Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Mark Havenner (00:05):
You are listening to Executive Cybersecurity with Dave Tyson. In this episode, Dave is speaking with Meghan Juday, speaker, author and Family Business and Company Governance Advocate. She is the Chairman of the Board of Ideal Industries, a family business in operation for over 105 years and in its fifth generation of ownership.
Dave Tyson (00:35):
How's it going, Meghan, and how you got to where you are. How's your career progressed?
Meghan Juday (00:39):
Well, I started off really with no plan, so I'll just start there. I had no idea what I was going to do. I went to a college with a firm belief that I would go to get my masters and then figure out what I was going to do. After I graduated, I spent a year abroad just kind of learning French and really wanting to experience a new culture. And then it came back, did my pre-med requirements to try to get into med school, and then there was just a moment where I realized I finished all my requirements. I realized I can't be a student for whatever seven more years. So I just kind of cracked from being kind of both poor and stressed all the time and just recognizing that that wasn't really going to change. So I opened a newspaper which I saw you looked for jobs back then.
Dave Tyson (01:36):
I didn't see that on your resume.
Meghan Juday (01:37):
I know, I know, I know, but it basically led me to a job that had both French and medical kind of medical background experience requirements and I was like, well, that is my job and that was the job that actually I met somebody who introduced me to my husband and she also introduced me to somebody who got my first kind of real big job. And so I went and worked for Computer Sciences Corporation and was basically a. I did that for about five years and just worked at DuPont and DuPont out and Covax and some of these massive organizations and it was such an excellent experience. I loved it. It was so fun and really getting to know other people and getting to know other businesses so intimately and just learning all about organizational change and dynamics and project planning and stuff. So it was kind of the best foundation anyone could have, especially after that kind of slow start.
But then what happened was, having met my husband during that timeframe and we got married, had we're pregnant and realized there's no women between the ages of 30 and 45 at this consulting firm certainly not. At that time they hadn't figured out how to do remote work, they hadn't figured out how to do job sharing or part time, and so I was really kind of forced to have to leave, if that was, if I wanted to spend any time with my son. So I took a I was planning on taking a year off and then, within probably three weeks, I got a phone call from my father, who was chairman of the board of Ideal Industries, which is a 107 now I keep losing count, it keeps changing 107 year old family business and he asked me to just come and work on this small project which, as it turns out, that is how most women get involved in their family businesses. They just get asked to do one tiny little thing and then it blossoms into this huge career.
So I started working just kind of, you know, kind of part time and then I've got kind of fully structured roles there and I was all around governance, which it turns out is I'm a huge fan of, I love governance and we'll talk a lot more about governance soon. But I basically spent, you know, did that for about 15 years with a governance lens focused on the family. So I was employed by the company but the family really was my client. And then, you know, during that time, that 15 years, I was named to the board of directors, the corporate board of directors, which is a majority independent board I was asked to form a nominating governance committee for the first time, was named vice chairman and then, in February of 2020, which was a good time by those were good times I was named chairman, and so it's been work. I've been working for the company now for about 20 years, and I have found governance to be one of the most exciting spaces in the business, because you can affect so much change by moving a lot of small little pieces. You can basically change the trajectory of a business, and so it's been a real joy to become a student of governance and a student of governance as well, as somebody who's really trying to implement good governance practices. So it's been. It's been great.
Dave Tyson (05:30):
Governance is exciting. I can't think I've ever heard that said before, but I'm going to go with you. So you seem to have a real passion for it and you know you were involved in other groups. You have clearly the Lotus Forum, which is something that you you've, you know, initiated and drive. Tell me a little bit about that and what your goals are for that.
Meghan Juday (05:51):
So, as I mentioned to us, named chairman in February of 2020. And I had that feeling. There was a moment when they're like, okay, you're it. And I, I mean, this has been a plan transition. I'd been, you know, it was planned in the sense that I was given the opportunities I had to earn it along the way. So this was not, you know, a fait accompli but having achieved the results, named unanimously to the chairman role I all of a sudden had this like horrible fear, like, oh my God, I can't mess this up. Other people have gotten it right enough over the last you know, hundred plus years, and now I, of course, essentially it's not only on my shoulders, but I will be blamed if it goes down after my watch.
And so I, kind of having had that fear and then also really only having had two or three weeks before the pandemic hit and, by the way, Ideal Industries is a global manufacturing company and we just happened to have had a facility in every single hotspot location in the world. Wow, it's lucky, I know. And so you know, and those in the beginning, nobody knew, you know how it was. Is it touch, you know? Was it air? Was it? You know? Like nobody knew how it was transmitted. Over time, they didn't know how to care for these employees and people just care. The healthcare system was so struggling with this and you know we always have. We always put our employees first as one of our values as a company and it was so horrible to think that, you know, as an essential business. We had to keep the doors open, but you know safety is such a high priority for us and not just being so stressed about how do we keep our employees safe and then how do you reassure them so that there can come back, and then you know how do you support them when they have sick family members within they're the primary caregivers. So it's just kind of on and on and on.
