the assumptions their innovation is based upon.

To meet the criteria of an experiment it should be:

• Small
• Cheap
• Fast
• Designed for learning

This provides an ability to maximise learning with the minimum commitment of resources. Each iteration and development of the innovation is supported by data demonstrating the potential after every step.

It also provides information that can create clarity on actions or directions that will not be beneficial to the organisation.

Some of the advantages of this L&D activity:

• Increases employee understanding of the organisation
• Develops critical skills required for leadership
• Aligns innovation energy towards tangible benefits for the organisation
• Creates deeper insights into opportunities
• Creates knowledge that can be used across the organisation to make evidenced improvements
• Encourages collaboration across the organisation

Environmental considerations

• Leaders being open to the ideas from employees
• Supporting the experimentation during work time
• Reward and recognition of employees in line with learning
• Supporting employees in developing pitches
• Support in designing experimentation and metrics
• Allowing employees to be involved in the projects

2. Work Based Projects

Work-based projects can be used to align employee learning efforts to strategically identified outcomes, creating opportunities that have tangible business outcomes. Creating an environment where employees can participate and learn simultaneously provides huge benefits.

Projects are ongoing within organisations on a regular basis and are great opportunities for employees to practice the skills/behaviours identified. These projects can be existing ones, or they can be created to specifically support the application of skills/behaviour from a programme, such as a leadership programme.

The use of projects can provide an evaluation of the application of learning, the behaviour of participants and the application of skills in a real business environment. This provides the opportunity for specific and data-rich analysis of the programme and its impact.

Some advantages of this L&D activity:

• Provides opportunities to practice skills and behaviours in a real business environment
• Provides rich data to evaluate the programme and participants
• Links tangible business outcomes to the L&D activity
• Provides the opportunity to test the organisation’s processes and procedures
• Develops a deeper understanding of the organisation
• Encourages collaboration and cross-functional/department working
• Develops leadership skills

Environmental considerations

• Leaders’ support in providing time to be involved in projects
• Clarity on the deliverable of project and provision of sufficient resources
• Agreement and collection of suitable and relevant metrics
• Ongoing support and feedback during the project

3. Peer to Peer feedback sessions

The power of feedback has been well documented and is an integral aspect of performance management and coaching. However, I would suggest that most of the interactions and observations of our work are with our peers.

It seems, therefore, that gaining feedback from peers can be a great source of information for areas of improvement, and recognition. The use of peer to peer feedback can create a more open and transparent working environment.

Also, it can provide insights into behavioural aspects of performance, which can often be missed in more traditional performance management approaches.

It can work in an organic way, where feedback is in line with recent observations and requests. Or it can be guided, perhaps to provide feedback to specific behavioural requirements of the organisation.

One example could be that putting customers first and excellence are key pillars of the organisational strategy. L&D could then provide guidance on what areas to observe and provide feedback on during the peer to peer sessions. This links ongoing organisational feedback with identified strategic outcomes of the organisation.

Potential advantages of this L&D activity:

• Improved performance across the organisation
• Improved relationships
• Improved teamwork and communication
• Alignment of feedback to organisational outcomes
• Support delivery of behavioural change in the workplace

Some environmental considerations

• Support of peer to peer feedback in the performance management process
• Review reward and recognition policies and processes
• Support with guidelines on providing and receiving feedback
• Support from line managers to encourage the process
• Agree metrics for uptake and impact

4. Skills-based video channel

Employees want to be able to do what they need when they need it; the lack of specific, and often small, pieces of information can create unnecessary delays. An example may be needing to create a pivot table in Excel.

Normally this may require an employee to find someone who knows how to do this and then ask them to show them. This is a time-consuming and inefficient method of knowledge sharing.

L&D can create a video channel that is dedicated to micro explainer videos of skills that are often required within the organisation. Working with line managers, L&D can identify employees who have these skills and approach them to create explainer videos.

These videos can then be tagged and hosted on an in-house server, or externally such as a closed YouTube or Vimeo channel. Content can be updated, as and when it becomes clear that skills are required, or an employee has a skill that could be beneficial.

This will provide employees with a searchable and accessible resource of skills and information, which they can easily use at the point of need.

The content could also be highlighted to groups at the points in their employee life cycle when it may become useful. For example, reminders about interview skills or tips for performance management could be provided to line managers in the run-up to scheduled performance management reviews and assessments.

Potential benefits of this L&D solution:

• Provide access to skills as and when required
• Reduce potential delays, improve productivity
• Increase motivation and value for those employees selected to provide content
• Flexible content that is adaptable to organisational needs
• Reduce dependence on training courses, saving time and finances
• Reduce time away from work of subject matter experts

Environmental issues

• Access to the appropriate server to host videos and allow organisation-wide access
• Review reward and recognition for those submitting content
• Provide feedback for content generation
• Support of leadership in creating content
• Ensure compliance with appropriate copyright and licensing requirements
• Communication of resource

5. Microlearning activities

Microlearning is all around us and used in everyday life, allowing employees to consume information and learning quickly and effectively.

These activities can be directly linked to skills or behaviours that are required to deliver team/organisation outcomes. This provides flexibility to create content that can be delivered within specific areas of the organisation, or across the whole organisation.

These can be scheduled and used as stand-alone actions or can be used to support other programmes or initiatives.

In the ‘Influence to Innovate’ coaching programme we provide individual and group microlearning activities. One example is called ‘Lip Sync’ which was designed to help develop better listening skills. Below is an outline of the activity.

