Good Governance in a Tech-Driven Revolution

Board chair Kristi Honey shares tips for leaders when contemplating their next generation of technology investments

By Kristi Honey

As we venture deeper into society’s fourth Industrial Revolution, the blend of complex technologies like Artificial Intelligence (AI), robotics and autonomous systems, and quantum computing can leave leaders and decision-makers feeling overwhelmed.

I have spent over 25 years in tech, including as head of Cyber and IT Security for the protection of nuclear and renewable power generation. As a member of the board of Kaihen, a Canadian company that provides energy and utility consulting, I learned how they better prepare and protect their customers in the ever-evolving world of technology.

These experiences have shaped how I view the adoption of new technologies and why I understand any hesitation senior leadership teams and board members have about embracing them. Ahead, I share insights, advice, and areas for consideration for leaders and decision-makers as their organizations contemplate their next generation of technology investments.

The Challenge: Balancing Efficiency with Security and Ethics

In the quest to find increasing efficiencies to streamline, automate, and save, organizations are investing in technology at a never-before-seen pace. With every investment, organizations are grappling with protecting themselves from threat actors (hackers), protecting data assets from internal and external exposure, and ensuring the systems and tools they invest in are not creating unacceptable risks, like bias in artificial intelligence, predictive analytics, and robotics automation. Around the boardroom table, directors are grappling with the decisions they must make around programming, ethics, people, and legal and insurance implications.

How do we wade through it all? And if you are not an IT professional, how do you know where to start and what questions to ask when it comes to assessing and evaluating technology?

Navigating the Uncertainty: A Starting Point for Leaders

While the complexities of tech, AI, and cybersecurity may seem daunting, leaders can engage meaningfully with the industry and innovations by considering a few components.

Ethics, Bias, and Fairness: There are many frameworks available in which the best and brightest minds have contemplated tough scenarios and worked through the ethics, bias, and fairness considerations around them. The IEEE Global Initiative on Ethics of Autonomous & Intelligent Systems aims to ensure that every participant involved in the design and development of autonomous and intelligent systems is educated, trained, and empowered to prioritize ethical considerations so that these technologies can be used for the benefit of humanity. This initiative provides valuable resources and recommendations for corporations and developers to adhere to ethical principles.

If you are investing in artificial intelligence, autonomous, or intelligent systems, ask your vendor whether they are members of the Autonomous and Intelligent Systems (A/IS) Standards working groups, and whether they adhere to these standards.

Ask for Corporate Social Responsibility (CSR) reports, transparency initiatives, independent or third-party assessments, and details of what testing for bias and discrimination has been conducted. Consider principles beyond the organization’s own values as well, such as established principles for working with AI. Ensure there is always a human at the end of the process to confirm the work created by AI.

Boards need to be clear on how their organization is using AI and the policies, procedures, ongoing monitoring, and training that will govern these systems. Ensure the investments consider organizational change impacts from the start, as many projects fail due to lack of adoption. Involving the people affected during the initiation phase and throughout the project lifecycle will reduce resistance to change and improve ownership.

Understanding Insurance, Legal & Regulatory Landscapes: Boards need to be briefed on the legal liabilities and any regulatory oversight or compliance obligations that might come with technology investments. Further, an assessment from your insurer will also provide insights into coverage. You should involve your insurer in the development of Incident Response Plans (IRPs) to fully understand your liability and coverage, and train staff and boards on procedures for incidents such as data loss, theft, and cyber incidents.

Ask questions about current requirements and any forthcoming legislation that is forecast as new laws emerge. What procedures and safeguards are in place to ensure continued assessment and ongoing forecasting of regulatory or legal updates? Ask whether insurance upset limits have been set with the vendor of record, and ask whether the insurer has provided guidance on insurable (and uninsurable) events, incident response procedures, and any conditions or responsibilities the organization must meet to remain insurable.

For complex systems with significant ethical implications, consider a multi-stakeholder board committee to help navigate any insurance, legal, and regulatory matters. This committee could include experts from various fields such as regulatory affairs, legal, insurance, policymakers, consumer advocacy, technology, and more.

Data Governance & Data Privacy: Data serves as the foundation for system automation and investments, encompassing both the configuration data that dictates operational rules and the data used to program and train systems. Understanding the entire data lifecycle, including collection, protection, storage (both physical and logical), and destruction, is paramount.

