Technology, Media & Telecommunications Industry Perspectives - May 2017

Technology, Media & Communications
Technology, Media & Telecommunications Industry Perspectives - May 2017

Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media & telecommunication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequences.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

In addition to seeing security as just an IT’s problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards, in particular, they should provide information in nontechnical terms to the extent possible, and prioritize discussion of issues based on the business risks that each risk poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media & telecommunication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media & telecommunication businesses must be fully prepared to face if they are to survive.

Developments in the First 100 Days of the Trump Administration that Affect the Technology and Telecommunications Industries

In our election implications Flash Report, we suggested there were possible winners and losers across multiple sectors from a Trump presidency. Here is an update of developments during the first 100 days of interest for technology and telecommunications companies.

Possible Losers


What we said we expected: Disruption of technology-friendly trade agreements and tariffs for moving jobs offshore to low-cost countries may be imposed. Opposing the H-1B Visa program that enables access to highly skilled workers not available in the U.S. could stifle innovation and dampen start-ups. The security versus privacy issue is in play. More cyber legislation as well as initiatives to enforce stronger protections and retaliation against cyber attacks. Some benefit to the industry from infrastructure investment.


Developments since inauguration: The April EO focusing on H-1B visa reform has caught the technology industry’s attention, which has long argued that it must attract the best and most qualified workers with advanced skills from across the globe to compete in the global marketplace. Many believe that the EO should be directed toward outsourcing firms based outside of the U.S. that are gaming the visa system to discriminate against American workers by hiring foreign workers at lower-than-market wages. That said, the mood inside the Beltway toward foreign workers is already having a chilling effect in Silicon Valley. As with other industries, trade policy remains an open question.


What we said we expected: The ATT/Time Warner merger could get blocked. The industry could see changes in FCC regulations, e.g., enforcement of net neutrality could be curtailed.


Developments since inauguration: In February, Time Warner shareholders voted to approve the company’s sale to AT&T for $85.4 billion and the FCC announced that it didn’t plan to review the deal, clearing the way for the Justice Department to very likely approve it.

In April, the FCC chair reported preliminary plans to roll back the agency’s net neutrality rules developed by the Obama administration. Net neutrality refers to the requirement for internet service providers (ISPs) to treat all internet traffic equally regardless of the size of the content provider, the type of internet traffic (e.g., streaming video vs. checking email) or any other variation of internet use. In essence, the current rules treat all internet traffic the same. Opponents of the rollback view strong net neutrality rules as crucial to maintaining competition on the internet.

Also, in April, President Trump signed into law a rollback of internet privacy protections. Under the measure, ISPs are permitted to collect and sell their customers’ web browsing history, location information, health data and other personal details. Supporters of the law argue that it levels the playing field between ISPs such as Comcast, AT&T and Verizon, and current internet advertisers such as Google and Facebook. While consumers can easily opt out of using a search engine which they believe violates their privacy, they may not be likely to change their ISP given the limited number of offerings in any given market and the relative cost and effort of effecting a change.



Gordon Tucker
Managing Director
Leader, Technology, Media & Telecommunications Industry Practice


Click here to access all series

Ready to work with us?