One of your greatest strengths is also your greatest vulnerability. That is the dichotomy inherent in the rapid rise of mobile devices in the enterprise: they simultaneously present significant opportunity for business transformation and the most daunting information-security risk.
Corporate boards must be more diligent and proactive in driving secure enterprise mobility strategies, or they put at risk the core information and reputation of their companies. Mobile technology can streamline business processes and drive greater efficiency, open new channels for engaging customers and generate new revenue opportunities. However, mobile technology also is spawning security risks, with 38% of mobile users experiencing some form of cybercrime, according to a Symantec report this year.
A recent BlackBerry study found that respondents see mobile devices as the weakest link in an enterprise security framework. In fact, Gartner predicts that by 2017 the primary focus of endpoint breaches will shift to smartphones and tablets. Organizations also worry that they underestimate risk because they focus on the device rather than their enterprise's entire enterprise mobility landscape.
A different survey, this time of consumers (a 2013 Norton report), found that half of respondents use their personal devices for work, but they don't take basic security precautions — a fact made more nerve-wracking from a risk management perspective because 27% of those users reported having had their device lost or stolen.
Far-reaching implications
It's easy to see why mobile technology is such an attractive target for cyber-criminals. So how should boards respond?
The exploding use of mobile devices has far-reaching implications for businesses that require boards to take action now before the potential problems become too big to address. Careful governance now can provide executives with guidance and policies to exploit mobile technology for competitive advantage while minimizing the jarring disruptions new technologies have traditionally engendered.
Boards need to seize the opportunities, but know the risks. Mobile business processes will simplify the way our employees work, but they will also introduce a new level of complexity to managing and governing business. Why? Because business processes typically held close to the vest will now be heavily linked to the outside world in new ways, riding public networks and airwaves to interact heavily with digital data from the marketplace and social media.
This can be a very good thing, as modern data analytics will provide far greater insight directly from the market and new levels of both efficiency and productivity for the transaction of business, but it can also expose us to hacking, malware and other security and administrative nightmares.
Ripe for targeting
Internet and mobile applications create and consume vast amounts of data from heterogeneous sources. This is a fount of knowledge for business forecasting, customer service and other business processes, but the disparate nature of those data sources and the increasingly mobile-enabled access to the data make these repositories ripe for targeting.
Now think about the even greater opportunities and risks associated with the Internet of Things [IoT]. The connection of billions of “things” — not just mobile devices, but sensors, cameras, appliances, vehicles and much more — will be fertile new ground for cybercriminals.
Today's data breaches and hacks can disrupt business, wreak havoc on financial markets, and cause the loss of vital personal or corporate data. In the hyper-connected world of the IoT, where your customers are connected via smart home devices, connected cars and wearables, it's not just your customers' bank accounts that could be vulnerable — it's their very health and safety.
Once again, businesses will have to balance heavy external innovation with equal internal process normalization. That means governance. In this extended environment, mobile will not remain just a technology challenge — it becomes a risk management and corporate governance challenge.
The good news is that boards are more aware of the issue than ever before. Cybersecurity was cited as one of the “top 3” concerns among directors in a 2013 survey (EisnerAmper Fourth Annual Boards of Directors
Survey), while more than a third of directors and C-level executives said they believe cyber attacks “threaten their business model” (Deloitte, 2013).
Growing concerns about secure enterprise mobility
⢠Just 1 in 3 organizations (35%) are very confident their organization's data assets are fully protected from unauthorized access via mobile devices.
⢠On average, 41% of sensitive data is potentially exposed or at risk given their existing mobility policy.
⢠59% say the number of data breaches their organization has experienced through mobile devices has increased in the last 12 months.
⢠68% believe that mobile devices are the weakest link in their enterprise security framework.
— BlackBerry Mobile Risk Tolerance Study, Sept. 2014
Action steps
But more boards need to move from awareness to action. Here are my thoughts on how to do just that:
⢠Review and update the enterprise mobility strategy. Boards must understand that enterprise mobility needs to be managed as a distinct strategy. Even if a company has adequate cybersecurity measures in place, the rapid introduction of new mobile technologies can drastically impact them. In the absence of a strategy, the company's mobility initiatives might be driven by employees, without clear direction, agreement on outcomes and assessment of risks.
