The Board’s Role in Managing Cybersecurity Risks

Today, more than ever, the demands posed by issues of cybersecurity clash with both the need for innovation and the clamor for productivity. Increasingly, cybersecurity risk includes not only the risk of a network data breach but also the risk of the entire enterprise being undermined via business activities that rely on open digital connectivity and accessibility. As a result, learning how to deal with cybersecurity risk is of critical importance to an enterprise, and it must therefore be addressed strategically from the very top. Cybersecurity management can no longer be a concern delegated to the information technology (IT) department. It needs to be everyone’s business — including the board’s.

Cybersecurity Enters the Boardroom

Network breaches have become so routine that only the most spectacular events, such as the recent breach at the credit reporting agency Equifax Inc. that affected some 143 million U.S. consumers, make headlines. Corporate boards of directors are expected to ensure cybersecurity, despite the fact that most boards are unprepared for this role. A 2017-2018 survey by the National Association of Corporate Directors (NACD) found that 58% of corporate board member respondents at public companies believe that cyber-related risk is the most challenging risk they are expected to oversee. The ability of companies to manage this risk has far-reaching implications for stock prices, company reputations, and the professional reputations of directors themselves. For example, following a 2013 data breach of Target Corp., in which the personal information of more than 60 million customers was stolen, a shareholder lawsuit charged directors and officers with having fallen short in their fiduciary duties by failing to maintain adequate controls to ensure the security of data. Although the board members were ultimately not found to be at fault, both the company’s CEO and CIO resigned.

U.S. case law is based on and generally adheres to the “business judgment rule,” which sets a high bar for plaintiffs pursuing legal action against board members. Similar protections for directors are in place in most “common law” countries, including Canada, England, and Australia. The Equifax cyberattack and future corporate breaches may prompt more challenges to the business judgment rule.

The view that directors are not sufficiently prepared to deal with cybersecurity risk has raised alarm bells in boardrooms nationwide and globally. Even as companies increase their investments in security, we are seeing more — and more serious — cyberattacks. If corporate boards are not sufficiently prepared to deal with cybersecurity, how will they be able to determine the effectiveness of current and proposed cybersecurity strategies? How can they know what operationally effective cybersecurity should look like and how it should evolve? And how can directors know what to ask so that they can make the right cybersecurity investment decisions?

Asking the Right Questions

In our work with dozens of companies and in surveys of executives, we have found that many directors currently cannot ask the right questions because they lack meaningful metrics to assess the cybersecurity of their business. In a 2016 poll of 200 CEOs conducted by RedSeal Inc., a cybersecurity analytics company in Sunnyvale, California, 87% of respondents reported needing a better way to measure the effectiveness of their cybersecurity investments, with 72% calling the absence of meaningful metrics a “major challenge.” Often, executives as well as directors spend too much time studying technical reports on such things as the numbers of intrusion detection system alerts, antivirus signatures identified, and software patches implemented.

To improve the situation, companies need to address two issues. First, directors need to have basic training in cybersecurity that addresses the strategic nature, scope, and implications of cybersecurity risk. Within companies, managers involved in operations, security specialists, and directors alike need to adopt a common language for talking about cybersecurity risk. Second, top management needs to provide meaningful data about not just the state of data security as defined narrowly by viruses quarantined or the number of intrusions detected, but also about the resilience of the organization’s digital networks. This means having strategies to sustain business during a cybersecurity breach, to recover quickly in its aftermath, and to investigate needed improvements to the digital infrastructure. Networks constantly change, so tracking cyber risks and vulnerabilities over time and adapting accordingly is essential.

A few decades ago, when business computers were networked into systems of record, it made sense for organizations to focus exclusively on preventing outside attacks and protecting the network perimeter. However, now that computers have become systems of engagement, strategies geared toward perimeter defense are inadequate. Today’s organizations have vast numbers of network connections and human-machine interactions taking place at all hours of the day and night. In this context, security strategies must extend far beyond the walls of a single organization to reflect interactions with suppliers, customers, and vendors. Networks are permeable, and the relevant question is no longer “Will the organization’s cyberstructure be compromised?” but “What do we do when it is breached?” For organizations, the old challenge of detecting and neutralizing threats has expanded to include learning how to continue doing business during a breach and how to recover after one. In other words, it has expanded from security alone to security and resilience.