It was a very, very stressful time and also, surprisingly enough, generational transitions can sometimes be challenging in family businesses. I don't know if you've heard of this trend and I was surprised also given that this had been planned and communicated for years that there was, you know, walking into the transition feeling like all right, we've done this properly, to then realizing like, oh my gosh, we still have a lot like there's still a lot of loose ends and fragments and feelings that you know people need to resolve, and so all of that was kind of the background for starting the Lotus Forum and really it was not purposeful. I thought that I was starting a quarterly conference call with two or three other female board chairs and what happened was I recognized that okay, so I needed my thing is like always like phone a friend, like whenever I have a challenge. Dave, I've called you, you know this, you know phone a friend and then I realized I didn't know any other female board chairs and I thought that was shocking. I didn't realize that it was unique at all to be a woman in the senior leadership role in the board room. I just kind of was like you know, contributor, team member kind of mindset, and then walking into it, realizing that there was a unique gender element to this.
So that's when I reached out to my network, asked for introductions and what. Reaching out to these women just said, you know, I want to do a quarterly conference call. Who's interested? And I think I had 12 people say yes. I was like okay, well, this is not a small informal thing. Like this is a thing, and so we've evolved pretty substantially. We're an international peer group of women in board leadership roles, so it's chairman, vice chairman, lead director and then committee chairs are also welcome, because we really see all of these. It's unique to have a woman in a leadership role in the board room. That is kind of the. I mean, this may sound not very nice, but I do believe that, although companies are really transforming their businesses and you're seeing a lot more women in the senior executive roles, you're not seeing a real substantial change in the board room and I think it's just kind of the final frontier we're. I think we'll get there and we've seen a lot of. We have seen a lot of changes over the last couple of years, especially as there's our organizations and governments that are insisting on gender parity or certainly more gender diversity in the board room. So we are seeing some changes, but I think it's gonna take a little bit of time, especially cause there's a slow turnover in boards, and so that's kind of having started the, having started the Lotus Forum.
Now we have really focusing on both how do you be a great board chair and just all the dynamics that are happening in the board meeting and all the work that needs to be done prior to when everybody walks in that room to have it really be a strategic, to add strategic value to the company. But then we're also really spent a lot of time talking about what is on the board agenda today that your directors or your you yourself as a board chair may not be, may not really understand, but you have a fiduciary obligation to oversee it, and so that's when even we brought you in last year to talk about cybersecurity and how do you create a great oversight program. And I think the biggest challenge we have is, as we're building these oversight programs, I think there is still an issue of directors really not knowing if your entire cybersecurity report is all red, is that still good? You just don't know, like they don't know if, and so I really think that there's. I think that happens also in the enterprise risk management, the E&I, ESG, all there's a kind of these big items that are coming up on the board agenda today and I think directors probably are some directors are a little bit behind in terms of having a real robust understanding of those areas.
Dave Tyson (12:35):
It's interesting. You talk about the directors' awareness of the issues, what to do about it. I mean, if you look at the trends that are impacting on the publicly traded side and, to a certain extent, through different regulatory agencies, there seems to be a general trend around getting more understanding of that risk management at the board level and, in some cases, certainly on the publicly traded side. Looking at what the SEC has done recently, it's sort of starting to accelerate that trend. Right, we're they're looking for boards to be not only informed but actually have risk monitoring in place, having expertise on the board in this space.
So when you think about you talked a little bit about the percentage of women that are on the board there seems to be a need to evolve the board composition. Cause, I'll tell you, I've seen a lot of board job opportunities and it's almost identical in every one of them, which is you've been a finance person, you've worked in our industry or you can make introductions right, and not single one of them I've seen it says you understand risk management, you know cybersecurity and the entire value chain of our businesses wrap around being able to operate, protect our intellectual property, or we're going into China. What are the new risks that we're creating? There seems to be a gap in how boards recruit in many ways. But just one person's opinion.
But you know, one of the things that I I'd love to get your perspective on is, you know, for the last number of years we've seen everybody, from the World Economic Forum to other NACD, other groups who have all come out and done surveys, the big four accounting firms have all said cybersecurity is, you know, on the minds of board members, on the minds of CEOs, it's in the top five worries that organizations have from a risk management perspective. Yet, you know, my experience has been that cybersecurity at best we might get 15 minutes once a quarter on the board agenda as a regular practice and it's just a tactical review of what the audit committee said. And maybe the CISO gets in the room, if they have one, and he or she runs through a prescripted, you know filtered set of information that the boards love to get. But the interesting part is if the board is, if the direction is holding board members accountable to managing that risk through their governance program. You know, what do you think that the model is going to have to do to be able to get them to that place? Not only do you have to change the composition of the board, the talent of the board, the way, the access to information. I mean it's. That's a big move.
Meghan Juday (15:42):
Yes. So I mean there's a lot in your question, but I, you know, is there. I think the biggest issue is that the people putting together the agendas, the general population of directors, does not have a robust understanding of cyber security. And I think that you know, as I've learned from you, I mean really a lot and just wanting to educate myself and in other ways I've really come to learn that it's not just one person's responsibility to understand cyber security in the bar. We're all fiduciaries in there.
Dave Tyson (16:21):
Absolutely.
