This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, presents cybersecurity-related questions directors should consider in discussions within the board, with management, and with other interlocutors regarding emerging technologies and their impact on the organization’s strategy.
Strategic Impact
High-performing boards address emerging technologies as part of their board agenda, with many often actively seeking technologies with the potential to be disruptive or transformational in their market. They deliberately align the introduction of new technologies with the organization’s purpose and values. Strategic decisions for the board include whether to posture the company as an early adopter, to move with the market, or to stand fast.
As technology providers race to deliver capabilities to the market, cybersecurity protections in their products and services often fall subordinate to other requirements, exposing their customers and users to unexpected risks. Accordingly, boards should clearly recognize cybersecurity requirements of emerging technologies as a core element of the organization’s long-term strategy, define the board’s role in technology and data oversight, and ensure the board is postured to provide effective technology governance.
Questions Boards Can Consider About Emerging Technologies
- What role does the board have in evaluating the strategic landscape for emerging technologies that can impact our business?
- Do we have the right board composition and organization to provide timely and effective governance and oversight regarding the identification, technical appraisal, business impact, and risk assessment of emerging technologies?
- Does the board have the right talent and experience to effectively govern the introduction of new technologies into our business in a manner that does not compromise our cybersecurity requirements? What are the gaps?
- Do we have sufficient access to information from a variety of independent sources to make informed decisions regarding the cybersecurity impacts/risks of the proposed new technology?
- Are our existing cyber-risk management processes sufficient as disruptive new technologies are introduced into the marketplace? If not, what needs to change?
- What is our cyber-risk appetite toward the adoption of emerging technologies into our business? Is the method of determining our risk appetite adequate in this environment? Does this align with our enterprise risk appetite, threshold, and tolerance?
- Do we need to create a dedicated committee or subcommittee to provide deliberate focus on cybersecurity risks? If so, do we have the right talent composition to be successful?
- Do we have the right people in place on our executive team to effectively and efficiently introduce emerging technology with the right cybersecurity capabilities to support our strategy? Are our CEO, chief information officer, and CISO capable of successfully overseeing such a project and integrating it with our strategy?
- Is our executive team properly organized to introduce new and emerging technologies with sufficient cybersecurity capabilities to support our business strategy? What are the gaps?
- Does our executive team conduct sufficient competitor analysis and market research to identify the cybersecurity risks and opportunities of emerging technology? Do they deliberately share that information with the board?
- Is our executive team challenging itself by constantly evaluating our strategy against market forces? Does our competitive analysis program include cybersecurity assessments?
- Does the executive team actively maintain relationships with trusted and recognized technical experts and organizations to gather independent assessments of emerging technologies?
- Is the executive team an eager and competent participant in modeling and testing cybersecurity and other risk assessment planning assumptions before introducing emerging technology into the business?
- Are we bold enough to test something that may fail, learn from it, and keep trying?
- Do we understand the risks and opportunities to our business and how quantum technology impacts our business strategy and ultimately its long-term growth and viability?
- Are we able to effectively interpret and assess management and third-party presentations on quantum technologies, as well as their answers to our questions?
Questions Boards Can Ask Management About Emerging Technologies
- How are you surveying the strategic landscape to identify and assess emerging technologies that could potentially disrupt our industry?
- What are the emerging technologies you have identified as most critical to our business and why?
- What are our competitors doing with these new technologies, and how is it impacting them?
- How does the introduction of this technology affect our business strategy and position in the market? Our supporting cybersecurity strategy? Do we need to rethink our strategy?
- Have we broadened our aperture to evaluate various competing technologies to identify the best contenders and minimize our risk exposure?
- How are our investments in new emerging technologies aligned with our strategy and business forecasts? What are the trade-offs? What changes will we make to fund the new emerging technology initiative?
- What are the cybersecurity and other risks to our organization if we adopt this technology? What is the risk if we do not? How do you know? What data do you have to measure the risk?
- How capable are the cybersecurity protections of this new product or service in today’s contentious cyber environment? How do you know?
- What are our cybersecurity requirements when contemplating the acquisition of emerging technologies?
- What third-party cybersecurity risks are associated with this new technology?
- Has the emergent technology been subject to an independent third-party penetration and red teaming test protocol? What were the results?
- How can we effectively and efficiently mitigate cybersecurity risks associated with emergent technologies?
- Do you have a future-proof technology roadmap that incorporates this emerging technology and includes cybersecurity capabilities? Is the roadmap congruent with our investment strategy?
- Does this emerging technology enable us to reduce costs by retiring legacy systems and processes? If so, which ones, and what are the savings?
- What effect will the introduction of practical quantum technologies into the marketplace have on our business? What is the impact on our business if a quantum computer can decrypt all our data?
- What means of modeling and simulation are there to assess our current strategy’s effectiveness in a post-quantum world?
- How prepared are we to thrive in a quantum-enabled marketplace?
- What is our risk exposure if all our data can be decrypted by quantum computers? How much will it cost in time and resources to implement post-quantum cryptography?
- What decisions do we need to make to remain competitive in a quantum-enabled marketplace?