C-Suite Network™

Categories
Best Practices Growth Health and Wellness Human Resources Management Technology Women In Business

Use Technology to Unplug from Technology

Distractions are everywhere. For a lot of employers, they are killing productivity. A recent study by CareerBuilder offers the top productivity roadblocks in the workplace.

  • Cell Phones/texting
  • The Internet
  • Gossip
  • Social media
  • Email
  • Interruptions from coworkers
  • Meetings
  • Smoke breaks/snack breaks
  • Noisy coworkers
  • Sitting in a cubicle

Are you ready to increase your daily value and the contributions you bring to the workplace, reduce your stress and contribute to boosting profits? Pay attention to these seven productivity strategies and stop killing time:

Extinguish Email. Too many of us are guilty of allowing email to dictate our daily tasks and priorities. It winds up stealing focus and tempts us to venture down paths that aren’t aligned with the priorities we’ve established as necessary for the day. Utilize tools, such as Glip, to minimize the unnecessary back-and-forth chatter email creates. It cuts down on the keystrokes required to draft and send messages and on the clutter that endless back-and-forth emails generate, and it helps teams get organized in their communication strategies.

Own it. Be honest with yourself. Consider what you’re allowing to become a distraction, keeping you from remaining focused. Is your phone, with its never-ending barrage of text messages, personal phone calls and messages, distracting you? Consider implementing the Moment app. It tracks just how much you’re on your device and allows you to set time limits so you start to step away from the 24/7 phone attachment and step into the present, productive moment.

Be hyper-conscious of what is on your task list this week and prioritize, prioritize, prioritize. What five things are non-negotiables and absolutely have to be accomplished first? What can you delegate? What is just a time-waster and not vital to your vision? Knock those projects out first. The accomplishment will reduce your stress, give you a sense of completion and allow you to move on to other tasks requiring more time and creativity.

Nix the Internet. If you’re anything like me, it’s easy to put off what needs to be done in exchange for a few moments surfing Facebook, Pinterest, YouTube or checking personal emails. Before you know it, you’ve been sucked into a time warp, sacrificing productivity and valuable time. Take a look at the Freedom app, which blocks certain personal websites (including time-draining social media) and allows you to set controls so you can stay on task.

Time-Block. Use your schedule to work with you. Carve out times for periodic breaks where you can check personal messages, social media, get a stretch or go for a walk. Taking mindful breaks will allow you to maximize your focus when it is time to work.

Be clear. In some of the most productive workspaces I know of, team members get creative about sharing when they are in focus mode. Clearly communicating when you are in “do not disturb” mode is vital. Some have signs up when they are on prospecting calls, for example. Others use headsets to buffer the noise around them and signal they are “in the zone”. My organization uses Glip’s feature to indicate when we are not to be disturbed, away or available. Using the tool’s feature helps share with coworkers when you are ready to chat or when you’re in focus mode.

Be mindful. Getting caught in a trap of office politics, gossip or personal chatter can not only be unproductive to your reputation, it can be a real time suck. Utilize days of the week or hours within the day to work remotely when possible. Capitalize on tools like Glip to stay connected without being physically interrupted and sidetracked in your day.

Pay attention to what’s pulling at you. What’s taking you away from bringing your best and brightest self to the workplace? Don’t let daily time killers get the best of you and your ability to accomplish what is necessary for success. Which of these strategies can you put in place today to change how you deal with distractions?

 

Categories
Best Practices Growth Management Personal Development Technology

Back to Basics

In the spirit of the recent Super Bowl, let me ask you this: Do you think the Patriots or Eagles would have made it to the big game if coaches Bill Belichick or Doug Pederson didn’t focus on the basics first? How about legendary coach Vince Lombardi, who after losing to Philadelphia in the 1961 Championship game (before there was a Super Bowl) started the next season holding up a football and saying “this is a football,” then continued to work on the basics of blocking and tackling for the rest of training camp? His team won the Championship title six months later.

Whether you are in pro sports or cybersecurity, getting back to basics is essential. However, in modern times, organizations seem so focused on new technology or cutting costs that they have forgotten about the cybersecurity basics.

When talking about cybersecurity basics we are talking about three things: People, Processes, and Technology.

We start with people because people are your first line of defense against a cybersecurity incident and, as security professionals know, they are unfortunately your weakest link. They are your first line of defense because they can see anomalous behavior and activity, and they are your weakest link because they often don’t know what they are looking for.

