1 of 5 © 2013 VELL EXECUTIVE SEARCH
Questions Boards May Want to Ask on Hot Topics (Source: PwC)

Data security
1. Is the board effort regarding the company's data security risk management commensurate with its importance to the company?
2. What is the company’s perceived level of data security risk? What controls does the company have to mitigate the risk?
3. Does the company have a Chief Information Security Officer? If not, should it?
4. Does the company have a comprehensive strategy for addressing data security, and if so, is it effective?
5. Does the company test its resistance to attacks?
6. Does the company need data security insurance? What protection does the insurance provide?
7. What IT security resources are in place, and is IT spending on security appropriate?
8. Does the board receive appropriate information regarding attacks, breaches, and their sources? Is it on a frequent enough basis?
9. Does management have an inventory of the company’s most sensitive and critical information, including intellectual property? Are critical assets adequately protected?
10. Is any company information housed outside the company with a third party, and if so, is it protected?
11. How does the company educate employees about the need and ways to protect information?
12. Has management addressed SEC disclosure requirements and other regulatory guidance related to data security? Are the company’s disclosures appropriate?
Mobile computing
1. Is the level of board attention to overseeing the company’s approach to mobile computing appropriate relative to its importance to the company?
2. Has the company evaluated the appropriateness of a mobile strategy? Do management and the board agree whether this is an area to pursue further?
3. How does the company evaluate return on its mobile investment relative to its costs?
4. Has the company considered what competitors are doing with mobile?
5. What is the company policy for allowing or restricting employees from using mobile devices (both company-owned and personal) to access corporate data?
6. How is company data protected on mobile devices?
7. Does the company use encryption technology for data that is accessible from mobile devices?
8. Does the company consider how employees can use unauthorized devices to gain access?
9. What does the company do when an employee’s mobile device is lost?
10. Is the mobile policy communicated to employees? How vigorous is the education process to effectively mitigate risks?

Data privacy
1. Is the level of board attention to the company’s data privacy appropriate relative to its importance to the company?
2. How does the company protect private data about individuals from potential predators?
3. Does the company have a Chief Privacy Officer? If not, should it?
4. Does the company take advantage of the data it collects?
5. What are the company’s safeguards and vulnerabilities, and how does it monitor the controls to limit a perpetrator’s ability to obtain private personal information?
6. Does the company have an external data privacy policy? Where can it be accessed, is it publicly disclosed, and is it in compliance with existing laws?
7. Are internal policies and procedures aligned with external data privacy policies?
8. Does the company transfer any personal and confidential information to third-party service providers? Are there policies addressing how this information is protected?
9. Does management keep the board up to date on the changing landscape of privacy laws and regulations in the US and abroad? Is the company in compliance? Does the company inform directors about new laws that might be coming?
Social media
1. Is the level of board attention to overseeing social media appropriate relative to its importance to the company?
2. How does the company use social media to engage customers, market products and services, recruit talent, and capitalize on other opportunities?
3. How do competitors leverage social media, and should the company be doing more to keep up or surpass them?
4. Do the CEO and executive leadership use social media? Are there policies on what executives can say?
5. How do employees use social media at work, and what safeguards exist to protect the brand?
6. Have the company’s policies regarding social media been properly updated and have employees been appropriately trained?
7. Is the company complying with existing regulations? Is there any proposed legislation that will impact the company?
8. Does the company monitor social media platforms and negative publicity about the company?
Cloud services and software rentals
1. Is the level of board attention to overseeing cloud services and software rentals appropriate relative to its importance to the company?
2. Has the company considered the pros and cons of cloud services? Do management and the board agree whether the company should pursue this further?
3. What are the security and privacy risks, as well as mitigating factors, of using the cloud?
4. Do the company’s third-party vendors have an appropriate level of data security for sensitive information?
5. What are the existing and proposed regulatory, compliance, accounting, and tax implications of moving to the cloud?
6. If systems are being migrated to the cloud, do underlying software licenses allow for data migration? Are there any regulations that would restrict moving the data to the cloud?
7. Has the company considered the volatility of company expenses associated with adopting the cloud?
8. Does management have backup plans for business continuity if the company’s cloud service goes down?
9. Has the company considered the pros and cons of SaaS?
10. Does management have a company-wide strategy for the cloud that outlines procedures and processes?
Streamlining business processes using digital means
1. Is the board oversight of management’s reengineering of business processes using IT appropriate given its relative importance to the company?
2. Is the company appropriately leveraging IT to facilitate more collaboration and reengineering of internal and external processes?
3. Is someone in the company thinking creatively about how to better leverage IT to get things done?
4. Does the company have an employee policy for the use of internal collaboration systems? Is the activity monitored for improper use?
5. Does the company have a policy for third parties when they are integrated into the company’s IT structure?
6. Should the board use tablets, smartphones, or board portals to communicate company and board business? Is confidential information adequately protected?
7. Is the company embracing Big Data? Is it reaping a return on its investment?
8. Is the board getting the right customer data?
Hot Topics in the Boardroom (Source: NACD)
- Cyber Security
- Privacy
- Big Data
- Social Media
- Devices
- Cloud
- Mobile
- eCommerce
- InSource/OutSource
- CIO Leadership

[Diagram: IT governance framework mapping the hot topics onto three layers. Demand: Business Context (Big Data), Business Success, Business Capabilities (Social Media), IT Contribution. Control: IT Principles, IT Governance, IT Financial Management, Metrics. Supply: IT Services, Architecture (Devices/Cloud), People (CIO Leadership), Source (Outsource/Insource).]