Increasing Resilience

Resilience is essential in any effective cyberdefense strategy. Our cyberadversaries are competent, determined attackers and only have to succeed once. Resilience assumes that attacks are immutable features of the digital business environment and that some fraction of these attacks will inevitably result in breaches. Therefore, creating sufficient resilience both to continue doing business while dealing with a breach and to recover in the aftermath of a breach is the most critical element of a contemporary cyberdefense strategy.

Adequate organizational resilience is about operating the business while fighting back and recovering. Maintaining this level of performance requires the ability to measure an organization’s digital resilience much the way a board oversees its financial health. For board members, no fiduciary obligation is more urgent than overseeing and, where necessary, challenging how executive leadership manages the risks to the company. Managing cybersecurity risk today requires protecting the digital networks essential to conducting business by ensuring effective security and a high level of resilience in response to those inevitable cyberattacks. This can be accomplished through policy, selection of leadership, and allocation of resources. It is a whole-enterprise issue, requiring both full board engagement and superior execution by management.

The 2017-2018 survey by NACD reveals that public company board members are significantly more skeptical about their company’s cybersecurity efforts than are C-suite executives. Just 37% of respondents reported feeling “confident” or “very confident” that their company was “properly secured against a cyberattack”; 60% said they were “slightly” or “moderately” confident. Other surveys, including the 2016 poll of CEOs by RedSeal, pointed to similar weaknesses. Given the disconnect between the risk levels and degree of preparedness, we believe that most companies need to become more realistic about their vulnerability.

The problem isn’t a lack of investment. In 2017, worldwide spending on information security was expected to reach $86.4 billion and to further increase to $93 billion in 2018, according to Gartner Inc. However, cybercrime losses are rising at more than twice the rate of expenditure increases. Many CEOs continue to focus their attention on keeping hackers out of their networks rather than building resilience for dealing with hackers once they have broken in. Although most CEOs believe that cybersecurity is a strategic function that starts with executives, RedSeal found that 89% of CEOs surveyed treat it less as a whole-business issue than as an IT function, in that the IT team makes all budget decisions on cybersecurity.

Best Practices

Building on insights from the surveys cited above, we have developed a four-part approach to help organizations manage cybersecurity more effectively and formulate digital resilience strategies. It involves educating company leadership; developing a common language for management and corporate directors to discuss cybersecurity issues; understanding the difference between security and resilience; and making both security and resilience strategic corporate imperatives.

1. Educate company leadership. Cybersecurity risk shouldn’t be treated strictly as an IT issue. In terms of risk management, both security and resilience need to be managed as issues of importance to the entire enterprise. Increasingly, directors and senior management are being held accountable for the security and resilience of networks and data. Board members must therefore understand the issues at stake and accept their fiduciary responsibility for their organization’s cyberdefense posture. Company leadership must have an unambiguous understanding of the key elements of security and resilience. Both management and directors need to be aware of (1) the limitations of security (no practical cybersecurity strategy can prevent all attacks) and (2) the need for resilience (strategies to sustain business during a cyberattack and to recover quickly in the aftermath of a breach).

In order to be effective, directors need sufficient knowledge to understand and approach cybersecurity broadly as an enterprise-wide risk management issue. Directors need to understand the legal implications of cybersecurity risks as they relate to their company’s specific circumstances.

2. Develop a common language. Boards must have adequate access to cybersecurity expertise, and their discussions about cybersecurity risk management should be a regular part of each board meeting agenda, with sufficient time allotted. Moreover, board engagement regarding cybersecurity issues should not be restricted to yearly or semiannual reports. A proprietary 2017 McKinsey survey on chief information security officer (CISO) and board reporting found that CISOs who had less-than-productive board interactions felt they needed more time with the board to explain and examine critical issues. One CISO who responded to the survey observed that “board members have to be able to ask questions that may be perceived by others to be ignorant.” No question can be considered bad or inappropriate.