Title

Lip Sync

Rationale

To build trust, one of the most important dimensions is selflessness. However, in conversations, we often interrupt and speak over others. This demonstrates that we are more interested in what we have to say rather than what others are saying. This damages our reputation and decreases the trust others have in us.

How to Play

• During your day, when you’re invited into a conversation, pay attention to the lips of the others.
• As soon as their lips move, you must ‘Lip Sync’ by not moving your lips and letting others speak.
• Your objective today is to ‘Lip Sync’ as often as possible, ensuring that your lips do not move at the same time as others

Reflection

At the end of the day, take some time to reflect back and answer the following questions:

• What were the differences in conversations when you managed to ‘Lip Sync’ compared to when you were unable to?
• What do you think the impact on the others was?
• How might ‘Lip Sync’ help you in your work and personal relationships?
• What action can you take to improve your ‘Lip Sync’ ability?

As an example, you can see that this activity can be briefed quickly and the playing of the activity happens within the normal working day. It does not impact the operations of the organisation and can be completed across specific teams or the whole organisation at the same time.

The use of microlearning can help develop learning at speed and scale.

Some benefits of this L&D solution:

• Specific skills can be developed organisation-wide at the same time
• There is no requirement to be released from work
• Skills can be developed that are directly linked to team/organisation goals
• Can be used to develop behaviours in real work environment
• Can support long term learning programmes
• Improve relationships within organisations
• Can embed values at scale and speed

Some environmental considerations:

• Support from line managers in playing the game
• Support to encourage reflection on the day’s play
• Facilitating healthy discussions within teams
• Link required behaviours to performance management, reward and recognition
• Access to activities
• Enabling all employees to participate

Summary

In my opinion, L&D does not own the learning in the organisation, and can move itself to be seen as the strategic convener of learning. All the ideas in this blog were chosen against the following criteria:

• Had limited operational impact
• Had limited financial costs
• Encouraged learning, as close as possible, to the required application
• Ability to support organisation-wide learning
• Ease of linking to organisational outcomes
• Encourage multiple stakeholders in learning
• Can be easily evaluated for impact

This is not an exhaustive list, and there are many great ideas on how to create learning opportunities in the workplace.

Hopefully, these ideas have given you some food for thought, enabling you to implement some of these quickly and easily into your organisation.

These ideas may help move the conversations L&D are having in organisations and change the perception and move them to be seen as trusted strategic partners.

If you would like to chat about changing the perception of learning in organisations, feel free to reach out.

You can contact Scott Hunter with your questions:
email: scott @ theinnovatecrowd.com
web: www.theinnovatecrowd.com
LinkedIn: Scott Hunter

Moving from Cyber Risk Insurance to a Cyber Risk Management Strategy


2021 has progressed with even more challenges and promises to deliver even more changes to the pace of a fast technological environment. Risk professionals need to look back and consider the lessons learned from 2020.

Have we returned to where we were, or have we moved on to a new norm?

What does the COVID-19 pandemic market data tell us that will help us to prepare for future global crises?

2020 was a rollercoaster for the financial markets. At the beginning of the year, the economy was enjoying the longest continuous growth stretch on record.

The stock market was constantly hitting new highs. The Federal Reserve was starting to bring Treasury yields back up for the first time since the Great Recession. And then came March…

Given that framework, the first question we want to answer is: “As risk professionals, how prepared were we for these types of market swings?”

In the insurance industry, companies rely on economic scenario generators (ESGs) to produce a wide range of plausible, cohesive futures for the variables that drive their results — for example, corporate bond and equity returns, as well as Treasury yields.

These models are not predicting specific events, like a pandemic or a war; instead, they simply attempt to estimate the likelihood of a 20% drop in the equity market over the next year.

So, to answer the question posed above, we need to test how well the ESGs that we use were able to predict the financial market movements we have seen in 2020.

If our models covered these types of results, then we can take comfort that we were well prepared; if not, then we have to think about how to adjust our framework to be better prepared for the next calamity.

So, where does this leave an Insurance Chief Risk Officer?

First, we should take a critical look at how well our key economic models performed at anticipating these types of extreme market movements. If our models weren’t up to the task, then we need to rethink how those models are calibrated, as this is likely to lead us to either take on too much risk or the wrong types of risks.

We also want to make sure we perform this review on both the good times and the bad times since we are using these models for much more than just risk measurement.

This now brings us to one of the widest subjects in technology today: cyber risk insurance, which has become very popular over the last five years with larger corporations as a means to potentially cover the unexpected cost relating to data breaches and ransomware attacks.

This is not surprising, taking into consideration that global ransomware damage costs are predicted to reach $20 billion (USD) by 2021, according to the latest report by Cybersecurity Ventures.

According to the report, this is a 57X increase in the last five years. Ransomware is expected to attack a company every 11 seconds according to the report.

Ransomware poses the biggest threat as a business is adversely impacted to a point where business is shut down. In 2019 alone, the average business downtime was over nine days. According to Bitdefender, downtime costs due to ransomware on average were 50 times more than the ransom requested from Cyber Criminals.

According to the latest IBM Security Ponemon report on the cost of data breaches, the average for data breaches in the US was $3.8 million (USD) for less than 100,000 records. The average time to identify and contain a breach is 280 days. In breaches of 1 million to 10 million data records, the average cost was $50 million (USD), more than 25 times the average cost of breaches of less than 100,000 data records.

