Cyber Security | Henshaw/Vierra Management Counsel, LLC

The Words Which Must be Spoken and The Actions Which Should Be Taken

I have long harped that cyber security is a problem and that, because the HCM community deals with critical financial and personal data and large flows of funds, serious players should look at highly regulated industries and see what they and their regulators are doing to clean up their act.

The rules and regulations are beginning to pile up: federal, state, and local; governments, regulators, industry guidelines.  Some are helpful.  Some are expensive to implement.  More are finally coming.  Some have teeth in them which could cause banks and clearing houses to impose restrictions on their customers, including cutting access; some are more than implying that non-compliance and certain cyber security breaches, particularly by insiders, could constitute fraud.  Courts and insurance companies are beginning to reconsider how they need to respond to data holders' liability for breaches and mishandling of data, and how the quality of the security in place should be weighed in assessing responsibility and levels of harm.

Here are some policies and practices that are coming to the fore, and may help focus your attention:

  • Written Information Security Program
  • Incident Response Plan
  • Acceptable Use Policy
  • Account Access and Password Policy
  • Clean Desk Policy
  • Patch Management Policy
  • Portable Device Policy
  • Remote Access policy
  • Threat Protection and Monitoring Policy
  • Vendor Due Diligence Policy
  • Disaster Recovery Plan and Protocols (and testing)
  • Anti-Money Laundering Policies and Procedures

Some of these policies focus internally on the company.  Some deal with issues that frankly are new to the industries many companies use daily but over which they have little or no control.  How secure a customer's employee's mobile device is when they sit in a coffee shop using public wi-fi to access data on your servers and move funds around is one that haunts me, daily.

The Vendor Due Diligence Policy involves HCM companies in many ways: their vendors are, through them, vendors to their customers, and they use a variety of vendors to deliver their services, from regulated banks to a wide group of unregulated and lightly vetted API-linked partners.  If one is only as strong as one's weakest link, 360-degree due diligence seems pretty important, and it is still seldom seriously used.

I attended a technology conference recently.  It was not the first time.  The difference was that for years the conference was small, had young people gathered around electric plugs in the hallway, and the great event of the week was having a security agency put the most secure software they currently had in a room with the participants and time how long it took to break the code.  Never more than 40 minutes.  This time there were five times as many people, half of them looking for better people, developers, software, and merger candidates.  A sense of urgency is beginning to fill the air.

I think that the cyber problem may very well start to be addressed as the process audits that the banking industry primarily started are driven through the system to service providers.  Historically, the first couple of steps were pretty meaningless.  Remember the SOX 1 auditor who came in and asked you what you did, reviewed whatever you gave them, and then gave you a gold star when they saw that you did what you said you did, whether it was complete or not?  The second step began to actually set some templates which were based not on what you did, but on what you should be doing.  That was better.  The next steps will be much better.

Many companies are running penetration tests.  It's good, but not enough.  Running tests on legacy systems tells companies things they may or may not want to know.  In many cases the tests do not get specific enough on details to find all the weaknesses.  Few companies have wanted to even try to fix the problems.  But processes are getting better now.  Automation is here for scanning existing code, new as well as legacy.  It is improving security and performance levels.

But, companies need to go further to protect against new types of attacks.  Hackers work 24/7 to exploit systems to expose information or shut down systems.  Audits need to be broader and deeper, the audit results need to be reviewed for accuracy, and findings need to be faced and fixed.  The fixing gets to be more interesting as companies move control of their IT environment into the cloud, where they have little or no direct control but still bear the liability for loss of data or access, identity theft, etc.

We are making progress.  The conference showed me that more companies, owners and boards, regulators, and key process providers are getting involved.  I am seeing a lot more resources coming into the marketplace.  The cyber security industry is undergoing great change.  More and better tools are being developed.  Large amounts of data can be scanned.  Systems can be scanned for aberrant behavior very quickly to isolate issues and focus remediation efforts.  However, I want to see more developers and their sponsors get involved and do all they can to increase protection; more insurance companies defining their coverage better; and more courts getting involved in enforcement actions.  Participants need to get the message that their cyber table manners need to get better fast, or they may be too risky to be part of the future.