Meghan Juday (16:22):
And it's such a big issue and there's so many angles to it and there's so many impact potential impacts to your business. There's no way that only you can just rely on your you know your CIO, your CISO or your you know CFO director, who's had some experience in their other company, and just all lean on them thinking that they've got it. I think this is a. Every single person who is a director needs to be fully qualified to understand all of the elements of cyber security and they need to continue that education. That's not a one and done, right.
Dave Tyson (16:57):
Yeah, absolutely. I mean it is a, it's a as the technology evolves, and I mean what we tend to see a lot of is AI this, or machine learning that, or you know OT that, you know it's this. It's this buzzword bingo. But that doesn't. That allows you to talk out loud about it, but it doesn't let you understand. How do I change my company's risk management approach when we're going to do that acquisition? How do I think about the potential risks of going into a new market? Right, these are all things that that.
So what do you think the appetite is? And I'll give you an example, a specific example. So recently, for the first time, we've seen a corporate officer of a firm convicted criminally for, you know, for failure to disclose a cyber incident. The CEO in this particular case escaped the limelight, but certainly has changed the view of many in the country in terms of their responsibility to both understand the obligations and there are many, because there's a lot of government agencies have gotten into the swing of it. But what do you think about that in terms of do you think that the boardroom understands that it's in their best interest to learn this better?
Meghan Juday (18:22):
I mean, I think just it's the situation if you don't know what, you don't know right and you don't, I think there's just kind of some naivete of, oh, what won't happen to us? Or you know we're small, we're not a target, you know we're not on the, we don't make front page news, therefore no one's going to notice us. I just think there's some naivete there. And I'd say also I mean, you know we were talking earlier about family businesses and private companies, and although there are some massive family businesses and private companies, there's also a lot of, you know, sub hundred million dollars in revenue a year, and I think that they're not less vulnerable. They just have fewer resources right, and so I think it becomes this you know pragmatic and practicality. If you only have this many you know capital resources to deploy, where do you put it? And are you bringing on another full-time person to help you manage this risk? And I, you know, et cetera, et cetera, et cetera.
So I would say directors really need to be top, top, you know really kind of top form when it comes to cybersecurity, because sometimes that, especially if you're a smaller, smaller company, that may be your only cyber experts you have are the ones in your boardroom. Right, you may I mean you may be getting reports from the IT manager and you know, not even a cyber expert. They have a lot of other responsibilities in keeping you know servers up and stuff, but that doesn't mean that because the company doesn't have the resources to deploy extensively, it doesn't mean that the directors also then can lag in their skill sets. I think it becomes even that much more important.
Dave Tyson (20:09):
Absolutely. I mean because the bad guy actually loves the fact that you, that that investment hasn't been made. Yeah, because if you've got something of value, they're quite happy to relieve you of it and probably not tell you about it in the process. Right, right, um, certainly we've seen a number of organizations who've done acquisitions and and then come later to realize that their intellectual property is actually gone.
Meghan Juday (20:35):
Yeah.
Dave Tyson (20:36):
Right and it's sad, but it is a case of there. There is an obligation now to understand, in due diligence, that you know, historically, a lot of acquisitions, it was kind of last to the dance. Yes, they were a line function with, sometimes with HR and others who got told, by the way, we're doing an acquisition, you haven't been allowed to be in the process, but now make it all happen and at that point it's a little late. Right, price has been negotiated, all the leverage is gone, right, and whatever the costs are. You see, you know the purchase of of Yahoo was a perfect example where there was a billion dollar hole in the balance sheet that didn't understand right from a cyber perspective. So you see a lot of this kind of stuff. What do you think, because the industry has a lot of different people talking about this problem, what do you think the industry has to do to help boards when board members get better at this?
Meghan Juday (21:32):
Gosh, um, I think. I mean, I think it just kind of goes back to well, a couple. I have a couple of things you mentioned earlier. Boards don't turn over very, very frequently and you sometimes will get directors who are on four, five, six, seven, eight boards. Yeah, are they going to set aside time to do their cybersecurity training? Probably not. They probably are so so booked, you know, between their boards, plus whatever you know vacation time with their families. Like, forget it, they have no nothing left. And I'm not. This sounds hyperbolic and not and sounds discharging, and I don't mean to be, but it's just an example and I'd say there's a couple of things that can be help help remediate this issue.
One is get directors who are hungry. Right, you have somebody who's been on a board. They really they have this sense of like, well, I've seen it, I've done it, but they've seen it and done it for 20 years and the landscape from their first board role 20 years ago to the landscape of the board roles today is completely different. Would you agree? Oh, absolutely yeah, just in terms of the levels of responsibility, the topics that are coming up. So I would say, if you have directors who are hungry and understand the fiduciary responsibility and the risk of getting it wrong. I think you're far more likely to create maybe a little bit of fear, or enough fear, so that they're then motivated to continue their learning.
I, over the last three years, we've changed out four directors and I would say that the new directors we have are far more again, no disparagement intended, but they're very enthusiastic. They're super zeroed in on our company. They're also not on multiple other boards, they're all, they're only other board or one of two, and so it's not. They have full-time jobs and they're so. They're in it every day. Plus, they're bringing it to the table and I would say bringing in, bringing in diversity and also, you know, both from experience and from demographics, I think can really make a difference in terms of experience and bringing in some younger directors who really do understand, you know, more digital natives. Born digital guys, yeah. They're born digital right, so I think can actually make a huge difference.