Ransomware payouts of 5 billion dollars were made in 2017, with predictions for 11.5 billion by 2019. This attack is often successful because an innocent user clicks on the wrong link in an email or visits the wrong website.

This means that getting back to basics with people is all about good, consistent, and frequent security awareness training. Letting your workforce know that they are the front line defense against a cyber attack will pique their interest; they will want to learn more. Reminding them of their role and providing them with the knowledge they need to do something about it is the key in getting back to basics.

Make sure they know what to look for, what to do or not do on their computers, and how to report anything suspicious. Reward them for staying on top of security, give them some skin in the game (no pun intended.)

When you rely on that one annual security awareness computer course, you are missing out on the basics. Your entire team needs regular training if they are going to be sharp on game day, which is every day in the defense against the cyber attacker. And don’t forget that your employees who do have a job description that includes security need additional and ongoing training above and beyond what everyone else is getting.

We now move to processes because this is what people do daily for their jobs. It’s the process that gets data from point A to point B and the process can be manual or automated.

So what do processes have to do with cybersecurity? Processes are typically created by users who are trying to make their jobs easier (that’s fair) and have not given thought to security, which makes sense since it’s not what they are trained to do. However, in creating those processes they don’t realize that they are creating security risks.

The solution is providing the business user with the knowledge that while they own their process, they also have a responsibility for ensuring the process is secure. That means providing a way for them to determine easily if their new idea needs to be run by a security expert before implementing. Basically the players here (your users) need a coach (security expert) to run the play by before they run it on the field during the big game.

Last, but not least is technology and while many people think that technology should come first in protecting data it actually comes last. More on that in Security is Not an IT Problem.

This is about to get more technical and if you are a non-technical executive I implore you to read it and then talk with your technical advisors to determine how your team is doing on the technology basics.

From a technology perspective getting back to basics means ignoring all the new flashy technology on the market today. IT decision makers are inundated with fancy names, and terminology like cloud, artificial intelligence, threat modeling, next generation, ransomware, zero day, phishing, data loss prevention, and much more. This can divert their attention towards the new technology and away from the basics.

Patching is as basic as it comes for technology and something that has been around as long as there have been computers. However it is still not applied consistently within organizations and has been pointed to as the cause (there is never just one cause) for the Equifax breach. Only two months behind in applying the patch doesn’t seem like a big deal until it becomes one of the key reasons you lose 143 million customer records.

Back to the football analogy: when you know there is a patch available and you don’t apply it, it is like the coach and players knowing there is a hole in their defense, knowing the quarterback can run right through it for the touchdown, and yet not making any change to fix the play.

There are many other basics when it comes to technology, like password controls, user access controls, encryption, firewalls, and anti-malware software, to name a few. None of these are new; they all have had technology to support them for a very long time, and yet many organizations are not focusing on these basics. They allow users to have the same password for years, they don’t control the access levels that users have and often allow administrative access to non-administrative users, they don’t encrypt sensitive data, they have wide open firewalls, and they don’t install anti-malware consistently.

I warned you, that last section might have been Greek to you, and that’s OK because you don’t have to know what it means. All you have to do is have someone in your organization or a trusted advisor you can consult with to ensure the basics are covered before you start purchasing all the new whiz-bang technology.

Start with the basics: people, processes, and technology, and build from there, because you can have all the fancy technology in the world, but if you are not covering the basics you are still wide open to the offensive team making play after play. In other words, you are allowing the hackers to come in and take whatever they want.

If you have questions about the basics email sharon@c-suiteresults.com. If you don’t have a security team and want more information on how Virtual CISO services work, which are designed to help small and medium size organizations maintain their security and compliance posture reach out so we can talk in more detail.

Categories
Accounting Best Practices Entrepreneurship Health and Wellness Industries Management Marketing Skills Technology Women In Business

Maximize the First 30 Minutes of Each Day

How do you set the tone and maximize productivity at the beginning of each day? Do you give yourself space to map things out or are you more of a wing-it kind of person? I believe how you START your day sets the intention and momentum for how the rest of the day will transpire. When you begin with 30 minutes of focused attention to what really matters most, that time will pay generous dividends by the end of the day.

