Executive Cybersecurity with Dave Tyson

Steering Through Uncertainty: A Board Chairman's Journey in Governance and Cybersecurity

February 13, 2024 Dave Tyson Season 2 Episode 2
Dave's latest conversation with Meghan Juday, the Chairman of the Board at IDEAL Industries, charts a course through her extraordinary ascent from pre-med uncertainty to corporate governance advocate.

As technology entwines itself ever more intricately with the fabric of business, the specter of cyber threats looms large. Meghan and Dave dissect the importance of fortifying cyber defenses within the boardroom, not just the server room. This episode delves into the stark reality of legal repercussions for cybersecurity lapses and the imperative for directors to continuously arm themselves with knowledge. They shed light on the unique vulnerabilities of smaller enterprises and the pivotal role industry support plays in elevating cybersecurity expertise across boardrooms everywhere.

The discussion spotlights the pressing need for boards to evolve, drawing in digitally native and deeply focused directors who can navigate the multifaceted risks of our age. From the potential of CISOs in the boardroom to the art of risk communication, our dialogue emphasizes the intricate dance required in governance—one that fosters a culture of transparency and support.

Mark Havenner:

You are listening to Executive Cybersecurity with Dave Tyson. In this episode, Dave is speaking with Meghan Juday, speaker, author and family business and company governance advocate. She is the Chairman of the Board of IDEAL Industries, a family business in operation for over 105 years and in its fifth generation of ownership.

Dave Tyson:

How's it going, Meghan? And how did you get to where you are? How has your career progressed?

Meghan Juday:

Well, I started off really with no plan, so I'll just start there. I had no idea what I was going to do. I went to college with a firm belief that I would go on to get my master's and then figure out what I was going to do. After I graduated, I spent a year abroad, just kind of learning French and really wanting to experience a new culture. And then I came back, did my pre-med requirements to try to get into med school, and then there was just a moment, when I'd finished all my requirements, where I realized I can't be a student for, whatever, seven more years. So I just kind of cracked from being both poor and stressed all the time and just recognizing that that wasn't really going to change. So I opened a newspaper, which is how you looked for jobs back then.

Dave Tyson:

I didn't see that on your resume.

Meghan Juday:

I know, I know, I know, but it basically led me to a job that had both French and kind of medical background experience requirements, and I was like, well, that is my job. And that was the job where I actually met somebody who introduced me to my husband, and she also introduced me to somebody who got me my first kind of real big job. And so I went and worked for Computer Sciences Corporation. I did that for about five years and just worked at DuPont and DuPont out and Covax and some of these massive organizations, and it was such an excellent experience. I loved it. It was so fun, really getting to know other people and getting to know other businesses so intimately and just learning all about organizational change and dynamics and project planning and stuff. So it was kind of the best foundation anyone could have, especially after that kind of slow start.

Meghan Juday:

But then what happened was, having met my husband during that timeframe, we got married, I was pregnant, and I realized there were no women between the ages of 30 and 45 at this consulting firm, certainly not at that time. They hadn't figured out how to do remote work, they hadn't figured out how to do job sharing or part time, and so I was really kind of forced to leave, if I wanted to spend any time with my son. So I was planning on taking a year off, and then, within probably three weeks, I got a phone call from my father, who was chairman of the board of IDEAL Industries, which is a 107-year-old (now, I keep losing count, it keeps changing) family business, and he asked me to just come and work on this small project. As it turns out, that is how most women get involved in their family businesses: they just get asked to do one tiny little thing and then it blossoms into this huge career. So I started working kind of part time, and then I got kind of fully structured roles there, and it was all around governance, which, it turns out, I'm a huge fan of. I love governance, and we'll talk a lot more about governance soon. But I basically did that for about 15 years with a governance lens focused on the family. So I was employed by the company, but the family really was my client.