According to Security Boulevard, the cyber attack surface is increasing as companies accelerate digital transformation and remote work, leaving them at higher risk of cyberattacks. The top cyber threats to companies for 2021 are the following:

• Cloud-based threats. As more companies move to cloud services and adopt more cloud-based tools from 3rd party vendors, this also increases the security footprint the company needs to look at protecting. It is no longer just the internal systems of the company that pose a risk.

• Insider threats. This involves internal actors (employees, contractors, vendors) with valid credentials to key business systems colluding with cybercriminals to provide them access to data that can lead to data breaches and ransom attacks.

• Remote worker end-point security, where the use of unsecured network services leaves backdoors open for cybercriminals to gain access to company data and infrastructure.

• Phishing attacks employing social engineering to obtain access credentials.

• Deep Fakes. A growing threat where artificial intelligence is used to manipulate videos that falsely represent a person to commit more advanced phishing attacks. This could generate synthetic identities to gain access to systems.

• IoT devices. Unless properly secured within the overall part of the business, the introduction of IoT devices increases the complexity and attack surface for cybercriminals to exploit. The recent Verkada cyberattack, which exposed video footage from over 150,000 cameras of various companies, such as Amazon and Tesla, demonstrated this risk.

• Malvertising where malicious advertisements including technical support scams are used to spread malware.

• Sophisticated and targeted ransomware attacks. This includes a key risk around personal staff safety.

• Social Media attacks where cyber criminals use social media platforms posing as the legitimate company in order to spread malware.

According to AdvisorSmith, the average cost of cyber insurance in the US in 2020 was $1,485 per year, covering liability of up to $1 million.

There are a number of factors, such as company revenues and the number of sensitive data records, to name a few, that impact cyber insurance premiums.

Looking at the averages for Cyber insurance and the explosive growth in the cost of data breaches, most companies are grossly under-insured to cover the costs of potential data breaches or ransomware attacks.

Cyber-insurance may be a good option for covering some of the liability and cost in the event of a breach. However, it falls way short in minimizing the actual liability in the cost of a data breach or ransom attack to the company.

How should companies and the Board balance the cost to cover the liabilities due to cyber risk in the company?

Spend more money on insurance with higher premiums vs. more investment to implement risk management across the organization and supply chain through policies, incident response preparedness, cyber training, and cyber security systems?

The latter part of the equation can be quite daunting, and the “easy” way out seems to be to rather take out the insurance, and deal with it when a breach happens.

What shall companies look at in order to solve an increasingly complex cyber governance problem when looking at the cost, and where to most effectively spend the money to mitigate the risk?

The typical cost of a cyber attack, when one happens, can be broken down into the following elements:

• Forensic analysis for identifying the attack source
• Unplanned IT spend to recover data, remove malware, recover from downtime, implement new systems to prevent similar attacks, update 3rd party vendor or supply chain systems, and other items
• Public relations services
• Notification of clients, shareholders, and regulators
• Credit monitoring services (if customers’ financial data was stolen)
• Loss of income
• Regulatory penalties depending on the breach

The best strategy is to avoid the additional cost, as far as possible, through better governance, incident reporting and planning, and implementing security automation as far as reasonably possible.

Worldwide spending on information security and risk management technology and services continued to grow through 2020, although at a slower rate than previously forecast, according to Gartner, Inc.

Information security spending grew 2.4% to reach $123.8 billion in 2020. This is down from the 8.7% growth Gartner projected in its December 2019 forecast update. The coronavirus pandemic is driving short-term demand in areas such as cloud adoption, remote worker technologies, and cost-saving measures.

“Like other segments of IT, we expect security will be negatively impacted by the COVID-19 crisis,” said Lawrence Pingree, managing vice president at Gartner. “Overall we expect a pause and a reduction of growth in both security software and services during 2020.”

Gartner’s survey showed the top 10 categories of expenditures as follows:

1. Application Security
2. Cloud Security
3. Data Security
4. Identity Access Management
5. Infrastructure Protection
6. Integrated Risk Management
7. Network Security Equipment
8. Other Information Security Software
9. Security Services
10. Consumer Security Software

How big is your cybersecurity budget? Probably not big enough. Organisations need to invest more in their security.

Over the years, spending on cybersecurity has changed substantially. In 2019, worldwide spending for security products and services is estimated to be more than $124 billion, an increase in growth of 8.7% from last year.

Companies around the world are no longer considering cybersecurity a minor part of their spending budget, but rather a priority. One of the main reasons for this is the large security breaches that have occurred in the past few years, putting business and personal data at a higher risk than ever before.

According to IBM’s report, companies with fully deployed security automation saw a cost-saving of $3.58 million (USD) on the cost of a data breach vs. companies with no security automation.

Companies with incident response preparedness saw an impact of $2 million (USD) savings on average on the total cost of a data breach.

Boards and companies should have clear plans and strategies around the following four cost centers. Where cost centers are missing, these need to be taken into consideration. Start with assessments of the status of the activities within these four key pillars for cyber governance and make these a strategic part of all budget spend and activities across the whole company, as well as 3rd party supply chain of the company.