⢠Set parameters and start small. If a company is behind the curve in implementing an enterprise mobility strategy, boards should consider setting limits early on in the implementation of new mobile technologies and start with a pilot project entailing a specific business case and a small number of users. The pilot can be used to assess the impact of mobility solutions on the company's operations, costs and risk profile.
⢠Step up oversight activities. For companies that are further along with an enterprise mobility strategy, boards must increase their oversight activities, including reviewing the resources allocated to privacy and security initiatives — both budget and personnel — as well as getting regular updates on breaches and potential risks. If the board doesn't know who at the company is responsible for the enterprise mobility strategy and cybersecurity risk management, it is already in a vulnerable position. Boards should be demanding regular updates to cybersecurity measures that reflect the ever-changing mobile landscape. And those updates need to assess risks across the whole supply chain since a failure by a supplier can be just as devastating as an internal problem.
⢠Assess board member expertise. Boards should also be looking at themselves to assess if their makeup or the makeup of the audit committee includes the technical expertise needed to understand if the enterprise mobility strategy balances the opportunity with the potential cybersecurity risks. If there are gaps in this expertise, boards should consider an appointment that brings the knowledge and experience needed to advise management about the challenges of secure enterprise mobility.
⢠Look for outside advice. Yet another way to address the expertise gap on boards is by bringing on an advisor or having members and management undergo training. Boards can also consider using external auditors to identify security risks associated with enterprise mobility strategies.
⢠Align internal resources. It is also important to align the organization to address the opportunities and risks associated with enterprise mobility. Boards should cultivate a culture and processes where business heads and information technology and risk management specialists collaborate in the creation and management of a secure enterprise mobility strategy. Together they should be tasked with presenting a comprehensive profile of enterprise mobility reputational risks to senior management.
My best advice is a reminder that even the most successful organizations can underestimate the power of mobile technologies to both build and destroy value. Boards must gain a deeper understanding of these risks and rewards, and play a proactive role in aligning their organizations, setting policy and establishing governance over potentially runaway issues.
Boards: Step up, don't be shy
A turnaround is hard work and requires an engaged board.
No matter how good business is, no matter how happy customers are, every company hits tough times sooner or later. Boards are crucial in setting the right conditions for senior management to forge a stronger organization.
Take it from someone who's been there a few times: While there's no easy recipe — Tolstoy's famous words about families hold equally true for companies — there are common traits among the boards I have worked with during a turnaround.
First and foremost is a recognition that turning around an organization in a funk requires as much common sense as fancy economics. It's hard work under trying conditions and it is of utmost importance that a board engages.
While it's essential to give senior management the latitude it needs on the strategy and implementation, a unified and active board does not shy from offering its guidance and expertise. Every director should add a unique piece of experience or wisdom. For example, I look forward to input from my board because I know they possess a variety of insights from their own distinguished careers.
Indeed, a diverse board is essential. Boards should be collaborative, but never put harmonious meetings above ensuring that directors bring a wide range of hard-earned knowledge. If a board lacks the requisite skills to adapt to changing conditions, it's incumbent on directors to add members or make changes. I've had the pleasure of working with boards that do not hesitate to add skills in the form of new directors.
A diverse and engaged board can ensure that the same holds true of its senior management. The right men and women in the C-suite are crucial to ensuring that every hour of every day is spent working toward the right goals. Boards that step up to the challenge of a turnaround empower their executives and hold them accountable. I've said in the past that an urgent, obsessive focus on getting it right can mean the difference between a successful turnaround and a lot of wasted effort.