Meghan Juday:

And then, during that time, that 15 years, I was named to the board of directors, the corporate board of directors, which is a majority independent board. I was asked to form a nominating and governance committee for the first time, was named vice chairman, and then, in February of 2020, which was a good time, those were good times, I was named chairman. So I've been working for the company now for about 20 years, and I have found governance to be one of the most exciting spaces in the business, because you can effect so much change by moving a lot of small little pieces. You can basically change the trajectory of a business, and so it's been a real joy to become a student of governance, as well as somebody who's really trying to implement good governance practices. So it's been great.

Dave Tyson:

Governance is exciting. I don't think I've ever heard that said before, but I'm going to go with you. So you seem to have a real passion for it, and you're involved in other groups. You have, clearly, the Lotus Forum, which is something that you've, you know, initiated and drive. Tell me a little bit about that and what your goals are for that.

Meghan Juday:

So, as I mentioned, I was named chairman in February of 2020. And I had that feeling. There was a moment when they're like, okay, you're it. And I mean, this had been a planned transition. It was planned in the sense that I was given the opportunities; I had to earn it along the way. So this was not, you know, a fait accompli, but having achieved the results, named unanimously to the chairman role, I all of a sudden had this horrible fear, like, oh my God, I can't mess this up. Other people have gotten it right enough over the last, you know, hundred-plus years, and now, of course, essentially it's not only on my shoulders, but I will be blamed if it goes down after my watch. And so I, kind of having had that fear, and then also really only having had two or three weeks before the pandemic hit, and, by the way, IDEAL Industries is a global manufacturing company and we just happened to have had a facility in every single hotspot location in the world. Wow. Lucky, I know. And so, you know, in the beginning, nobody knew how it was transmitted. Was it touch, you know? Was it air? Like, nobody knew how it was transmitted over time.

Meghan Juday:

They didn't know how to care for these employees, and people just care. The healthcare system was struggling so much with this, and, you know, we always put our employees first as one of our values as a company, and it was so horrible to think that, you know, as an essential business, we had to keep the doors open. But, you know, safety is such a high priority for us, and we were just so stressed about how do we keep our employees safe, and then how do you reassure them so that they can come back, and then, you know, how do you support them when they have sick family members and they're the primary caregivers. So it just kind of goes on and on and on. It was a very, very stressful time. And also, surprisingly enough, generational transitions can sometimes be challenging in family businesses.

Meghan Juday:

I don't know if you've heard of this trend, and I was surprised also, given that this had been planned and communicated for years, that there was, you know, walking into the transition feeling like, all right, we've done this properly, then realizing, oh my gosh, there's still a lot of loose ends and fragments and feelings that, you know, people need to resolve. And so all of that was kind of the background for starting the Lotus Forum, and really it was not purposeful. I thought that I was starting a quarterly conference call with two or three other female board chairs, and what happened was I recognized that, okay, so I needed... my thing is always, like, phone a friend, whenever I have a challenge.

Meghan Juday:

Dave, I've called you, you know this. You know, phone a friend. And then I realized I didn't know any other female board chairs, and I thought that was shocking. I didn't realize that it was unique at all to be a woman in the senior leadership role in the boardroom. I just kind of had a, you know, contributor, team member kind of mindset, and then, walking into it, realized that there was a unique gender element to this. So that's when I reached out to my network, asked for introductions, and, reaching out to these women, just said, you know, I want to do a quarterly conference call. Who's interested? And I think I had 12 people say yes. I was like, okay, well, this is not a small informal thing.

Meghan Juday:

Like, this is a thing. And so we've evolved pretty substantially. We're an international peer group of women in board leadership roles, so it's chairman, vice chairman, lead director, and then committee chairs are also welcome, because we really see all of these... It's unique to have a woman in a leadership role in the boardroom. I mean, this may sound not very nice, but I do believe that, although companies are really transforming their businesses and you're seeing a lot more women in senior executive roles, you're not seeing a real substantial change in the boardroom, and I think it's just kind of the final frontier. I think we'll get there.