Digital security specialists, like all subject-area experts, must be able to communicate effectively with board members and other leaders. Meetings with CISOs and other security professionals mean nothing if technical experts and directors are unable to understand one another. Information security executives must be capable of presenting information at a level and in a format that is accessible to nontechnical corporate directors. Ideally, assessments of cybersecurity, digital resilience, and cybersecurity budgeting should be expressed using metrics that objectively and unambiguously score issues of risk, reward, cost, and benefit. That said, directors should make themselves conversant in basic principles relevant to digital networking and security. The goal is for CISOs and other IT executives to engage in frank, mutually intelligible dialogue with the board and appropriate subcommittees. Wherever possible, IT and CISO reports should be focused on prioritized items on which the board can take action, especially those that can be addressed by the whole company.

3. Distinguish between security and resilience. Companies should create a clear distinction between digital security and digital resilience. Digital security focuses on essential security measures, including providing such traditional defenses as effective antivirus and anti-malware software, adequate firewalls, and employee education in safe computing practices. Digital security is, therefore, a security issue.

In contrast, digital resilience is a business issue, which relates to how the whole organization conducts business in a digital environment. For example, balancing data accessibility with the necessity of protecting customer data and intellectual property involves a trade-off between security and interactivity that affects the customer experience, customer service, customer retention, acquisition of new customers, and so on. It is therefore a business issue. To the degree that an element of an organization’s security implementation impedes business (for example, by arbitrarily restricting access to data), it may provide adequate security. But it is a poor business practice, which makes the company more liable to fail and therefore less resilient.

In assessing the organization’s strategic cybersecurity policy, the board must balance resilience against security, with priority given to resilience. Over time, your network will be penetrated. Therefore, resilience (the ability to respond to incidents and breaches) should be prioritized over the forlorn hope of security alone as a silver bullet. Security will not enable you to continue to conduct business during a breach. Resilience will. The board must provide necessary leadership in advocating for whole-enterprise resilience policies and practices.

4. Make security and resilience strategic business issues. Directors must set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. The board’s discussions with management concerning cybersecurity risk should include identifying which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach.

In concert with top management, the board should create a clear statement of its role in overseeing, evaluating, and challenging the company’s digital security and resilience strategies. The statement should clearly define and assign responsibilities and must delineate the differing roles of the board and senior management. Within the board itself, cybersecurity and digital resilience must be the responsibility of all directors and not be relegated to a committee or subcommittee. Nevertheless, boards should consider assigning one cyber-savvy director to take the lead on issues of security and resilience, and, when recruiting new directors, companies should seek out people with appropriate cybersecurity expertise.

The board should continually reassess the overall budget for security and resilience and redirect investments as necessary. Given the reality that the number and seriousness of breaches are growing, it is clear that most organizations need to evaluate their cybersecurity investments more clearly and effectively. Improving the ability to measure and quantify cyber-related risks is vital to this step, because it allows cybersecurity and resilience to be evaluated for their impact on the entire business.

MIT Sloan Management Review

Two New Arduino Boards Give LoRa and 2G/3G Connectivity In IoT

IoT developers, makers and enterprises will be excited to know that Arduino has unveiled two new “MKR” form-factor IoT boards focused on applications like environmental monitoring, tracking, agriculture, energy monitoring and home automation. A new update from Cypress is a Wi-Fi and Bluetooth combo solution promising to make long battery life with Wi-Fi a reality for portable and battery-powered IoT devices. Finally, ON Semiconductor’s new 7 mm x 9 mm x 1 mm RF SiP transceiver is meeting the demand of challenging IoT applications where connectivity is needed close to a sensor.

Two New Arduino Boards Give LoRa and 2G/3G Connectivity In IoT

Two newly designed Arduino boards help IoT developers to quickly add LoRa and GSM connectivity to their IoT projects. The new boards come in an MKR form factor of 67.64 x 25 mm and also offer low power consumption, making them useful for applications such as environmental monitoring, tracking, agriculture, energy monitoring and home automation. The Arduino MKR WAN 1300 delivers LoRa connectivity via a Murata LoRa module, and the MKR GSM 1400 adds global 2G and 3G communications through an integrated u-blox module. Both boards use the Atmel SAM D21 microcontroller, featuring a 32-bit ARM Cortex-M0+ processor, 256 KB of Flash memory and 32 KB of SRAM.

Wi-Fi & Bluetooth Combo Reduces Power Consumption For Wearables

A new combo solution from Cypress brings ultra-low-power Wi-Fi and Bluetooth connectivity to a wide range of IoT systems needing extended battery life, from wearables to smart home products. Supporting Wi-Fi 802.11ac and Bluetooth 5.0, the new CYW43012 chip is manufactured using a 28 nm process technology, which Cypress claims reduces energy consumption compared with currently available solutions by 70% in receive mode and by 80% in sleep mode. The chip is supported by the Cypress WICED Studio development environment to ease integration into IoT projects.