Dave Tyson (24:11):
Yeah, there is a lot of talk in the industry, in the CISO communities, a lot of trends. A lot of CISOs think that they should be on boards, they should be for organizations that their central value proposition is technology or it is heavy intellectual property or a lot of complexity around that. They, you know, they will tell you that they think that the answer is just put them on the board and they will hear the talent, because it will take you 10 years to train board members who are probably going to turn over anyway and they say hire the talent. You think that that's realistic?
Meghan Juday (24:49):
Oh, it's okay. So first, yes, I think the classic you were mentioning, you know, board perspectives and how they kind of look. All the same, we're looking for a C-level person with our industry's experience who, right, can get us a network or has banking relationships or whatever that thing is. I think that the days of staffing your boards with C-level or with the CEOs or CFOs really should be gone. CEOs, I think every board should have one CEO at least just to be, you know, a sounding board for the company. CEO, you probably need a CFO to run your audit committee, but I think that's like two out of how many spots, right? And then after that, absolutely, I think, especially if you can't afford, if your company is not complex enough or not big enough for you to have your own CIO or C-SO, absolutely you should bring one in. That's kind of cheap advice.
Dave Tyson (25:49):
It really is. I mean, we always say in the industry that if you do it right up front it's 10 cents on the dollar. Kind of fix it later right, that's your old adage. But it is true. I'll tell you that the places I've worked, the places in many of the places I've consulted over the last 20 years, there are some aspects that are absolutely true. I mean, you walk in the door, you look at a huge spend that's been done to secure the environment and maybe 5% of that has translated into value. So they bought all the tools, they bought all the equipment. They've got some people who know how to run it. Maybe they've outsourced some of it. But you go to them and you say, oh, you've got this antivirus software on your computers. What percentage of that defense is actually running? And they'll say, well, we've got about 5% running. That's why?
Meghan Juday (26:44):
that's why that.
Dave Tyson (26:44):
Okay, so you spend X amount of dollars and you're getting 5% return on that and you're getting all these risks that could be stopped by that. Why'd you turn it off? They say, well, the business didn't like that it was running because it restricted them. So who had that conversation? Because I tell you, the board doesn't know about that, right. Except that in the world we live in now, it's starting to move closer and closer to the board being accountable for that loss. And so the interesting part is it's not and I've said this a few times the amount of money you spent has absolutely no relationship to how much protection you get. You could spend in most organizations that I've worked in, you could probably spend 10% of what the big four accounting firms tell you and get more protection. If you deploy it smart, on the priorities of the business, then it tends to be we've got to try to solve every problem.
So it's an interesting world we live in, where many of the regulations that were well-intentioned have driven us to spend a lot to manage a really small amount of risk in reality. So getting more expertise in the boards, I think, is a good idea, whether it's a CISO or somebody who understands risk management, because my general assumption is board members by their nature have to be good risk managers. They have to look at a lot of risks across the organization but it does seem to be heavily weighted to. It's got to be enough finance people in the room or finance people who could stare at balance sheets and go, yeah, there's a problem here we need to fix that, yeah, I mean this is my philosophy.
Meghan Juday (28:29):
I don't want any of my directors to power down because we're not talking about their area of expertise, so I want everyone to. They may not be able to all talk like a CFO, but they need to understand what the CFO is saying and make meaningful contributions to the dialogue. And same with marketing or cyber or ESG or whatever. I want my directors to be well-rounded and then also have an area of expertise where we're trying to move the business. And so I would say that's just the one risk of having a CFO who may not be able to contribute or any, not to pick, even pick on them, but any specialist who isn't going to be able to contribute to the entire dialogue.
But if that's the case, then there's no reason and this is one of the things we've talked about on our board is really thinking about how do we bring the experts into the conversation while not requiring them to be fiduciaries, because maybe they're not well-rounded and can contribute to all conversations. So there are options of bringing in advisory board members and having them sit in your fiduciary board, but they're not fiduciaries and they're not obligated to be or required to talk about the whole conversation, but they're there to add their areas of expertise and I think that is an excellent way of bringing in those specialists who are there to support a very strategic perspective of your company and still keep the fiduciary nature of the board intact.
Dave Tyson (30:17):
It's interesting because the one thing that I've noticed is running security for some large companies, both public and private, is that CSOs, by their nature, are one of the few functions in the organization who touch every aspect of the business. There are very few outside of, maybe, finance that really touch every aspect of the business, everything from supply chain all the way through the customer, and so they tend to be pretty well informed in terms of the pulse of how the organization is reacting and changing, whether it's unhappy employees who become an insider risk or third parties that may have been not meeting their contractual obligation to protect intellectual property or any of those kinds of things. So it is one of those fields that I think does, whether it's as an advisor, which makes a lot of sense.