Here are strategies to maximize productivity and ensure a successful day in the first 30 minutes:

  1. Turn OFF your phones. It’s all right. That magical device that is glued to your hands seemingly every waking minute of the day, delivering phone calls, chats, text messages and emails at an often-alarming rate, does turn off. So does the desk phone! Take 30 minutes to create space for focus. It will all be there when you turn it back on. It’s just an hour. And there’s voicemail! If it’s important, they’ll leave a message or call back. If you want to maximize productivity, turn off your phones.
  2. Close your door. If you’ve got one. This sends a signal to your team (or your family if you are a work-from-home entrepreneur) that you are unavailable unless there is an emergency. If you are new to the practice, educate your team on what procedures you want to have in place when your door is closed. Once everyone is on board that this is your time to create, get strategic, work a business plan, and map out your day, they’ll recognize the importance. Especially when they see the RESULTS. If you are forced to work in an open environment, consider headphones. I used this technique in one organization, and people eventually got the idea that when your headphones are in, it’s the equivalent of a do-not-disturb sign.
  3. Use smart time-blocking. My recommendations? Book all meetings to start after 9:00 am. If you’ve always had early morning meetings, this might be a tough change, but if needed, can you start your “clock” an hour earlier to ensure that you have a full 30 minutes to complete your planning?
  4. Start off-site if possible. Can you complete your 30-minute mindset and strategy session BEFORE you walk through your office doors? That way when you are actually in the office, you hit the ground running. Once you’ve mastered this, teach your team. Once they’ve mastered it, your Key Performance Indicators (KPIs) will go through the roof. A study done by Ctrip shared that remote workers are able to complete 13.5% more than their comparable office workers. How’s that for food for thought?
  5. Quit the clutter. Seriously. Inboxes. Coffee cups. Paperwork piles. These distractions are stealing brain bandwidth and steering your attention away from streamlining your day. Out with them!  Maximize productivity by decreasing visual distractions.
  6. Check off that early morning workout. If you can muster it, get your exercise out of the way first thing. Start small if you have to (15-30-minute increments) but do start. You’ll feel like you’ve already checked one big daily goal off your to-do list! Cheers!
  7. Nip the gossip in the bud. Honestly, gossip is one of the biggest time, energy, and productivity drains an organization can have. We Aussies call a gossip a “flibbertigibbet”. Studies show that 39% of workers admit that gossip and workplace chat are their biggest productivity killers. Another study conducted by Equisys also shared that the average employee spends 65 hours a year gossiping in the workplace! Cull this invasive “thief” from your company if you truly want to maximize productivity.

Starting your day in planning mode will help you stay focused, on track, and set the right tone for not just your day – but that of those around you. Lead by example. Pay ATTENTION to the INTENTION you set for each day. Your productivity, profitability, and bottom-line results will reflect your efforts!

Categories
Growth Management Personal Development Technology

Do or Don’t Do, Complain is Not an Option

Recently I wrote an article about why compliance is good and how it can drive security. After I wrote it I saw a conversation on LinkedIn where security professionals were talking a lot of crap about compliance and I thought, “Was I wrong?” That was a fleeting thought and I knew I wasn’t wrong in what I had written, but I also knew that we can’t keep complaining about the situation, talk shit, or roll our eyes; we actually have to do something that will impact change or we are just part of the problem.

So what can we do about making a change so that compliance has a positive impact on security?

Let’s start with the reason compliance gets such a bad rap. Security professionals don’t see compliance help improve the security posture of an organization, and organizational leaders see it as a cost for something they don’t understand.

It looks something like this: 1) the organizational leaders have a bad attitude about it, thinking “it won’t happen to me” and do the bare minimum for compliance in order to stay in business and avoid fines, 2) businesses are run by business people and they may not truly understand there is a difference between compliance and security, and/or 3) due to the attitude or lack of understanding they don’t provide the resources needed (people, budget, time).

For the leaders, let’s be real: anything that can happen to the other guy can happen to you too. If Target, Sony, Whole Foods, Equifax, and so many more that it would take an entire article to list them all (you’ve read the headlines) can be hacked, so can you.

For the security and compliance professionals, if executives don’t understand the difference between compliance and security, are we really doing our job? Are we making their lives easier or harder? Are we just selling them something and leaving, or are we really advising and consulting?

No one in this world is immune to bad things happening, but these two groups together can do something to improve the odds.

When these two groups come closer together in understanding, conversation, collaboration, and implementation we will actually start to move the needle.

The point of this short article is not a big how to list or more checkboxes. It is an awareness piece. If you are reading this as an executive you have a responsibility to learn more about how compliance and security are implemented in your organization. You must provide the necessary resources.