Compact Sigfox Device For Low power IoT/IIoT

ON Semiconductor is helping developers meet the challenging space constraints of many IoT applications with its new Sigfox RC1-verified SiP (System in Package) transceiver. The new programmable device integrates an advanced RF SoC together with all of the surrounding bill-of-materials components (including a TCXO). The AX-SIP-SFEU, the company says, provides the most integrated Sigfox solution for both uplink (transmit) and downlink (receive) communications. The 7 x 9 x 1 mm device is said to have almost one-third the footprint and one-tenth the overall size of a module-based solution, giving engineers much greater design freedom.

The post Two New Arduino Boards Give LoRa and 2G/3G Connectivity In IoT appeared first on Internet Of Things | IoT India.

The Board’s Role in Share Repurchases

Capital allocation is a significant function for company directors. How much of the company’s profits gets reinvested in the business rather than distributed to shareholders through cash dividends or share repurchases is a critical decision companies must make. Boards of directors typically approve a dividend policy and precise amounts for each quarter: Everyone knows that cutting the dividend will result in a sharp decline in the share price.

Yet in many companies, decisions about the level and timing of share repurchases are left to management. That stems partly from differences in legal requirements: The board must formally approve the amount of the company’s quarterly dividend but not its repurchases. Moreover, the implementation of the repurchase program is heavily influenced by the company’s actual cash flows.

Nevertheless, share repurchases are something to which directors should pay more attention. Specifically, directors should carefully consider the capital allocated to repurchases relative to the company’s realistic opportunities for value creation through internal development or external acquisitions. They should be highly skeptical of large repurchase programs that are financed by selling debt rather than paid for out of company profits.

From 2014 through 2016, distributions to shareholders — dividends and repurchases together — consistently exceeded 100% of the net income of the companies in the S&P 500. During the same period, share repurchases for the Russell 1000 companies (excluding financial and real estate companies) ranged from 62% to 71% of the free cash flow (net income minus capital expenditures). These trends seem to reflect a slowly growing global economy, together with the availability of very cheap debt. According to ASR Research, roughly half of all share buybacks were financed by debt rather than profits.

Share repurchases are sometimes justified as a way to maintain and increase a company’s share price. However, this view is not supported by the data. The 100 companies with the highest buybacks in the S&P 1500 underperformed that index from 2005-2016.

Why have these companies underperformed? First, sophisticated shareholders know that share buybacks increase earnings per share (EPS) by spreading the same amount of revenue over a reduced number of shares. To these shareholders, buybacks are seen as a form of financial engineering for companies with weak growth prospects.

Second, executives are notoriously bad at timing their share repurchases — they do a lot of buying when the company’s stock price is high and relatively little when the price is low. That’s why, between 2004 and 2016, companies reduced their share count by roughly 25% but increased their EPS by only 12%.

Third, share repurchases reduce the relative market cap of companies in market-weighted indexes such as the S&P 500. As a result, the giant index funds based on the S&P 500 are effectively forced to rebalance by selling the stock of companies with large repurchase programs.

So how should directors evaluate various uses for a company’s cash flow? To begin with, some buybacks are quite sensible. For example, directors should endorse share buybacks sufficient to fund the company’s plans for stock options and restricted shares for employees. Buybacks at this level would minimize the dilution effects of such plans on the company’s public shareholders. Similarly, directors should support capital expenditures necessary to maintain the company’s asset base. In addition, companies should have enough cash on hand to cope with the vagaries of the business, especially if share repurchases are financed from new debt rather than current profits.

Once these priorities are taken care of, directors must address the issue of capital allocation. Does the company have internal products or research projects that are likely to deliver a return that’s higher than its cost of capital? Alternatively, if the company makes a significant acquisition, will the additional revenues and earnings over time justify the deployment of cash debt capacity? These are the questions that we hear more and more from the large institutional investors such as BlackRock and Vanguard, which hold a majority of the shares in most large, public U.S. companies. Given the difficulties these large investors have trading in and out of big blocks of stocks, they tend to be more interested in long-term value creation than brief run-ups in a stock price.