Detection and escalation. Activities that enable a company to reasonably detect the breach.
• Forensic and investigative activities
• Assessment and audit services, including Incident Response
• Crisis management
• Communications to executives and boards

Lost business. Activities that attempt to minimize the loss of customers, business disruption, and revenue losses.
• Business disruption and revenue losses from system downtime
• Cost of lost customers and acquiring new customers
• Reputation losses and diminished goodwill

Notification. Activities that enable the company to notify data subjects, data protection regulators, and other third parties.
• Emails, letters, outbound calls, or general notice to data subjects
• Determination of regulatory requirements
• Communication with regulators
• Engagement of outside experts

Ex-post response. Activities to help victims of a breach communicate with the company and redress activities to victims and regulators.
• Help desk and inbound communications
• Credit monitoring and identity protection services
• Issuing new accounts or credit cards
• Legal expenditures
• Product discounts
• Regulatory fines

(Cost center model per IBM in the Cost of Data Breach Report)

Digital technologies are ushering in a new era and driving transformative changes in every industry, as organizations adopt these technologies to redefine how they create, deliver, and capture value.

Identifying, understanding, and addressing new risks associated with digital transformation will help businesses derive more value from their efforts in the future. What’s more, understanding how digital transformation can be applied to risk management will enable organizations to take a more balanced view of digital technologies as both a source of risk and a way to manage risk.

As your organization embarks on its digital journey, we invite you to learn more about the evolving risk landscape and new opportunities to better manage risk.

Misalignment between an organization’s goals for digital transformation and employee values and behavior creates new culture risks.


The final topic we would like to address is digital ethics. Being more in tune with digital ethics and having plans and processes in place will also help organisations respond more effectively when an incident does occur.

Firms not only need processes in place to ensure that they are ready to respond quickly to address problems but also to fulfill their regulatory obligations by promptly disclosing any breach to the regulator as well as any impacted customers.

As part of their digital transformation efforts, organizations need to act responsibly and promote ethical use of technology.

They also need to have pre-established influencer relationships that they can leverage to counter any hysteria or misinformation which might arise that could interfere with their business or impact their brand.

Organisations that have a culture that takes digital ethics seriously, will behave in ways that will minimise the risk of incidents and will act in ways that help build stakeholders’ trust. Those that don’t take digital ethics as seriously will not only be at higher risk of impact but will struggle to establish such trust.

Making data ethics a key corporate value can have a significant potential upside. Implementing data privacy policies and updating crisis management plans to address data breach scenarios will minimise any downside.

At the very least, engaging with influencers or cyber professionals/experts early can help you be better prepared to respond to calamities. Our definition of influencers is cybersecurity specialists who play a key role in securing information systems.

By monitoring, detecting, investigating, analyzing, and responding to security events, cybersecurity specialists protect systems from cybersecurity risks, threats, and vulnerabilities.

Taking their advice, or using them to independently assess or benchmark your data privacy policies and crisis management plans, can be used to demonstrate best practice in these areas, which in turn can mitigate potential fines or legal exposure in the event of a calamity.

Your customers want you to take a stand on data security and privacy, and be transparent about it – seeing it as more important than either your diversity or sustainability efforts.

Each and every company, regardless of its industry, has weaknesses that hackers exploit for their own gain. Just because a business is small or not in a vertical often associated with valuable data (such as healthcare or financial services) doesn’t mean it won’t make an enticing target for an opportunistic cybercriminal.

In fact, there are a number of reasons why start-ups and small businesses are sometimes more likely than even big businesses to be targeted.

  • Customer Information: Even the smallest start-ups often store or handle customer data such as financial information, Social Security numbers, and transaction history.
  • Proprietary Data: Start-ups often carry innovative and creative ideas for products and services, as well as internal research data that could be valuable to outside parties.
  • Third-Party Vulnerabilities: Hackers also target small businesses and start-ups because they sometimes do business with larger companies as third-party vendors and can provide entry points into those more valuable networks. Target’s infamous 2013 credit card breach, for instance, happened because of vulnerabilities in a third-party vendor’s system.
  • Multiple Interfaces: Another reason for increased attacks is the growing use of Internet of Things (IoT) devices that increase the attack surface of networks. Small businesses are turning to IoT devices more often due to their lower costs and growing capabilities. Unfortunately, hackers often exploit poorly secured devices as a backdoor to access broader, more sensitive networks.
  • Lack of Finances: Since small businesses and start-ups are working on a tight budget, they don’t always place cybersecurity at the top of their priorities list and often neglect the latest patches and updates.

The power of digital technologies to enable new sources of revenue can be significant. Due to the proliferation of digital technologies and the particular ethical challenges they present, organizations are increasingly expected to consider ethical obligations, social responsibilities, and organizational values as guides to which digital opportunities to pursue and how to pursue them.

As discussed in the “Managing data risks for value creation” trend, responsible and unbiased collection, handling, use, and privacy are top areas for concern when it comes to data. Also, there are increasing calls for digital services that are fair and equitably accessible, promote physically and mentally healthful uses, encourage inclusion, and are geared toward socially beneficial uses.

Digital adopters want technologies that aren’t harmful or abusive and are safe and error-free. There’s an opportunity to do well by doing good—pursuing digitally responsible growth strategies that build stakeholder trust.

Finally, organizations are conscious that digital transformation involves more than technology adoption. It requires concerted efforts to define how enterprises organize, operate, and behave by aligning strategy, structures, processes, people, and technology to build a unique digital DNA.

Organizations can sidestep unnecessary risks and harness risk to power performance by adopting a risk lens and a holistic approach as part of their efforts. Below are a few guiding principles.

Conclusion: Boards can harness risk to power performance in a digital world, but only with a responsible Digital DNA and hopefully with the Digital Services Act (DSA) that will bring digital reform.