If you are a security or compliance professional how can you help your clients navigate this so that it isn’t so hard, so expensive, and so daunting? What can you do to help them operationalize security and compliance and make it part of doing business?

I don’t have all the answers, no one does, but we have to start talking about it. We have to stop complaining and start acting. We don’t have to know how; we just have to know it’s possible and that it’s important, but we have to start having different conversations. What problem are we really trying to solve and who wants to take real responsibility for solving it?

If you want to further this discussion I welcome a conversation, I want to help come up with the answers that I don’t have. I can’t do it alone because there are much smarter people than me out there. But until enough of us come together to solve the problem and for that matter identify what the problem really is, not much is going to change.

Email sharon@c-suiteresults.com so we can talk in more detail.

Categories
Growth Leadership Personal Development Technology

Check Your Email Please

As part of my social media advisory business I send out a monthly newsletter.  This month I noticed something as I reviewed my mailing list.  I was surprised to find dozens of people on my list that still have old school mailing addresses.  We are talking AOL, Hotmail and others.   Not only do some of these people possess these addresses, but they publicly display them on professional social networking sites, such as LinkedIn, as well as their business websites.

First impressions matter, and often people’s first impression of you is via Email, or a display of your email address.  The first impression these folks are giving is that I am older and not very technologically savvy.  In a business world where digital is everything, and ageism is rampant, this is the last impression you should give.

The movie “You’ve Got Mail” came out in 1998, near the peak of AOL’s business, which steadily declined in the new millennium. Ten years later, articles started appearing about how old-fashioned AOL users were. Now, 20 years later, why are folks still using these outdated addresses? I asked a few of my subscribers, and here is a sampling of their responses.

“I didn’t think it really mattered.”  I wish it didn’t, but it does!  Another common response included “inertia.” One person told me “Warren Buffett doesn’t even have an Email address!”  Yes, but Warren Buffett became one of the richest men in the world BEFORE email was even invented.

Lastly, some said “my current AOL (or Hotmail) account is established with my friends, family and business associates. I don’t want to lose those contacts.” This is a fair, but manageable concern. No one wants to disrupt connections unnecessarily. But you can keep the same address for current contacts while presenting a contemporary one for new ones.

AOL users can set up a Gmail account that forwards messages from your AOL address to your new Gmail account. Old friends and colleagues don’t have to change addresses, while you look contemporary to new people. Hotmail users can do something similar with more contemporary Outlook addresses.

If you have an AOL or Hotmail Email address, it is time to come into the 21st century.  A contemporary e-mail address will improve the impression that you make with new friends and colleagues.

Now, can we talk about that MySpace account?

Categories
Marketing Personal Development Technology

Give Me Another Dollop of That AI

You can be forgiven if the way we talk about Artificial Intelligence makes you think you can order it up like a scoop of ice cream. It seems that way because we constantly read that:

  • AI solves all our problems
  • AI experts cost an arm and a leg
  • AI analyzes data than any person can
  • AI will make us all unemployed

While each of these statements might turn out to be true (well, we hope the last one is wrong), they all suffer from the same problem. They act as though all AI is the same. That all AI is one monolithic thing that can be added to any system if you just have enough money.

It’s not true.

First off, there are many different kinds of AI applications and they require different techniques. Voice recognition is not the same as text analytics is not the same as optimizing search results. These applications are different from each other and they use different techniques to perform their “magic.” Most of them use multiple AI techniques. And they usually depend on the existence of data.

I have been phoned up by more than one expectant client who wants to solve this problem or that problem with AI. Often, that is perfectly reasonable, but just as often I have to tell them they need to take several steps first. Often, they need to set up a standard process that collects data in a standard way so that the AI techniques have something to work with. Luckily, even taking these initial steps has business value, if you do it right, so the clients are usually easily persuaded to move forward.

Wanting to use AI is not a problem. Forward-looking organizations are always pushing the envelope and AI is just the latest way to do it. But let’s make sure that we are getting the business value we expect and that we are ready to take the preliminary steps to get there. We shouldn’t make AI a problem looking for a solution.

Categories
Best Practices Growth Management Personal Development Technology

Compliance – Is It Really Such a Bad Word?

Does the word compliance make your skin crawl, send shivers down your spine, and make you want to run for the hills? It seems to do that to everyone I talk to, and therefore, I want to change the story and tell you why compliance, when viewed through a different filter, can be the catalyst your organization needs in order to improve its security posture.