Nevertheless, some boards capitulate to activist investors on share repurchases without polling their long-term shareholders. For example, having bought less than 1% of the stock of General Motors in 2015, investor Harry J. Wilson persuaded GM’s board to invest $5 billion in cash to repurchase shares. Although the share buybacks didn’t seem consistent with long-term value creation (particularly for a company that had recently emerged from bankruptcy), shareholders never got an opportunity to vote on this proposal.

Share repurchases are too important to be left to the discretion of company management.

Boards should set the level of annual repurchases after carefully considering the internal and external opportunities available for the company’s capital as well as the objectives of its long-term investor base. To the extent feasible, directors should support corporate strategies to increase the company’s revenues and profits over several years, and they should look askance at share repurchases that are financed by debt to maintain EPS in the next quarter.

MIT Sloan Management Review

Top 5 IoT Development Boards

Here are the 5 best new Internet of Things development boards (Arduino and Raspberry Pi compatible).

00:00 – Lora One (sodaq one)
02:28 – Tespa
05:10 – ESLOV by Arduino
07:10 – Wio Link
10:30 – EspressoBin Board

ESLOV is the amazing new IoT invention kit from Arduino

New STM32 Boards Support Cost-Effective and Ultra-Low-Power LPWAN Evaluation for Long-Range IoT Connectivity

New Delhi, March 01, 2017 – Two new ready-to-use prototype boards available from STMicroelectronics slash the cost for developers to start evaluating LoRaWAN™ and other Low-Power Wide Area Network (LPWAN) technologies including 6LoWPAN. The boards are based on the smallest and lowest-power LoRaWAN modules that exist on the market today, with a footprint not larger than 13 x 12 mm and power consumption in the range of 1.2 µA in standby mode.

The B-L072Z-LRWAN1 STM32 LoRa® Discovery kit ($46.50) builds on the all-in-one open module from Murata® that integrates an STM32L072CZ microcontroller (MCU) and a Semtech SX1276 transceiver. The module features a LoRa modem that provides ultra-long-range spread-spectrum communication and high interference immunity while minimizing current consumption.

Since the module is open, developers have access to the STM32L072 MCU and its peripherals such as the ADC, 16-bit timer, LP-UART, I2C, SPI and USB 2.0 FS (supporting BCD and LPM). They can design their applications using the STM32L0 HAL and LL embedded software libraries, and can further extend the board’s functionality by choosing from expansion boards within the STM32 Nucleo ecosystem or the large range of Arduino™ expansion boards.

The B-L072Z-LRWAN1 kit includes an on-board debugger, a 64-pin STM32 Nucleo morpho connector, an Arduino-compatible connector, and a battery socket. It also comes with access to a completely free development ecosystem that includes the MDK-ARM Integrated Development Environment (IDE), STM32CubeMX configurator and software tools, and ST’s LoRaWAN protocol stack (I-CUBE-LRWAN).

The I-NUCLEO-LRWAN1 ($25.00) is an expansion board for STM32 Nucleo or Arduino boards that can simply be plugged in to quickly start developing LoRa-based and/or FSK/OOK (Frequency-Shift Keying/On-Off Keying) connectivity applications. The board features a LoRaWAN module from USI® together with an STM32L052T8 MCU and a Semtech SX1272 transceiver.

The USI module comes pre-loaded with an AT command stack that helps streamline development and saves programming effort. The I-CUBE-LRWAN stack is available free of charge. As an extra bonus, to aid development of Internet-of-Things (IoT) applications, the I-NUCLEO-LRWAN1 board is also equipped with ST’s LIS2DS12 3-axis accelerometer, LPS22HB MEMS pressure sensor, and HTS221 humidity-and-temperature sensor.

Both boards are LoRaWAN-certified and fully compliant with wireless regulations in the US, EU, Russia, India, and other countries using the 860-930 MHz frequency bands. In addition to the industry-standard protocols, they also support proprietary LPWAN protocols for long-range connection of IoT devices like smart meters, alarm systems, tracking devices, positioning devices, environmental sensors, and activity sensors.

The post New STM32 Boards Support Cost-Effective and Ultra-Low-Power LPWAN Evaluation for Long-Range IoT Connectivity appeared first on Internet Of Things | IoT India.