As Tom Golway, Chief Technologist in the Advanced R&D organization of Hewlett Packard Enterprise once said:

“The deeper, philosophical question is does the 1st Amendment apply to AI algorithms. Resolving this is an immediate challenge that needs open dialogue that includes a broad set of disciplines, not just technologists”

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Previously she was CIO at Cell C, a challenger mobile carrier, and before that held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSc in engineering.

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management, he is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.

Are corporate boards complacent with cyber risk?

Boards of directors have been working hard to fulfill their risk oversight responsibilities in a challenging environment. Regulations are changing rapidly in most industries, and vary significantly across countries.

Investors, analysts, and the public are demanding greater transparency into risk and risk management, as are creditors, counterparties, and other stakeholders. Many boards legitimately wonder not only what regulators want, but also which approaches to risk oversight actually work.

Deloitte set out to study a specific and very effective risk governance mechanism: board-level risk committees. This report revealed the prevalence of board-level risk committees (whether standalone committees focused solely on risk, or hybrid committees such as audit/risk) based on an analysis of 400 large public companies in eight countries.

In summary, these were some of the findings:

• Board-level risk committees are well-established and widespread — present in 38% of the 400 companies analyzed. About a quarter (22%) have standalone board-level risk committees, while 16% oversee risk through hybrid board-level committees.
• As might be expected, board-level risk committees are most prevalent in FSI companies (88%), but are also present in other industries (26%), often to a significant extent, depending on the country.
• Local regulations affect risk oversight structures. Australia, Brazil, Mexico, Singapore, the UK, and the US have regulations that require risk committees at the board level for FSI companies (sometimes dependent on the type and size of the company).
• Overall, 62% of all companies analyzed do not have a board-level risk committee. This largely reflects the lack of regulatory requirements for board-level risk committees in non-FSI companies in most countries.

Every week, a new data and security breach seems to be reported that appears to exceed previous breaches and hacks in scale. This year we are also seeing different uses for Distributed Denial-of-Service beyond simple volumetric attacks, including what we call quantum attacks.

Quantum attacks are relatively small and designed to bypass endpoint security and avoid triggering cloud failover mitigation.

These attacks are being used for scouting and reconnaissance. In a recent incident, Neustar stopped a quantum attack that never peaked over 300 Mbps, but it featured 15 different attack vectors, went on for 90 minutes, and involved all of Neustar’s globally distributed scrubbing centers.

This attack came from all over the world and was designed to bypass perimeter hardware, using protocols to circumvent their defenses. The attackers behind such campaigns may start small, but they can quickly add botnets, attack vectors, and ports to get what they want.

If it were measured as a country, cybercrime, which is predicted to inflict damages totaling $6 trillion USD globally in 2021, would be the world’s third-largest economy after the U.S. and China.

Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.

This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year and will be more profitable than the global trade of all major illegal drugs combined.

The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state-sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Some breaches involve more complexity, such as the SolarWinds supply chain breach, and others less, such as the recent global breach by hacktivists of data from over 150,000 Verkada security cameras. Once again, the data breach was global in nature and exposed the security policy and process vulnerabilities these hackers are using to gain access to corporate data via root access.

Industry research has shown that hackers are active in corporate systems for an average of 8 months before they may do something or make themselves known. Over 76% of cyber risk is due to insider risk, involving collusion between hackers and corporate insiders. It is no longer just a “technical” hack.

What is root access? A root administrator or gatekeeper is a superuser account on a computer or network that has complete control over all aspects of the system or network. The root administrator can access all data and software, and can configure, delete and change software code in the systems or network.

One of the top risks identified in cybersecurity audits today is regulatory governance risk. This reflects a legal requirement to be audited with respect to IT security, which makes audit and compliance metrics highly relevant and important.

Some examples include:

Audit and compliance metrics
➢ “Are we ISO-27001-compliant?”
➢ “Do we have a vendor risk management program?”
➢ “Do we have any outstanding high-risk findings open from our last audit or assessment?”
➢ “What percentage of the NIST framework are we implementing?”
➢ The NIST framework has roughly 80 questions associated with it. If a board member asks if you’re doing the NIST framework, you might say, “Today we’re doing 60% of it.”

Operational effectiveness metrics
➢ “How many intrusions were detected this year?”
➢ “How quickly are we detecting, investigating and remediating threats?”
➢ “How much have we spent this year?”
➢ “How many vulnerabilities were in our network and how quickly were they fixed?”
➢ “How many compromised systems did we have compared to last year?”
➢ “Has our risk profile changed?”
➢ “How did we compare to our peers across X time span?”

Knowing the best practices on how to present cybersecurity to the board is one thing but without substantive data, you won’t have a very compelling (or helpful) presentation.

The first thing you need to keep in mind regarding metrics is context. Board members likely don’t know what it means if you say that “500,000 intrusions hit the detection system.” You need to focus on being concise with your explanation and show them how the metric impacts the health of the company.

You’ll want to focus on showing metrics over time that reflect the management, or lack of management, of processes and policies for root admin passwords. In most cases, these processes are manual at best and there seems to be little appetite to implement additional security technologies that can dramatically reduce this risk.

IT organizations have become more fragmented in nature, especially where there are differing roles for Chief Digital-, Chief Information- and Chief Information Security Officers in organizations, each having responsibility for specific aspects of the overall technology stack of the corporation.