There are so many compliance regulations, both government-mandated and industry-mandated, that it is hard to find an organization that does not have at least one acronym they have to be compliant with. Whether it is HIPAA, PCI, FFIEC, FedRAMP, DIACAP, NIST-171, GLBA, NYCRR 500, FISMA, SOX, GDPR, etc., there is a better-than-good chance you are on the hook for at least one of them. And why has this happened? It’s because when left to their own devices, organizations in just about every industry are not taking security seriously and data breaches continue to get bigger and bigger, affecting more people, costing millions and billions of dollars and, depending on the industry, even putting lives in danger.

Some of these regulations can literally put you out of business if you fail to comply, and even with that threat people call me saying they need to be compliant in the next three weeks. Instead of creating and maintaining an ongoing compliance program they say, “What do I need to do to be compliant and avoid the fine? Oh yeah, and it needs to be done in the next three weeks.” They are looking to meet the bare minimum standard, check a box and move on, and that is when compliance feels dirty and doesn’t solve the problems it was set up to solve.

The reason compliance feels like a four-letter word and makes most people cringe is the way that it is commonly handled.

Smaller organizations often don’t have the staff to properly secure their networks and data and have often outsourced everything technology related to a third party vendor. They are in “fire and forget” mode, meaning that as long as the systems are running and nothing strange happens, they figure everything is fine and they don’t discuss security or compliance with their vendor. The challenge with this model is that security is being left up to a third party and unless you are paying extra for a secure solution, most of the time the vendor is not providing much if any security solutions. It’s only when the organization finds themselves on the hook for compliance that they start asking their vendor the security questions they should have been asking from day one. As a result the compliance requirement helps drive their security going forward. If you are a small business who has outsourced your IT to a third party, I strongly recommend having the security conversation early in the relationship, preferably before hiring them.

Even large organizations who have a security team and a large IT department do not approach security in a systematic or strategic way and they also get complacent. The mentality from executive leadership seems to be that as long as everything is working and they don’t hear of any problems, then everything is okay and they don’t have to spend money on security. But is it okay? There are reports that indicate 50% of organizations will fall victim to some sort of breach and only half of those organizations will even realize it. As we often say in the security business, it’s not about if you are breached; it’s about when and whether you will even know about it or be able to respond. It is compliance for these organizations that is often how security teams and technology groups are able to get the budget they need for security.

Regardless of the size of your organization or the industry you are in, when compliance is viewed as an annual audit, which is how many people view it, and someone in the IT department or worse in the Finance department is told they are responsible for ensuring the compliance work is done on time in order to avoid any fines or penalties, it leaves a bad taste in everyone’s mouth. This type of attitude results in everyone spending the next two months working around the clock to validate compliance and do their day job.

Once you realize that compliance is never an annual audit or a one-and-done effort, but rather an ongoing program that has to be built into daily operational procedures, it can stop feeling like a fire you have to keep putting out. During the process of ongoing compliance you are improving the security and longevity of your organization and protecting, in some cases, the health and livelihood of your customers.

Of course post-breach remediation lights a fire under everyone’s ass to get their security up to par, and as such it’s as compelling a motivator as you can get, but it’s also the worst possible motivator to face and why compliance should be seen as a good thing rather than a bad word. Not only does compliance provide the necessary budget and attention you need for your organization, it provides a systematic approach that can make implementing security more manageable so that you don’t have to face the post-breach clean-up, lawsuits, brand damage, etc.

When the story changes and compliance is viewed as a business driver, something that leads to a better competitive advantage, and everyone’s responsibility, it does not have to be so hard or “dirty.” When you have the right resources, whether internal or external, to help you set it up correctly from the start, teach the organization what it means, why it’s important, and why their role matters, it becomes manageable.

If you are in business to stay in business and grow, security matters, and you will want to embrace compliance as a driver. As a consultant in this arena I work with a lot of clients where I come out knowing that they have made a real difference in their security posture and their future growth.

If you have questions about compliance or want to discuss strategies for making it easier, email sharon@c-suiteresults.com. If you don’t have a security team and want more information on how Virtual CISO services work, which are designed to help small and medium size organizations maintain their security and compliance posture reach out so we can talk in more detail.

Categories
Best Practices Entrepreneurship Management Marketing Skills Technology

BEing Seen and BEing Heard as a Thought Leader

When thinking about my first post, I thought that a link to my TED talk was a great way to start.