One of the interesting trends we've seen in that space is that some CSOs are starting to refuse to take that title. They're refusing to take the CSO title because there is now a stigma. I don't know if you saw there was a Wells notice issued by the SEC to SolarWinds. The Wells notice basically takes the CFO and the CSO from the SolarWinds attack of a few years ago and say we're going to investigate the way that that went. And so what you see is, between the Joe Sullivan case in California we talked about earlier, and this and a few other things, CSOs are saying, you know what, being the CSO has a lot of liability, and so your point about making them advisory whether it's them or somebody else might be a more attractive option, because they can turn up to a board meeting and they can probably contribute fairly broadly in terms of anything that even smells like risk or operations, so that's actually a really interesting idea.
So when you think about where the conversations you have with board members, you know, is this something that's on their mind? Is this idea about getting better at cybersecurity reached its time yet, or is it still something that is? Yeah, we know we got to get there, but I'm really busy right now.
Meghan Juday (32:45):
Well, I would say, generally speaking and not even speaking about our directors, but about directors in general I would say there is some interest, but I don't think we've reached the zenith yet and I think there's going to be a lot of hard lessons learned, maybe some dramatic ones, before it really starts coming into the boardroom in a very substantial way. You know, it's that kind of innocence which is kind of cute. I was like, you know, it's like, oh, we don't have to worry about that or whatever, and I mean I just think it's one of those things that it's going to take time and there probably are going to have to be some more dramatic headlines or maybe some more personal dramatic experiences.
But I think the biggest issue is that maybe not that others don't recognize that this is a problem, but what do they do? I feel like that's the big question. That is, if you have limited resources, if you have all these other competing priorities, you've got to make capital investments. How do you do it in a smart way? And I don't think that a general director has the ingrained knowledge to be able to advise companies or management team on what to do or where to find that support, and I think that's the really the biggest challenge. It's not that they don't know. It's like they know the risk is there, but they don't know how to address it.
What?
Dave Tyson (34:30):
do you do with it?
Yeah, right.
Meghan Juday (34:32):
What do you do about it, right?
Dave Tyson (34:33):
You just told me all this black cloud stuff. Now what do I do?
Meghan Juday (34:37):
So I think there probably are questions being asked in the boardroom, but again, this is my example of if you ask a question about cybersecurity because you read an article or you took a class and you talked to the CIO or whoever's running the cybersecurity program, how do you know what's a good answer? And I think that's what's difficult. That is, what's really difficult about this environment today is that it is very technical and there are a lot of really smart directors in the boardroom today, but this is an area that's really out of their depth and especially if we're looking you were mentioning earlier just around the slow turnover in the boardroom. Average age of boards is probably higher than one would want and again, very generally speaking, but they didn't not grow. These individuals did not grow up in their board experience with needing to have these conversations.
Dave Tyson (35:40):
Yeah, it's an interesting evolution that has to happen because from my side, what I see is and not to pick on the big four and I tend to use them a lot as an example but there's a lot of commoditization in business as it grows to get scale, and our industry is the same IT, cybersecurity and as organizations get bigger, it becomes more about. As an advisor, I want to get butts in seats with my clients so I can be there and drive billables, and in many ways, I'm incented to not solve the problems immediately, whereas at the board level, the last thing you want to be doing is dragging this stuff out forever. You want to monitor, but you want to have a solution that makes sense and enables the business and then be able to monitor the results and the investment, and I think that there has to be a better solution.
I know that I've certainly thought about it and saying how could we create something that a board member could use to get the answers to those questions and be able, to a certain extent, pressure test the information they're being given, and I think that's something that we're going to continue to work on to be able to offer. That is, how do we help board members be able to go to a place to get the answers without having to go get a master's degree in cybersecurity because they've got to manage a lot of risk.
Meghan Juday (37:19):
It's also
unrealistic, and that also I
mean.
Part of what you're doing in the boardroom is assessing the
senior management team, and if you're a member of your senior
management team, it's saying things you literally do not
understand.
How are you Is that good?
(37:39):
Is that good?
Are they really smart?
Have you been able to do your job as a fiduciary?
I think that's just the big question and the world's
evolving really fast.
The boardroom moves a little bit slow and I think it just has
resulted in, just now, a really big exposure for all directors,
(38:07):
and I don't think there's general knowledge of the risk of
having cybersecurity issues just close to you and then not
following up on the issue get resolved.
Dave Tyson (38:22):
We talked about this
before and you gave me some
advice, but I got to put it on camera because this is a really
interesting thing.
So there's this assumption that makes me crazy in our business,
which is it's not if, but when you get hacked, which is, in my
(38:44):
opinion, not helpful because it takes away the assumption that
you can do something about it, and you absolutely can.
There are solutions, there are abilities to get in front of
this stuff, and for those who say that's not true, I would
suggest that they're incented by that.
(39:04):
But with that said, if you think about this whole idea
around getting expertise and getting in front of folks and
being able to share information with them, one of the challenges
we've seen in the marketing side of the house is the
industry.
You've got 3,000 companies in this country that are all
(39:26):
pushing messages at every audience, whether it's the CEO,
the board or anybody else, and they struggle to wade through
this massive amount of data.
So even if you can get an information to boards, they're
probably swamped with so many different opinions that have
different agendas.