Unless there is a close collaboration between these roles, there will remain gaps in governance of access to data, systems and networks in corporations.

Take into consideration that a corporation is part of a business ecosystem of employees, contractors, 3rd party vendors and their contractors, resellers, partners and customers. All these parties require access to corporate data, systems and networks. The management of access and data security is no longer just contained to the closed “bubble” of a corporation and its employees alone.

The cyber strategy needs to incorporate this more complex supply chain risk and how to manage this across the business ecosystem. This is especially true for management of user access into these systems.

Very few companies have checks on when employees from vendors, 3rd party contractors and partners leave and need to be off-boarded from the corporate systems. The more manual these processes, the higher the risk that there will be dormant user credentials that hackers can exploit.

Where there is little appetite to spend more money on key IT security systems, the typical practice is to have the risk logged in the corporate’s risk register and for key executives, and in some cases the board, to accept and sign off on the risk.

Another approach is to do more “training” in awareness of cyber risk and write more policies, which again is only an internal approach to the corporation and employees alone. Training tends to happen when new employees are onboarded, and perhaps retrained after yearly pen-testing.

Employees tend to step through training, which includes reviewing the policies, and then forget about it as soon as they have received the credits for the training. The more extensive the policies are, the less effective they are in having people follow and implement them.

There still seems to be a lot of complacency at board level in managing the cyber risk, or in some cases, this is non-existent at board level. The main driver is the perspective of an “insurance” approach of cyber risk management.

As long as there is an “insurance” cyber risk mindset, believing that a breach has not happened and that we will “insure” the risk in case it happens, the corporate will remain at high risk when a breach happens. CISOs and/or CIOs are still missing at the board table, although this is changing. This leaves a gap, with poor understanding of cyber governance for the company at board level.

Don’t just leave the Cyber risk management up to the audit committee.

When cyber events happen, how do boards manage the challenges, cost and potential reputational risk?

Key steps boards can take to improve cyber governance, strategy and response to a major cyber event:
● Appoint third-party Cyber advisers as non-executive directors of the board.
● Appoint the CIO and/or CISO as members of the board
● Cybersecurity technology and services investment plan and strategy – ensure there is sufficient budget
● Establish a cyber business response plan
● Have a clear plan in place protecting the well-being and safety of employees
● Employee cyber safety reporting – especially where employees may be threatened and at risk
● Cyber incident and risk reporting as part of the monthly board agenda

Cyber risk can no longer be viewed as an “insurance” type of risk. The stakes are too high. The risk is no longer just relevant to your corporate, it involves managing the cyber risk as it relates to your full supply chain and business ecosystem.

The bottom line is that every board should periodically assess the risk oversight and governance needs of the organization and take whatever steps it deems necessary to address those needs. A board-level risk committee, whether standalone or hybrid, is one effective means of attaining the necessary visibility into risks and risk management and of exercising risk oversight. It is also one that most boards should at least consider.

Not long ago, a board of directors would meet once or twice a year to be briefed on cybersecurity, check the box, and move on. Cybersecurity was little more than an afterthought, and mostly a box-checking exercise for compliance or to make sure the bases were covered in the wake of a newsworthy event. With little technical understanding at the board level, many were happy to simply throw money at the problem and leave it to IT professionals to handle.

The Cyberspace Solarium Commission has an urgent message for the boardroom and C-suite executives: The status quo in cyberspace is unacceptable, which is spelled out in its groundbreaking 2020 Report which proposes a strategy of layered cyber deterrence to protect all U.S. businesses and governments from cybercrime and cyberwarfare.

Finally, we can all agree that over the course of 2020, global cyber threats have continued to evolve at speed, resulting in a dramatic reshaping of the cybersecurity landscape. Traditional threats such as generic Trojans, ransomware and spambots were transformed.

Every company should have a CISO or cybersecurity expert on their board because cybercrime is the greatest risk to business continuity that every company faces.

Cyber should be at the center of business strategy – not technical strategy only.

The idea we are describing is to put a senior cyber executive in the boardroom who will wave the red flag, challenge the severity of the risk and have the main and operational boards pay attention to it. No longer can you rely upon or expect the CEO to carry the competency of cyber risk to the business; including cyber experts makes for better decisions on business risk, absolutely.

The question is not whether you will be attacked. The case may be that you have already been attacked or witnessed a vulnerability breach without your prior knowledge. It is when, by what, and how badly your company’s reputation or finances will be damaged. And one thing is sure in the uncertain world of cybersecurity – the wrong time to consider defence is after the attack has occurred.

James Brien Comey Jr., an American lawyer who was the 7th director of the Federal Bureau of Investigation (FBI), famously once said: “We face cyber threats from state-sponsored hackers, hackers for hire, global cyber syndicates, and terrorists. They seek our state secrets, our trade secrets, our technology, and our ideas – things of incredible value to all of us. They seek to strike our critical infrastructure and to harm our economy.”

This article is the expressed opinions and collaboration between two senior-level industry board professionals on their views and perceptions on the subject matter:

MARIA PIENAAR
CTIO, Corporate Innovation, Digital Transformation, Investor Private Company Board Director & Advisor

Maria propels growth by speeding up discovery for companies whose leaders are frustrated by the slow pace of innovation.