It covers several thoughts and ideas for your business. When I re-watched it this weekend, I wrote down twenty different ideas that stood out. Here are seven:

  • As a thought leader, are you sharing a message of service?
  • Trust comes from vulnerability, integrity & authenticity!
  • Are you being vulnerable & authentic?
  • Are you creating opportunities to be known, liked and trusted?
  • Are you screaming “Buy, Buy, Buy” on social media? It won’t work!
  • The microphone that everyone has with social media is really a headset, where you must listen more than talk.
  • Are you “truly” listening to your prospects and clients and changing your products and services as a result?

What do you think? What idea stood out for you when watching this talk?

Mitchell Levy is a people publisher that empowers thought leaders to share their genius. After a 2-hr interview to extract your genius, his team will write and publish your book in hardcover, paperback, Kindle, PDF, and AHAbook formats. To explore what this means for you, sign up for a 30-minute strategy session http://aha.pub/focused

Categories
Best Practices Growth Management Personal Development Technology

The CISO… Who?

I was interviewed for a podcast recently for a new show that is all about the business of information/cyber security, and the hosts asked me what I thought was the number one thing that should change in the industry. My answer had nothing to do with more secure software, better security awareness training, better patching schedules, anti-virus, or bigger security budgets. It had to do with the role of the Chief Information Security Officer (CISO).

Since cybersecurity strategy is one of the hats I wear, this was an easy question to answer. Until the CISO has the same seat at the table with the CEO and the board just like the CIO and CFO do, security within an organization will never be a priority. As I mentioned in my article The Culture of Security, security culture, like all culture, lives or dies from the top down.

Most people I talk to outside the security industry have never heard of a CISO, but they can tell me what the CEO, CFO, COO, and CIO are. When I tell people that I am a virtual CISO, I often get blank stares or the question about what’s a CISO.  What this tells me is that security is still taking back stage in the landscape of business strategy and priority.

I talk to a lot of CISOs and hear their stories; more often than not they tell me they report to the CIO, and that rarely if ever do they get in front of the board. When the CISO does not actually sit at the table with the decision makers, whether that’s the CEO and CFO or the board, and their message is filtered through another level or two before ever getting to the decision makers, the importance and context of their message gets lost. Moreover, if those decision makers have questions, there is no one at the table to answer them.

When the CISO reports to the CIO, which is the most common reporting structure, there is a real issue that needs to be discussed. The CIO and CISO have different, and even conflicting, priorities. The CIO is responsible for making data and assets available to support business functions. Funding is generally tied to performance of those assets in support of business needs. Conversely, the CISO is responsible for managing business risk, risk that extends to all responsibilities of the business and not just technology. The CISO may also recommend a level of protection for data and technology that negatively impacts the performance of those assets, a metric that is very important to the CIO. Reporting to the CIO will mean security decisions align with the protection of information assets rather than protection of the business, and only to the degree that it does not too badly impact the numbers the CIO is responsible for.

I’ve also seen where the CISO reports to the CIO who reports to the CFO, which has an even bigger impact on their contact with the board. Now the CISO is two layers removed from the top decision makers and strategists, and the person responsible for reporting the information is someone who does not have the background to properly communicate the message or answer important questions. The CFO is interested in budgets and return on investment, which is hard to see with security. The work of the security professional is often invisible, and it is very hard to prove ROI when the result of doing a good job, having the right people, and the right tools is no breach or no loss of data. It is very hard to tie the effect of no breach to the cause of a good security department.

Here are my recommendations for leaders who don’t want their brand on the front page of the paper because of a breach or security issue:

If you are the CEO or sit on the board of an organization and you believe that security is a priority, ensure your CISO reports to you or another independent executive who is looking at the organization as a whole. For example, the Chief Operating Officer, Chief Risk Officer, or General Counsel could be a good reporting structure as long as the CISO has the opportunity to directly brief the board at least quarterly.

If you are the CIO and you have a CISO reporting to you and you believe your organization should take security more seriously, talk to your CEO about moving the CISO out of your reporting chain. Even if you can be unbiased, it’s the right thing to do for your organization.

If you are a CISO or aspiring CISO for your organization, and you report to anyone other than the COO, General Counsel, Chief Risk Officer, or CEO, I would consider having this conversation with the executive team as a whole. Not because you don’t trust your CIO or whomever you report to, but because security is a real, current threat and they hired you to help create the strategy to stay secure. You can’t provide real-time direction if you are not riding in the same car as everyone else.