It's hard to wade through and know what's true, much less come
(39:49):
up with a strategy if it's successful, and so we have a
responsible disclosure program that I told you about, where our
threat intelligence team detects a threat that's in
development and you're going to be ransomware in three days and
here's where it's going to come from and here's how you stop it.
And we reach out to the company and they won't return our call
(40:12):
and then three days later, you see them get ransomware.
And it's sad, it's very demoralizing, but everybody
we've talked to has said well, they've been marketed to so much
they don't believe anything anymore. To me,
I don't know how we get over that problem, and I've asked a
lot of people this question.
(40:33):
But it seems like this idea that it's not if but when has
created a scenario where people have just tuned out the reality
that you can do something about it.
And so do you think that the amount of information that comes
at directors in general is just so overwhelming across all the
subject matter areas that it makes it difficult to get the
(40:54):
message through?
Meghan Juday (40:55):
Well, I think
there's some.
It's trying to find those trusted sources.
So when you think about financial advisors who sell
products versus financial advisors who provide a service
and then you go choose what you need, I mean I think that's
really the difference, right, I mean I've been or someone who's
assessing your insurance needs and then also wants to send,
(41:17):
sell you the policy, like all right, how good was that advice?
And not to say that there's, there isn't a lot of great
advice being provided, but I think that's really the big
question.
I wonder if there aren't services out there that people
could subscribe to, where there, you know, you're just getting
the data and you're not going to get sold to them.
(41:38):
You know, right.
The next thing, because I think that's, I think it's just
finding those reliable sources and also recognizing that you
know again, I think it comes back to also the board really
understanding what those people are saying to you Also.
Dave Tyson (41:59):
Yeah, that's a
challenge because, because you
think about there's manufacturing, there's finance,
there's technology, there's legal, there's all these things
right, and it's a lot to to cumulatively for me as a risk
person.
I look at here's the business situation.
I know what questions to ask and what we're likely it's going
(42:21):
to end up anyway, because you've seen it a thousand times.
And I think, like every subject matter expert, right, they can
do that Right.
And then the role of the board is to look at it cumulatively
across all of the business and say here's the right thing for
us.
We'll take that risk.
We won't take that risk, you know, and I think that that is
the subject matter experts.
(42:41):
You know, I think you make a great point, which is how do I
get a good opinion in front of you without it being a sales
effort, Correct, Right?
And I think that is that's a challenge.
I don't think that that truly exists in its pure form, but
it's interesting.
Meghan Juday (42:59):
I mean, wouldn't
it?
I mean, wouldn't that be thething to do?
Is you have?
You know, you just have a subscription service, but we'll
just let you know when it's coming down the pike and you can
determine how to proceed.
Right, there's no add-ons.
Dave Tyson (43:16):
Right, yeah, there's
no click here to buy it.
Yeah, yeah, yeah.
Meghan Juday (43:19):
You can like
you're no upselling, but then I
think you know, I think that would actually probably be
really helpful because again, there's this concern, you know,
especially with all the IT investments that are happening
today anyway, and you know, now people are like freaking out
about AI, but I think that if they knew where to focus those
(43:42):
investments based on real data, not versus, you know what
someone's trying to sell you, right, right, do you want the
undercoating on your new car?
Dave Tyson (43:52):
Like do you want the
insurance at that point?
Meghan Juday (43:54):
Yeah exactly right.
So I think that's really the big, I think the big question.
Dave Tyson (44:00):
So we're talking,
maybe a little bit like the
Consumer Reports, for a cyber threat. Right.
Meghan Juday (44:05):
I think people
will go for it and I don't think.
And then people would know really, how do you?
You know, then they would know you know where do they need to
kind of ramp up, especially if we're talking, you know, those
smaller private companies that don't have you know vast IT
departments who are.
You know CSOs and everybody, you know all of the whole team.
(44:27):
I mean, wouldn't that be nice, yeah absolutely.
Dave Tyson (44:32):
I mean the when you
think of it, because we do
interact with a lot of $200 million companies and we always
say that you know most businesses start considering a
CISO around, depending on their risk profile, around a
billion dollars.
Meghan Juday (44:46):
Yep.
Dave Tyson (44:46):
Right, that's about
where we start to see it happen,
unless you're in medical research or something else, but
typically that's where we start to see it, but there's.
I was quite surprised to learn that there are thousands of
firms in the United States under a billion dollars in revenue,
many of them privately held.
(45:06):
Yes, thousands, yeah.
And so you think about that,that every one of them is a
target in one way, shape or plan.
Meghan Juday (45:15):
And that probably
almost none of them have, you
know, deployed all the resources required, and for companies
half that size, because they have other priorities. Right.
Dave Tyson (45:25):
It's interesting,
though you know you think about
the if but the.
There's a certain amount of spend that goes on in every
company.
Is it really?
Well, we need to have email and we need to have computers and
we need to have these things.
But if they had good advice up front, they could minimize the
spend and make it more secure from the beginning.
(45:48):
So some of those problems would never show up.
Meghan Juday (45:51):
Yeah, I think
that's the way to do it.
Dave Tyson (45:53):
You know.