Boards must ensure clarity regarding data collection or procurement methods, ensuring full compliance with applicable laws and legislation across all operating jurisdictions. Additionally, many datasets come with terms of use, potential confidentiality obligations, and secure storage requirements.

Consider implementing a data governance program that encompasses regulatory compliance, privacy protection, eDiscovery, audit readiness, and corporate data classification and record retention policies. This involves comprehensive data classification, management, retention, and disposition of records, alongside establishing rules and procedures to manage the data lifecycle.

Importance of Legal Awareness:

Boards must be acutely aware of data protection regulations in all regions in which they operate, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario’s Personal Health Information Protection Act (PHIPA), and Europe’s General Data Protection Regulation (GDPR).

By prioritizing data governance, understanding legal requirements, and implementing data minimization practices, boards can ensure responsible data handling and mitigate the associated risks.

Cyber Security: The ever-increasing prevalence of cyberattacks, from financial crime to geopolitical warfare, underscores the importance of robust cybersecurity measures. While implementing data minimization strategies is crucial, organizations still face the challenge of effectively safeguarding growing data sets.

Asking the Right Questions:

Boards, while not needing deep technical ability, need to ask key questions to ensure adequate cybersecurity. The Chief Information Security Officer or senior leadership should be able to answer the questions below without getting into the technology:

  • Resources for Protection: What physical and logical security measures exist (e.g., access control, firewalls, encryption)?
  • Monitoring Systems: What systems are used to monitor and detect threats (e.g., intrusion detection, security operations centers)?
  • Continuous Assessment: How are vulnerabilities regularly identified and addressed (e.g., ethical hacking, audits)?
  • Cyber Insurance Coverage: What is the scope of our cyber insurance coverage?
Standards and Frameworks:

Many organizations use established frameworks like the NIST Cybersecurity Framework and ISO 27001 to measure their cybersecurity posture. Boards can inquire:

  • Benchmarking Standards: What standards are used to assess our cyber health?
  • Independent Validation: Are third-party audits conducted to verify findings?
Building a Robust Defence:

To enhance protection, response, and recovery, consider:

  • Legal and Threat Response Retainers: Engaging legal firms specializing in ransomware response, and cyber incident response teams such as CrowdStrike or Mandiant.
  • Immersive Training: Partnering with firms like SiberX to create realistic training scenarios and exercises.

As a member of a senior leadership team or board, you must understand the answers to these questions as you make decisions on investments. Every organization should have cyber security written into its Enterprise Risk Management framework, with readiness reported to the entire board regularly.

Ask questions about how the organization is cultivating a cyber-conscious culture. How often are employees trained? Does everyone at all levels of the organization (including the Board) know how to recognize and respond to a potential threat? Are employees tested using phishing simulation tools, and if so, what are the consequences of failing a test?

Incident Response Plan testing, simulations, tabletop exercises, and frequent promotion of cyber awareness are essential, as every organization’s greatest weakness and threat often lies in human error. On the other hand, your employees can also be your best defence if properly trained.

By actively engaging in these critical areas, boards can play a vital role in ensuring their organizations are prepared to face evolving cyber threats and foster a culture of cyber resilience.

Boardroom Engagement and Awareness

While the allure of new technologies is undeniable, a valid concern often arises in boardrooms: a general fear of modernization. However, organizations that don’t adapt and embrace new technologies not only risk losing their competitive edge, but also face the growing challenge and expense of catching up later in terms of systems, processes, talent acquisition, and establishing leadership and board governance practices.

Ignoring these advancements is no longer an option. In the face of the tech-driven revolution, a nuanced approach to governance is essential. This approach should strike a delicate balance between embracing innovation, upholding ethical considerations, complying with regulations, and prioritizing robust cybersecurity.

Ultimately, good governance is the cornerstone of making these crucial investments while safeguarding the organization throughout its journey toward a more modernized future.

Kristi Honey

Kristi Honey is the Chief Administrative Officer for the Township of Uxbridge, Vice Chair of the Trent University Board, and a Director on the Kaihen Inc. Advisory Board. She is the former Chairperson of the Durham College Board of Governors and College Employers Council Board. Kristi built and sold several tech start-ups, and is a globally recognized cybersecurity, risk management, and governance expert. Kristi is a champion for human rights, the environment, and the economic empowerment of women and communities.