Being a master networker, she extracts strategic value through tapping latent creativity of teams and customers and catalyzes partnerships with highly innovative organizations. Her diverse leadership roles in global 100 and startup companies enable her to see the end-to-end picture and plot the most effective course for designing, launching and scaling new products and services for companies, driving customer growth. Maria co-founded Blue Label Ventures, a Corporate VC focussing on investments in Digital Health, IOT, Cyber Security, Fintech (incl. InsurTech).

Previously she was CIO at Cell C, a challenger mobile carrier, and before that held various leadership roles in Business Development, Go-to-Market Strategy, Strategic Partner Management and Product Marketing for Lucent, Nokia, Vodafone, Globalstar and various startups. Maria holds a BSc in engineering.

Geoff Hudson-Searle is an independent non-executive director across regulation, technology and internet security, C-Suite executive on private and listed companies, and serial business advisor for growth-phase tech companies.

With more than 30 years’ experience in international business and management, he is the author of five books and lectures at business forums, conferences and universities. He has been the focus of TEDx and RT Europe’s business documentary across various thought leadership topics and his authorisms.

Geoff is a member and fellow of the Institute of Directors; associate of The International Business Institute of Management; a co-founder and board member of the Neustar International Security Council (NISC); and a distinguished member of the Advisory Council for The Global Cyber Academy.

He holds a master’s degree in business administration. Rated by Agilience as a Top 250 Harvard Business School thought leader authority covering blogs and writing across ‘Strategic Management’ and ‘Management Consulting’, Geoff has worked on strategic growth, strategy, operations, finance, international development, growth and scale-up advisory programmes for the British Government, Citibank, Kaspersky, BT and Barclays among others.

Sources:
Deloitte
Cybersecurity Ventures
CSC Research

Guest-blog: Deana Mitchell CMP DMCP discusses the importance of wellbeing and why good mental health matters

Deana Mitchell

The coronavirus COVID-19 pandemic is the defining global health crisis of our time and the greatest challenge we have faced since World War Two.

Since its emergence in Asia in 2019, the virus has spread to every continent except Antarctica.

But the pandemic is much more than a health crisis, it’s also an unprecedented socio-economic crisis.

Stressing every one of the countries it touches, it has the potential to create devastating social, economic, and political effects that will leave deep and longstanding scars.

Experts have predicted a “tsunami of psychiatric illness” in the aftermath of the COVID-19 pandemic. For such a large-scale event like the COVID-19 pandemic, the impact on mental health can be long-lasting.

The prevalence of common mental health disorders is expected to rise during the post-pandemic time as a result of the long-term effects of the pandemic, the restrictive measures such as social distancing and quarantine, and the socio-economic effects. This has implications for mental health services.

An inspired quote was shared with me recently ‘The darkest moments of our lives are not to be blurred or forgotten, rather they are a memory to be called upon for inspiration, to remind us of the unrelenting human spirit and our capacity to overcome the intolerable.’

People experience emotional disturbance, irritability, insomnia, depression, and post-traumatic stress symptoms immediately after the quarantine period. The long-term impact is considerable and wide-ranging including anxiety, anger, depression, post-traumatic stress symptoms, alcohol abuse, and behavioural changes such as avoiding crowded places and cautious hand washing. These psychological symptoms can last from several months up to three years after the quarantine period.

Social distancing could possibly lead to substantial increases in loneliness, anxiety, depression, domestic violence, child abuse, and substance abuse.

However, on a more positive note, COVID-19 has created opportunities for businesses to become more innovative. Facing external pressures, some business leaders are stepping out of their routines and comfort zones to become creative problem-solvers.

Along the way, they rediscovered their entrepreneurial spirit and provided us with a new sense of appreciation and gratefulness. It has offered us a new perspective on everything we have taken for granted for so long – our freedoms, leisure, connections, work, family, and friends. We have never questioned how life as we know it could be suddenly taken away from us.

Hopefully, when this crisis is over, we will exhibit new levels of gratitude. We have also learned to value and thank health workers who are at the frontline of this crisis, risking their lives every day by just showing up to their vital work. This sense of gratefulness can also help us develop our resilience and overcome the crisis in the long-term.

Today I have the distinct pleasure of introducing another Guest Blogger, Deana Mitchell CMP DMCP. Deana and I collaborated on a book, ‘God in Business’. I have the utmost respect for Deana and her work, and I know you will enjoy hearing her experiences and advice.

Deana Mitchell is an entrepreneur, mental health advocate, and co-author.

She started her entrepreneurial journey at the age of 14. Deana holds a Bachelor of Architecture degree from Louisiana State University and has enjoyed a three-decade career in the hospitality, meetings & events industry.

As the President of the newly formed company, Genius & Sanity, her mission is to help entrepreneurs and business owners reach their potential and thrive. The focus is to find the balance between career, success, and whole self-health.

In March of 2020, Deana founded the Realize Foundation, which is dedicated to creating awareness around mental health, specifically depression, anxiety, and suicide ideation. Deana is going to talk to us about the importance of wellbeing and ‘Why Good Mental Health Matters’.

Thank you, Geoff, it is a pleasure to collaborate with you on this important subject.

“I woke up in the hospital, realizing I was still alive…”

In May of 1997, I survived a suicide attempt. And then I spent 23 years hiding it from the world, and from myself. During those decades, instead of practicing self-care, I threw myself into work 24/7. I was used to being a workaholic, in fact, it was all I knew.

Growing up in a family of entrepreneurs, I had my first business at the age of fourteen. In 2010, I started a venture that grew into an award-winning seven-figure company.

