A non-exec directorship might (unfairly) be seen as a sinecure – a reward for a career’s accomplishments – combining a comfortable stipend with a light workload and the occasional decent lunch. Once upon a time this might well have had some truth to it, but the winds of change have long blown through the boardroom, and – to mix my metaphor – have shone an uncomfortably bright light on standards of corporate governance.
A non-exec’s real job is to ask difficult questions. He or she is there to represent the interests of shareholders and make sure that the executives are doing their jobs properly. Some recent news stories have thrown this into sharp relief – from Tesco to the Co-Op bank – but the focus so far has been on financial mismanagement.
There’s another upset coming. Right now shareholders are asking whether non-execs pay the management accounts the attention they should. Soon they’ll notice that there’s a similar governance deficit in IT. Few non-execs have a technology background, and many of them built their reputations before technology became the all-pervasive backbone of business.
So when their business is fined hundreds of thousands of pounds by the ICO for a data breach, or they are personally prosecuted for failure to register under Section 17 of the DPA, or they watch a year’s profits wiped out by hackers – or by a continuity failure… it’ll come as a bit of a shock.
UK Plc is behind the curve in having exec board representation from the IT function; still fewer businesses have dedicated information security officers. Only 30% of FTSE 350 companies reported that they receive regular cyber-security updates at board level. Yet the rate of breaches – both negligent and malicious – is increasing, while the collateral and reputational damage from a major breach is getting harder to overestimate – the total cost of the breach at Target in the US may now reach $1bn.
The penalties at law also become more stringent every year. The average fine from the ICO this year has been £155,000; last year it was £104,000. To add to that, there’ve been the usual prosecutions for failure to notify. Sounds trivial. Is in fact a criminal offence. Usually the ICO prosecutes the company, but sometimes it goes for an individual director. A criminal record might sour the post-prandial cognac somewhat.
So the £155,000 question is: can you tell if your company’s IT function is doing what it should to protect shareholder value? If you don’t ask the right questions, the buck might not stop with the IT manager…