Meghan Juday:

We have seen a lot of changes over the last couple of years, especially as there are organizations and governments that are insisting on gender parity, or certainly more gender diversity, in the boardroom.

Meghan Juday:

So we are seeing some changes, but I think it's going to take a little bit of time, especially because there's a slow turnover in boards. And so, having started the Lotus Forum, now we're really focusing on both how to be a great board chair, and just all the dynamics that are happening in the board meeting and all the work that needs to be done prior to when everybody walks into that room, for it to really add strategic value to the company.

Meghan Juday:

But then we also really spend a lot of time talking about what is on the board agenda today that your directors, or you yourself as a board chair, may not really understand, but you have a fiduciary obligation to oversee it. And so that's when we even brought you in last year to talk about cybersecurity and how do you create a great oversight program. And I think the biggest challenge we have is, as we're building these oversight programs, I think there is still an issue of directors really not knowing: if your entire cybersecurity report is all red, is that still good? You just don't know. And so I really think that happens also in enterprise risk management, DE&I, ESG, all these kind of big items that are coming up on the board agenda today, and I think some directors are a little bit behind in terms of having a real robust understanding of those areas.

Dave Tyson:

It's interesting. You talk about the directors' awareness of the issues and what to do about it. I mean, if you look at the trends that are impacting the publicly traded side and, to a certain extent, through different regulatory agencies, there seems to be a general trend around getting more understanding of that risk management at the board level, and in some cases, certainly on the publicly traded side, looking at what the SEC has done recently, it's sort of starting to accelerate that trend. Right, they're looking for boards to be not only informed but actually have risk monitoring in place, having expertise on the board in this space. So when you think about, you talked a little bit about the percentage of women that are on the board, there seems to be a need to evolve the board composition. Because, I'll tell you, I've seen a lot of board job opportunities, and it's almost identical in every one of them, which is: you've been a finance person, you've worked in our industry, or you can make introductions, right? And not a single one of them I've seen says you understand risk management, you know cybersecurity, and the entire value chain of our business wraps around being able to operate, protect our intellectual property, or, we're going into China, what are the new risks that we're creating?

Dave Tyson:

There seems to be a gap in how boards recruit in many ways.

Dave Tyson:

But just one person's opinion.

Dave Tyson:

But, you know, one of the things that I'd love to get your perspective on is, you know, for the last number of years we've seen everybody, from the World Economic Forum to the NACD, other groups, who have all come out and done surveys, the big four accounting firms, have all said cybersecurity is, you know, on the minds of board members, on the minds of CEOs, it's in the top five worries that organizations have from a risk management perspective.

Dave Tyson:

Yet, you know, my experience has been that for cybersecurity, at best we might get 15 minutes once a quarter on the board agenda as a regular practice, and it's just a tactical review of what the audit committee said. And maybe the CISO gets in the room, if they have one, and he or she runs through a prescripted, you know, filtered set of information that the boards love to get. But the interesting part is, if the direction is holding board members accountable for managing that risk through their governance program, you know, what do you think the model is going to have to do to be able to get them to that place? Not only do you have to change the composition of the board, the talent of the board, the access to information. I mean, that's a big move.

Meghan Juday:

Yes. So I mean there's a lot in your question, but I think the biggest issue is that the people putting together the agendas, the general population of directors, do not have a robust understanding of cybersecurity. And I think that, you know, as I've learned from you, I mean really a lot, and just wanting to educate myself in other ways, I've really come to learn that it's not just one person's responsibility to understand cybersecurity in the boardroom. We're all fiduciaries in there.

Dave Tyson:

Absolutely.

Meghan Juday:

And it's such a big issue, and there's so many angles to it, and there's so many potential impacts to your business. There's no way that you can just rely on your, you know, CIO, your CISO, or your, you know, CFO director who's had some experience in their other company, and all just lean on them thinking that they've got it. Every single person who is a director needs to be fully qualified to understand all of the elements of cybersecurity, and they need to continue that education. That's not a one-and-done, right?