As independent businesses, you can now find ways to act, policies to consider and put in place, and a cyber team to build, so that you and your customers are better positioned to compete in the new cyber environment.

Thinking About a Board of Directors

Is it time for you to consider forming a Board of Directors?
Starting your own Company, for most, was not the job for a committee.  For most founders, it’s the work of one and maybe a couple of partners, taking risks because they are convinced that they can serve customers better than the known competition.  It’s making decisions with partial information and a small budget.  It’s long hours for weeks, months, and even years.

Along the way, the founder may find help from an accountant, a lawyer, and a banker who can provide some practical help for specific issues, but there is little risk sharing going on in many conversations.  Casual advisors can be helpful, share war stories, and empathize.  But when markets are disrupted and hard decisions about “the next five years” come up, the founder falls back to the Board of One.  They get lots of general advice, but not always about what goes bump in the night.

Why think about a Board?
A Board can be helpful in providing strategic direction, expertise and advice, oversight, and accountability.  The business of providing services to enhance the management of human resources is going through disruptive change.  Successful owners of businesses in the space need more knowledge and background in more disciplines than ever before.  The pace of change requires making decisions about personnel, location, e-business, software, systems management, compliance, human resource management segments (payroll, HR, benefits, insurance…), funds transfers, mobility, cyber security (physical, software, networks), third-party vendors, customers, employees of customers, working capital requirements and business finance, possible mergers and acquisitions, and the list goes on.  It's a lot to think about for the Board of One.

So why expand the Board and not just continue on with a trusted advisor?  Long term trusted advisors and business partners can help, and if you have one, use them.  If you don’t, an expanded Board may help in three ways.  Members can broaden the founder’s knowledge base and experience level, they can ask important questions about the future of the company and founder investments, and they can deepen the commitment level of its members to the company, the founder, and the family.

  • Duties of the Board
    • To advise company management
    • To challenge Board peers, founders, and management by asking thoughtful, direct, and relevant questions
    • To provide the owners with strategic direction in thinking and planning about “what’s next”
  • Board Composition
    • Individual members need to bring specific skills and have demonstrated qualifications to serve
    • Individual members need to be independent, and bring diverse points of view
    • Individual members must be willing and able to trust each other and contribute to a productive Board environment
  • Terms of Service
    • The Board should have set limits on terms of service
    • Set quarterly meetings, mandatory personal attendance
    • The Company should pay the members a meeting fee plus expenses

Consider a Board to help broaden the company's customer service, expand into new markets and market segments, plan for the future competitive marketplace, and help in succession planning.  As I look at Human Capital Management companies in terms of the skill sets needed in addition to the drive, risk taking, and common sense that successful founders bring to the table, I can list subject matter expertise in payroll, HR, benefits administration, insurance, channel and sales development, technology and IT, compliance, and security as areas for consideration.  In addition, members with experience in other issues the founder will face in the next five to eight years, such as system conversions, mergers and acquisitions, replacement of management teams, and succession planning (particularly the evaluation of family or long-term employee candidates), can be helpful depending upon the founder's situation.  Successful candidates for the Board can add to the founder's background in several of these areas, and make a difference.

  • Questions Boards should ask, that owners seldom ask but should
    • What are core assumptions that drive current strategy?
    • Are we really meeting Company Goals and Objectives?
    • What are the “disruptions” likely to face our industry and our company?
    • Are we in the right business? Are we the right owners for our company?  How do we position our company best to create value?
    • Do we have the right leadership, competence and capabilities, and capital in place to execute our current strategy?
    • Do we have the right tone at the top of the organization to achieve our goals?

What does the founder need to consider when considering a Board?
A Board is a committee, but a good Board can be small.  As few as two outside members can work.  As many as five can be helpful.  A good Board member should be independent and willing to speak up.  They may not always agree with the founder.  But the Board works best when all its members can respect each other's point of view and the contribution they make to making the company better.

There are hard decisions to be asked and answered about management, direction, capital spending, succession, and, in some cases, the disposition of the company.  The founder must be willing to listen, and to take advice.  The Board knows that it works on behalf of the management, employees, and customers of the company, but for the shareholders.  The founder is often the primary, if not the only, shareholder.

It might be time to review the Board of One, and consider building a Board of Directors.