All came to a screeching halt in March of 2020 with the rest of the world. I found myself with no work to keep my mind occupied and no travel to keep me moving. I was learning that work was my coping mechanism. I had to focus on something, or I was not OK.

What transpired in the next few months was life-changing. There was research, many conversations, networking, learning, self-reflection, and yes therapy. The result was becoming a different person and realizing my true calling in life. Let me explain…

You see, all those years I was constantly obsessed with climbing the ladder. Driven by proving myself to everyone and anyone around me, and all the while hiding the depression and anxiety that I dealt with on almost a daily basis.

The year of COVID taught me the absolute necessity of honesty and hard conversations. There is no true success in life without some sort of failure. If being successful was easy, whether personally or professionally, it would not have the same meaning to us. There is something to say about overcoming obstacles and working hard for something. It has a deeper meaning and is more fulfilling once you get there.

Without failures and hard times, success would feel empty. I believe that God uses all the tough awful stuff in our lives for growth. Once we have experienced the bad, we can use it for good. In order for that to work, we must be willing to look inside ourselves and process the things we survive. Without self-reflection, we cannot truly be our authentic and best selves.

First, we must get honest with ourselves. I mean, really honest. In order to get there, we have to spend time alone and quiet. You must find what works for you: journaling, meditation, praying, being out in nature, listening to music… there is no right answer as everyone is different. The key is to truly connect with yourself, reflect on your life and discover the kid inside. This can be painful and freeing at the same time.

Try talking to yourself in the mirror. I have a friend that hosted a self-care challenge recently and she told us to get in front of the mirror and say, “I promise to take care of you mentally and physically every day”. I got the first two words out before the tears streamed down my face. I realized I had not taken care of myself physically or mentally in decades, possibly my entire life. I felt like a fraud.

For me, after 23 years of silence on this front, it was difficult to even remember all that I had been hiding. I am not going to lie, it was hard and there were lots of tears, but in the end, it has been more valuable than I can explain.

Talking heart to heart with old friends from childhood and college gave me the sense of the person I had lost along the way. Asking them how they remembered me, helped me find myself again. I decided how I wanted to show up in the world moving forward and I am not ashamed of my past anymore. My identity was not the career I had built, although that was the person people knew for decades.

We must look inside to understand the shortfalls and disappointments we have experienced. The wisdom you glean from being honest with yourself is immeasurable. It is freeing. Then you get to decide what to do with that information.

It will change you. Are you feeling stuck, stressed, overwhelmed, stretched thin, and exhausted? Self-reflection and a custom plan of self-care can indeed change you into a happy, healthy, productive, rested, balanced person. It is a process, so be patient with yourself.

Next, we must get honest with the people closest to us. These conversations are hard, but I promise they will bring so much clarity and understanding. Preparing for these conversations is key.

Make sure you tell your loved one or friend that you need to have a serious conversation about something especially important to you. Make the time and space that you both need to make it productive. You cannot just schedule this as an hour in your calendar, it may need to be a whole day.

This works personally and professionally on different levels, but the person you are approaching needs context to understand what they are walking into, so they are ready, open to hearing what you want to tell them and not blindsided.

Think about the annual review you receive from your boss. You must mentally prepare for that conversation. Usually, even the criticism is constructive once you have time to digest and reflect on it. That information is painful at first but makes you stronger and better for it in the long run.

In my situation, I have the most loving supportive husband anyone could ask for, but he does not understand how my brain works. To be truthful, most of the time I do not understand how my brain works! Communication is key for him to help me get through. In the past, I hid it all. I traveled so much that it was easy to not let anyone in.

We can only hold it in and ‘go it alone’ for so long. There are people in our lives that care about us. If they knew what you were going through, they would do whatever they could to be supportive.

Having hard conversations does not end with your family and friends. It can be a business partner, employees, audiences that you speak to, or your followers on social media. If you start these conversations, they will have a ripple effect and help people in your various communities do the same.

Why do you do what you do? Does it make you happy? Do you enjoy your daily routine? I am not talking about what the people around you want you to do… or what you do to make others happy. This is not about why you make the world, or your industry better. But why do you do what you do? What is your passion? What makes you come alive? What is your life’s mission? Your true calling?

If you would have asked me those questions a year ago, I would have said I loved what I was doing. I had a wonderful husband and family, a successful business, an amazing team, and I enjoyed a plethora of colleagues all over the world. I served on several boards and was traveling all the time. It appeared that I had everything.

With the understanding I have gained over the last 10 months, the reality is that I was keeping up the appearance, so everyone saw what I just explained. But for me, I was exhausted, stressed, anxious and there was no end in sight. I was never home to spend time with the person in the world who loved me most.

The gift for me was understanding how life changes when you find your why. I lost a 20-year friend to suicide and knew at that moment I had to do something about it. That I needed to use my story to save others from the same plight. My silence did not help my friend, but the hard conversation may have.

When you understand your true calling in life and reach for it with everything you’ve got, your perception of yourself and the world changes for the better.

We all feel afraid, powerless, and alone at some point in our life. Whether it is a sick loved one or keeping our business afloat. Give yourself some grace, the world needs more kindness.

You matter, you are worth it, and you are not alone.

You can contact Deana Mitchell via the following websites and social links:

www.deanabrownmitchell.com

LinkedIn – Deana (Brown) Mitchell, CMP DMCP
Facebook – @GenuisandSanity
Instagram – @geniusandsanity
Twitter – @GeniusandSanity

Foundation – www.realizefoundation.org