Dave Tyson:

Yeah, absolutely. I mean, it is, as the technology evolves, and what we tend to see a lot of is AI this, or machine learning that, or, you know, OT that. It's buzzword bingo. That allows you to talk out loud about it, but it doesn't let you understand.

Dave Tyson:

How do I change my company's risk management approach when we're going to do that acquisition? How do I think about the potential risks of going into a new market? Right, these are all things that... So what do you think the appetite is? And I'll give you a specific example. So recently, for the first time, we've seen a corporate officer of a firm convicted criminally for, you know, failure to disclose a cyber incident. The CEO in this particular case escaped the limelight, but it certainly has changed the view of many in the country in terms of their responsibility to both understand the obligations, and there are many, because a lot of government agencies have gotten into the swing of it. But what do you think about that, in terms of, do you think that the boardroom understands that it's in their best interest to learn this better?

Meghan Juday:

I mean, I think it's just the situation of if you don't know what you don't know, right? And I think there's just kind of some naivete of, oh, that won't happen to us. Or, you know, we're small, we're not a target, we don't make front-page news, therefore no one's going to notice us. I just think there's some naivete there. And I'd say also, I mean, you know, we were talking earlier about family businesses and private companies, and although there are some massive family businesses and private companies, there's also a lot of, you know, sub-hundred-million-dollars-in-revenue-a-year ones, and I think that they're not less vulnerable.

Meghan Juday:

They just have fewer resources, right? And so I think it becomes this, you know, pragmatic and practicality. If you only have this many, you know, capital resources to deploy, where do you put it? And are you bringing on another full-time person to help you manage this risk? You know, et cetera, et cetera, et cetera. So I would say directors really need to be, you know, really kind of top form when it comes to cybersecurity, because sometimes, especially if you're a smaller company, the only cyber experts you have may be the ones in your boardroom. Right, you may be getting reports from the IT manager, who's, you know, not even a cyber expert. They have a lot of other responsibilities in keeping, you know, servers up and stuff. But just because the company doesn't have the resources to deploy extensively doesn't mean that the directors also can lag in their skill sets. I think it becomes even that much more important.

Dave Tyson:

Absolutely. I mean, because the bad guy actually loves the fact that that investment hasn't been made. Yeah, because if you've got something of value, they're quite happy to relieve you of it and probably not tell you about it in the process. Right, right. Certainly we've seen a number of organizations who've done acquisitions and then come later to realize that their intellectual property is actually gone.

Meghan Juday:

Yeah.

Dave Tyson:

Right, and it's sad, but it is a case of, there is an obligation now to understand, in due diligence, that, you know, historically, in a lot of acquisitions, it was kind of last to the dance. Yes, they were a line function, sometimes with HR and others, who got told, by the way, we're doing an acquisition, you haven't been allowed to be in the process, but now make it all happen. And at that point it's a little late, right? Price has been negotiated, all the leverage is gone, right, and whatever the costs are. You see, you know, the purchase of Yahoo was a perfect example, where there was a billion-dollar hole in the balance sheet that wasn't understood, right, from a cyber perspective. So you see a lot of this kind of stuff. What do you think, because the industry has a lot of different people talking about this problem, what do you think the industry has to do to help boards and board members get better at this?

Meghan Juday:

Gosh. I mean, I think it just kind of goes back to, well, a couple of things you mentioned earlier. Boards don't turn over very frequently, and you sometimes will get directors who are on four, five, six, seven, eight boards. Yeah, are they going to set aside time to do their cybersecurity training? Probably not. They probably are so, so booked, you know, between their boards, plus whatever, you know, vacation time with their families. Like, forget it, they have nothing left. And I'm not...