I mean, it's interesting, one of the things we talk about all
the time in our industries.
There's this assumption that everybody's going to get
ransomware.
Right, there's, ransomware is going to come up.
And I say, well, you know, there's actually technologies
that are kind of impervious to ransomware, that you can use
those things.
You know, but nobody asked that question.
Well, if we're going to build it, why not build it in a way
(46:13):
that's more secure?
Doesn't show up in the strategic conversation.
I say to you know, think about a board thinking about M&A.
Hey, we're going to.
You know, I've done 35 major acquisitions in the companies
I've worked at and you know they go and say, oh, we're going to
buy this company in Romania, Great company, Okay, cool.
(46:37):
So here are the security risks for Romania.
And if you operate it from Hungary instead, you know and do
all your call centers and all that from there, your cost of
security goes down by 80%.
They're like, wow, okay, I didn't understand that.
You know, will that change how you negotiate and what you're
willing to pay for it?
(46:58):
And, by the way, what about the intellectual properties?
Do they actually still own it?
And all of these kinds of things.
And I think that there is value that can be captured by
organizations by engaging further in those discussions,
because, you know, we see these statistics every day and we
probably see a dozen companies auctioned off for sale in the
(47:20):
dark web every day, right, Every day, and we try to.
We try to.
You know, there are a lot of mission focused people and we
try to alert them.
When we try, I did five this morning, before we got here to
this interview, just reaching out to CTOs and CIOs going, hey,
just let me send you the document, just so you, you know,
(47:41):
not trying to sell you anything, and I think that you know, as
this volume continues to grow, it's our one of our board
members, John Waters, who recently was the president of
Mandiant they sold it to Google and very, very smart guy said to
you know, he said to me one day he says you know, look, if you
look at the risks and the amount of losses that have occurred in
(48:07):
the US market over the last, you know, 20 years, Go back to
2010 and use that as a benchmark.
And you came through and said, okay, 2020, where maybe 1.3% of
global GDP was lost.
And to cyber attacks.
And if you, if you, trend that out to 2030, you're talking
(48:29):
about 3.5% of global GDP.
Now that's the economic impact of COVID every single year going
forward.
That in itself should get a board interested in this as from
an economic reality, Because in my humble opinion, the people
who are going to bear the costs of that loss are the people who
(48:52):
are least prepared to defend it.
I mean, do you think that those kind of realities of the cost
to economies in general is understood at the board level,
or you think that's more?
We need more education around these these lot, because it's in
the Wall Street Journal, right.
Meghan Juday (49:07):
Everybody reads it.
Yeah, now I would say no.
I definitely think there needs to be more education, there
needs to be more awareness, there needs to be and I would
say the conversation needs to be had in ways and kind of, you
know, layman's terms right.
Because that's the other thing is that you know there may be
(49:29):
this information, may all be available, but how do you like
can people read it and understand?
You know what they're saying, so I think that's kind of the
other big issue.
Dave Tyson (49:41):
You know that
brought up two thoughts for me.
The first is are boards good at asking for what they need from
their subject matter experts?
Do you think?
Meghan Juday (49:55):
I mean, I think
that, no, I think absolutely
they do in matters they really understand.
So you know you always bring in a comp expert every year to go
through exec comp or you know you always are bringing in your,
you know outside professionals who run your board evaluations
or your CEO evaluations, you know.
So I think there are, I mean there are a lot of third parties
(50:15):
that will come in and advise and you know, bringing in you
know some real outside expertise.
But I'll say that that's not.
You know that's certainly in the boards that I've served on I
haven't seen.
You know you've seen the comp experts.
You see the governance experts.
You see tax experts.
(50:36):
Have you seen the security expert?
Dave Tyson (50:39):
That speaks, that
speaks.
Meghan Juday (50:41):
Right, right.
Dave Tyson (50:42):
I mean.
No, this is my humble opinion.
It's a small number of my, you know compatriots who have gotten
proficient at business language.
Meghan Juday (50:55):
Right, and so
you're bringing in, you know, so
you have your audit teams are coming in and reporting to the
audit committee, but, you know, do you have your you know, third
party security folks coming in and giving you just kind of
updates?
No, like that's not conversations that are happening
today and I think that's really really good, really good point
(51:15):
and probably needs to be, as you know, as common if we're
spending all this time talking about, you know, internal audits.
Right. Are we like, are we doing.
Dave Tyson (51:26):
Which is not
managing much risk, right.
Meghan Juday (51:28):
I mean right, you
know, in the end it's all the
right things to do, and I'm not knocking it, but at the same
time, then you know, why aren't we having these, these broader
conversations?
Dave Tyson (51:38):
Well, I mean, you
know everybody drives down the
road every day and there's speed limit signs and you wouldn't
want to live in a world without them, right, right, and you
wouldn't want your teenager on the road without them.
It's kind of like compliance to me, right, you wouldn't want to
live in a world where there isn't an audit process and a
compliance program and those kinds of things, but that that
(52:00):
in itself is not the panacea of protecting the organization.
Agreed, right?
