Vell - Questions that Boards May Want to Ask CIOs


Upload: vell-executive-search

Post on 17-Jul-2015


Page 1: Vell - Questions that Boards May Want to Ask CIOs

1 of 5 © 2013 VELL EXECUTIVE SEARCH

Questions Boards May Want to Ask on Hot Topics Source: PWC

Data security

1. Is the board effort regarding the company's data security risk management commensurate with its importance to the company?
2. What is the company's perceived level of data security risk? What controls does the company have to mitigate the risk?
3. Does the company have a Chief Information Security Officer? If not, should it?
4. Does the company have a comprehensive strategy for addressing data security, and if so, is it effective?
5. Does the company test its resistance to attacks?
6. Does the company need data security insurance? What protection does the insurance provide?
7. What IT security resources are in place, and is IT spending on security appropriate?
8. Does the board receive appropriate information regarding attacks, breaches, and their sources? Is it on a frequent enough basis?
9. Does management have an inventory of the company's most sensitive and critical information, including intellectual property? Are critical assets adequately protected?
10. Is any company information housed outside the company with a third party, and if so, is it protected?
11. How does the company educate employees about the need and ways to protect information?
12. Has management addressed SEC disclosure requirements and other regulatory guidance related to data security? Are the company's disclosures appropriate?


Mobile computing

1. Is the level of board attention to overseeing the company's approach to mobile computing appropriate relative to its importance to the company?
2. Has the company evaluated the appropriateness of a mobile strategy? Do management and the board agree whether this is an area to pursue further?
3. How does the company evaluate return on its mobile investment relative to its costs?
4. Has the company considered what competitors are doing with mobile?
5. What is the company policy for allowing or restricting employees from using mobile devices (both company-owned and personal) to access corporate data?
6. How is company data protected on mobile devices?
7. Does the company use encryption technology for data that is accessible from mobile devices?
8. Does the company consider how employees can use unauthorized devices to gain access?
9. What does the company do when an employee's mobile device is lost?
10. Is the mobile policy communicated to employees? How vigorous is the education process to effectively mitigate risks?

Data privacy

1. Is the level of board attention to the company's data privacy appropriate relative to its importance to the company?
2. How does the company protect private data about individuals from potential predators?
3. Does the company have a Chief Privacy Officer? If not, should it?
4. Does the company take advantage of the data it collects?
5. What are the company's safeguards and vulnerabilities, and how does it monitor the controls to limit a perpetrator's ability to obtain private personal information?
6. Does the company have an external data privacy policy? Where can it be accessed, is it publicly disclosed, and is it in compliance with existing laws?
7. Are internal policies and procedures aligned with external data privacy policies?
8. Does the company transfer any personal and confidential information to third-party service providers? Are there policies addressing how this information is protected?
9. Does management keep the board up to date on the changing landscape of privacy laws and regulations in the US and abroad? Is the company in compliance? Does the company inform directors about new laws that might be coming?


Social media

1. Is the level of board attention to overseeing social media appropriate relative to its importance to the company?
2. How does the company use social media to engage customers, market products and services, recruit talent, and capitalize on other opportunities?
3. How do competitors leverage social media, and should the company be doing more to keep up or surpass them?
4. Do the CEO and executive leadership use social media? Are there policies on what executives can say?
5. How do employees use social media at work, and what safeguards exist to protect the brand?
6. Have the company's policies regarding social media been properly updated and have employees been appropriately trained?
7. Is the company complying with existing regulations? Is there any proposed legislation that will impact the company?
8. Does the company monitor social media platforms and negative publicity about the company?

Cloud services and software rentals

1. Is the level of board attention to overseeing cloud services and software rentals appropriate relative to its importance to the company?
2. Has the company considered the pros and cons of cloud services? Do management and the board agree whether the company should pursue this further?
3. What are the security and privacy risks, as well as mitigating factors, of using the cloud?
4. Do the company's third-party vendors have an appropriate level of data security for sensitive information?
5. What are the existing and proposed regulatory, compliance, accounting, and tax implications of moving to the cloud?
6. If systems are being migrated to the cloud, do underlying software licenses allow for data migration? Are there any regulations that would restrict moving the data to the cloud?
7. Has the company considered the volatility of company expenses associated with adopting the cloud?
8. Does management have backup plans for business continuity if the company's cloud service goes down?
9. Has the company considered the pros and cons of SaaS?
10. Does management have a company-wide strategy for the cloud that outlines procedures and processes?


Streamlining business processes using digital means

1. Is the board oversight of management's reengineering of business processes using IT appropriate given its relative importance to the company?
2. Is the company appropriately leveraging IT to facilitate more collaboration and reengineering of internal and external processes?
3. Is someone in the company thinking creatively about how to better leverage IT to get things done?
4. Does the company have an employee policy for the use of internal collaboration systems? Is the activity monitored for improper use?
5. Does the company have a policy for third parties when they are integrated into the company's IT structure?
6. Should the board use tablets, smartphones, or board portals to communicate company and board business? Is confidential information adequately protected?
7. Is the company embracing Big Data? Is it reaping a return on its investment?
8. Is the board getting the right customer data?


Hot Topics in the Boardroom (Source: NACD)

- Cyber Security
- Privacy
- Big Data
- Social Media
- Devices
- Cloud
- Mobile
- eCommerce
- InSource/OutSource
- CIO Leadership

[Diagram: Demand: Business Context (Big Data), Business Success, Business Capabilities (Social Media), IT Contribution. Control: IT Principles, IT Governance, IT Financial Management, Metrics. Supply: IT Services, Architecture (Devices/Cloud), People (CIO Leadership), Source (Outsource/Insource).]