If you are looking to take a job as a CISO for a new organization, when you negotiate terms for the position, ensure that you report to the CEO, COO, or General Counsel. If they say no, it’s a sign that they might not take security as seriously as you want them to, and you might not be happy working there for long.

If security were just a simple part of an IT organization, it would make sense for a security executive to report to the CIO, and they wouldn’t need the “chief” in their title. However, since every part of the organization is reliant on security, and not just within IT, it is incredibly important for the CISO to sit outside of IT where they can have a view of and help the organization at large.

The intent is for the CISO to have an unbiased chain of command, access to brief the decision makers, and an opportunity to answer their questions. If security is important to your organization, this one change could have the real, lasting impact that you are looking for.

If you have questions or want to discuss the challenges of the CISO, email sharon@c-suiteresults.com. If you don’t have a CISO but want more information on how Virtual CISO services work, which are designed to help small and medium-size organizations maintain their security posture, reach out so we can talk in more detail.


Don’t Go Into a Proxy Fight with One Hand Tied Behind Your Back

After investing in its stock last summer, activist investor Bill Ackman of Pershing Square went after human resource services provider ADP. He proposed replacing the CEO and asked for Board seats. What ensued was a nasty proxy fight that played out on CNBC. Both sides peppered shareholders with webinars, letters to shareholders, highly targeted advertising, and more.

Ackman, who reportedly boasted that he “gets more clicks on the internet than anyone except Donald Trump”, also took to social media. He promoted his cause on his personal Twitter account to his 15k+ followers and created the ADP Ascending account specifically for the proxy fight. Some of ADP Ascending’s few followers were large shareholders of ADP. In addition, Pershing Square promoted the content on the account to targeted investors.

ADP ceded the social media battlefield to Mr. Ackman, despite the fact that the majority of Americans get their news from social media. Increasingly, proxy fights play out on the social media stage. Investment professionals use social media to keep tabs on current and prospective investments.

Other than a few business-as-usual tweets on its September Analyst Day, ADP did not mention any investor topics on its Twitter, Facebook or LinkedIn presences during the proxy fight.  Their content remained customer focused, which is understandable.  Why upset happy customers with board room drama that may never affect them?

Like Mr. Ackman, ADP could have created social media accounts specifically for the proxy fight. While short-term, issue-specific accounts rarely garner many followers, content on the account can easily be promoted to key investor stakeholders. Lastly, ADP CEO Carlos Rodriguez could have taken this on personally. Investors expect to hear from the company and the CEO. Unfortunately, Mr. Rodriguez does not appear to have any public-facing social media profiles, so he was absent from the social media discussion as well.

While ADP and Mr. Rodriguez were prepared in many channels, they were not in social media.  Unwilling to use their branded social media account to reach shareholders, they should have had alternatives in place well before the crisis hit.  One might have been a dedicated “news” oriented social media account that was geared towards investors and the news media.  Bank of America News is a good example on Twitter.

Another alternative is CEO Carlos Rodriguez. CEO social media accounts, if well managed, are a great way to communicate with shareholders who expect to hear from the CEO. But as PR Week notes, “a crisis is not the time to test whether the CEO is up to the task. Advance preparation is critical.”

Of course, ADP and Mr. Rodriguez came out victorious in the proxy fight.   But there are still lessons to be learned for others who may not be so lucky.  Here are three tips.

1) Build Relationships with Current Investors. Investor satisfaction is a resource you can tap into when things get ugly.

2) Prepare for Activist Investor Scenarios. While it’s impossible to identify every threat, consulting firms and other resources are available to help. Demands for social responsibility are increasingly common. Whenever possible, threats should be mitigated in advance.

3) Develop Draft Messaging and Communications Plans. Every attack varies slightly, so you will never get it 100% right… but you will be so much further along than if you had to start from scratch.

4) Ensure that You Have the Right Tools in Place. Do you have the right Communications and Marketing resources (internal or external) to execute your draft plan? Do you have the right communications platforms in place? Of course, this includes social media. Have you established well-followed social media accounts that can be employed during an attack? If this includes leadership, make sure that the CEO’s account is well established with consistent content, well in advance of any attack.

Activist investors and proxy fights can be huge distractions from the business.  But with planning and the development of foundational tools, you can be better prepared to take on the challenge.