My last, my last sort of question before we close up
would be around, if you think about how management teams are
incented. Right, CEOs especially, but others around, progress of
(52:25):
the business, overall results, growth, any number of other
things. In some organizations, you know, I've seen where there
was somewhat of a disincentive to talk at the board level or
allow conversation at the board level about things that were the
the baby's ugly, as it were, and if you think about how the
(52:48):
risk is changing.
So here's the inside story.
My personal record is having my presentation to the board
filtered 52 times before I was allowed to present it.
What?
52 times between the executive team and and I.
In the end I refused to present it.
Smart, it's your presentation now, not mine.
(53:12):
It doesn't actually tell them anything, yeah.
And so they said oh, I just go back to what you're going to do,
but the pressure on CISOs to Pretty it up for us.
Pretty it up and to change the language that's not
confrontational or in any way controversial is very
significant and in many cases well, as we saw with the Joe
(53:35):
Sullivan case they often end up paying the price for it.
The average tenure of a CISO for the last 10 or 15 years has
been between 17 and 24 months on average little little longer in
the privately held business, but it is not.
They get hung with the compliance failure a lot.
(53:55):
Yeah, so I guess the question that I've got and I've done a
lot of research on this, but it is do you think that the role
for governing cyber security between the board and what the
management team's responsibility and obligation is is clear or
clear enough the difference between yeah, so it's.
Meghan Juday (54:16):
I mean, I think
this is.
I really feel like this is a delicate balance, because I want
to know the truth but I don't want to beat anyone up about it.
It's just facts.
We can't do anything about it unless we know, and so I really
tried to take the approach.
And you know, I mean, I'm in boards that are very congenial
but honest.
(54:37):
So it's not, you know.
You know put something stuff under the rug, but I've really
made a point of trying to.
You know, especially if you're getting stuff like this, a work
in progress, we're not where we want to be and, of course, in
cyber you're never done, there's no like you know, no, all your
guys are not going to turn green, I'm sorry to say like it's.
(54:57):
That's just life.
And so I I really do try to remind the board, as we're
coming into these conversations, that this is a work in progress.
We want to know these are, it's important to disclose and, you
know, if there are material issues we do need to follow up,
but it's only just to close that governance gap.
(55:20):
It's not for, you know, punishment or anything else, and
I think that some really trying to take that perspective, I
think, makes people feel, you know, feel more comfortable and
being honest.
But I and I would also, you know, if there were a director
ever was kind of trying to, you know, go too far with how did
(55:41):
you let this happen?
Or the equivalent, I would intervene because I don't think
that's that's appropriate, and it's not only.
It doesn't engender trust, which is a huge, a huge issue between
the management team and the board.
People have to know they can come in and tell you the truth
and you're there to help them when you're not there to beat
(56:02):
them up, and so that's, I think, a lot of the board dynamics
that we've we've been working on in our board is really just
trying to make sure that the management and board has a very
strong working relationship and that they know each other and
can trust each other, and we put a lot of stuff in place so we
can do that.
Because you want the, you want the management team to walk in
(56:25):
and think this is the only place on the planet where everyone is
here helping me be better.
It doesn't mean it's all the messes are going to be awesome,
but they're there to make you better.
It's not, you know, beating up for recreational purposes or
anything else, but I think that's.
I think it's tragic that a CEO would ever feel like they had to
(56:50):
tailor something for the board.
If they, if there ever is that instant, it would mean either
one of two things you have the wrong board or the wrong CEO.
Because I mean, what's the if everything's going to be
whitewashed before it gets into the boardroom?
What is the purpose of having a board? Right?
Dave Tyson (57:11):
Yeah, that's a great
question.
That is a great question.
Well, so you know.
To wrap up, I guess you know you've got a lot going on.
You're on a number of boards, you've got the Lotus Forum, what
you know.
What's next for you?
What's the next?
You know the next challenge for you?
Look like you've got your own company, which has got a huge
amount of history and and and doing very well by all accounts.
(57:35):
What's the next few years?
Look like you.
What are you going to focus on?
Meghan Juday (57:39):
Oh my gosh, I
always have a long list.
I'm a like an inveterate learner.
So I just finished my ESG certification.
I was at six month program.
I thought I was going to die.
I should take in a test in years.
But it was good, it was a great experience and I feel a lot
more prepared to really kind of embark on that journey with our
board and our company.
(58:03):
Finishing up a risk class, I'm doing a separate class Nice,
hopefully we'll do that soon.
And then, you know, after that I just kind of a bunch of.
I really think it's very important to for continuous
learning to just really stay fresh, and I think as board
chair I feel an obligation to really be kind of on the leading
(58:25):
edge of where, where I need and want the board to go, based on
where the company's advancing.
So I think there's going to be a lot of a lot of work in that
area.
So Excellent.
Dave Tyson (58:38):
Well, I want to say
thank you very much for taking
the time to come down here.
I think that your advice is going to help so many people out
there to understand this issue.
It's rapidly evolving, so thank you very much.
Mark Havenner (58:55):
This has been
Executive Cybersecurity with
Dave Tyson, a production of Apollo Information Systems.
Visit us at Apollo dash iscom or, if in Canada, apollo dash
isca.
Thank you for listening.