That urgent, obsessive focus starts with strategy. What is it about your company that makes it worth saving? What is it that makes your customers want to be part of your turnaround? Take the time to reestablish that connection through research and customer meetings. Customers want you to succeed and often know the problems better than your own management. For example, the specific conditions at Sybase and BlackBerry — two companies at which I've led turnarounds — were very different, but the core drivers of success are similar: Sybase and BlackBerry earned the trust and affection of core customers. Crucial to rekindling that trust and affection are innovative products and services that fit new niches.
Once a board and its senior management understand where the company needs to go, the really hard work starts — applying that same urgent, obsessive focus on getting it right to execution. That is where we are at BlackBerry, and I am reminded every day that customers, shareholders, suppliers and employees are counting on us to make it work.
The same is no doubt true of your constituents. They are counting on you and your leadership team. During tough times, board members need to commit to execution with the same passion and determination as if their net worth depends on it. The choices made in the boardroom have significant impacts on thousands of families, so it's vital that directors act as if their families are among them.
As I said, there is no single recipe to a successful turnaround, but there are common ingredients: the right people with the right skills willing to give their all to prove that what made your company successful is worth saving.
Bill McDermott to John Chen: ‘This is a big, big play'
Ed. Note: The following is an excerpt from Winners Dream: A Journey from Corner Store to Corner Office by Bill McDermott with Joanne Gordon. Copyright ©2014 by Winning Dream LLC. Reprinted with permission of the publisher, Simon & Schuster (www.simonandschuster.com). McDermott is CEO of SAP, the world's largest business software company. In this passage from his new memoir, he describes how SAP's 2010 acquisition of Sybase Inc., then being led by John Chen, came about.
Blown away. That's how I feel after checking out a new mobile application on my brand-new iPad as I sit in the backseat of a car, on my way to a trade show. Apple had not launched its tablet yet, but SAP already was jointly developing a new mobile customer relationship management (CRM) product with Sybase, a database and mobile technology company. A number of our customers, I'd been told, were already so impressed that they were placing orders. Now I know why. The look and feel of the interface on the screen is so beautiful, like nothing SAP has produced. Back in my door-to-door sales days, I would have loved this tool. Now it's what SAP needs, for itself and for customers.
I get on my phone to call Sybase's CEO, John Chen. We've known each other for years.
“John, it's Bill. Have you seen the prototype? Have you seen how good this thing is?” I am almost wiggling in my seat. John agrees that it's very special.
“John, we need to talk,” I say. “SAP needs to have a closer relationship with Sybase.”
“Sure, Bill. What do you have in mind?” he asks. “A joint marketing or sales agreement?”
“No, no, no. Closer than that.”
“Okay, you want to resell it?”
“No. Closer.” I hear John laugh lightly.
“Do you want SAP to invest in Sybase?” he asks.
“Nope. Closer than that.” He becomes quiet. We both know there is only one step closer.
“There are times when dating is a great idea but times when getting married is even better,” I tell John, about to present an idea that I had discussed with SAP's board. “We should think about getting married. How would you feel if SAP bought Sybase?” I count silently to myself, One one-thousand, two one-thousand â¦
Finally, “John, are you there?”
“I am intrigued,” he says, “but I am not there right now.”
Sybase was not a company in play. It was doing well, generating cash and a number of John's own initiatives were just taking off. I knew how much he enjoyed running his own organization, having turned Sybase from a loser to a winner since taking over in 1997. John also was a straight shooter and a pragmatist. I knew his personal history. Like mine, his family had faced its own struggles, and as a result, John faced life with a perpetual optimism as well as a strong work ethic.
“John, in all friendship and humility, this is a big, big play.”
“Let me think about it, my friend,” John says. “Let's talk after the quarter closes.”
In April, after Sybase announced its strong quarter, I called John again. Eventually SAP presented Sybase with a purchase price, and John took the offer to his board of directors.
The deal needed to be done quickly and quietly. The only reason we could even fathom getting away with it was that John and I trusted each other. I trusted that no significant problems would crop up once the deal was done. In turn, John trusted that I would ensure SAP saw the deal through.
On May 12, 2010, less than 60 days from the moment I first called John from the backseat of that car, SAP announced that it would buy Sybase for $5.8 billion.