Meghan Juday:

This sounds hyperbolic and sounds disparaging, and I don't mean to be, but it's just an example. And I'd say there's a couple of things that can help remediate this issue. One is get directors who are hungry. Right, you have somebody who's been on a board; they have this sense of, like, well, I've seen it, I've done it. But they've seen it and done it for 20 years, and the landscape from their first board role 20 years ago to the landscape of board roles today is completely different. Would you agree? Oh, absolutely, yeah. Just in terms of the levels of responsibility, the topics that are coming up. So I would say, if you have directors who are hungry and understand the fiduciary responsibility and the risk of getting it wrong, I think you're far more likely to create maybe a little bit of fear, or enough fear, so that they're then motivated to continue their learning.

Meghan Juday:

Over the last three years, we've changed out four directors, and I would say that the new directors we have are far more, again, no disparagement intended, but they're very enthusiastic. They're super zeroed in on our company. They're also not on multiple other boards; it's their only other board, or one of two. They have full-time jobs, so they're in it every day, plus they're bringing it to the table. And I would say bringing in diversity, both from experience and from demographics, I think can really make a difference, in terms of experience and bringing in some younger directors who really do understand, you know, more digital natives. Born digital guys, yeah.

Meghan Juday:

They're born digital right, so I think can actually make a huge difference.

Dave Tyson:

Yeah, there is a lot of talk in the industry, in the CISO communities, a lot of trends. A lot of CISOs think that they should be on boards, they should be, for organizations whose central value proposition is technology, or it is heavy intellectual property, or a lot of complexity around that. They, you know, will tell you that they think that the answer is just put them on the board, hire the talent, because it will take you 10 years to train board members who are probably going to turn over anyway. And they say, hire the talent. You think that that's realistic?

Meghan Juday:

Okay. So first, yes. I think the classic you were mentioning, you know, board perspectives and how they kind of all look the same: we're looking for a C-level person with our industry's experience who, right, can get us a network, or has banking relationships, or whatever that thing is. I think that the days of staffing your boards with C-level, with the CEOs or CFOs, really should be gone. CEOs, I think every board should have one CEO, at least just to be, you know, a sounding board for the company's CEO. You probably need a CFO to run your audit committee, but I think that's like two out of how many spots, right? And then after that, absolutely, I think, especially if you can't afford, if your company is not complex enough or not big enough for you to have your own CIO or CISO, absolutely you should bring one in. That's kind of cheap advice.

Dave Tyson:

It really is. I mean, we always say in the industry that if you do it right up front it's 10 cents on the dollar versus fixing it later, right? That's the old adage.

Dave Tyson:

But it is true. I'll tell you that the places I've worked, and many of the places I've consulted over the last 20 years, there are some aspects that are absolutely true. I mean, you walk in the door, you look at a huge spend that's been done to secure the environment, and maybe 5% of that has translated into value. So they bought the tools, they bought the equipment. They've got some people who know how to run it. Maybe they've outsourced some of it. But you go to them and you say, oh, you've got this antivirus software on your computers. What percentage of that defense is actually running? And they'll say, well, we've got about 5% running. Okay, so you spend X amount of dollars and you're getting 5% return on that, and you're getting all these risks that could be stopped by that. Why'd you turn it off? They say, well, the business didn't like that it was running because it restricted them. So who had that conversation? Because I tell you, the board doesn't know about that, right? Except that in the world we live in now, it's starting to move closer and closer to the board being accountable for that loss.

Dave Tyson:

And so the interesting part is, and I've said this a few times, the amount of money you spent has absolutely no relationship to how much protection you get. In most organizations that I've worked in, you could probably spend 10% of what the big four accounting firms tell you and get more protection if you deploy it smart, on the priorities of the business, rather than the tendency of, we've got to try to solve every problem. So it's an interesting world we live in, where many of the regulations that were well-intentioned have driven us to spend a lot to manage a really small amount of risk in reality.

Dave Tyson:

So getting more expertise on boards, I think, is a good idea, whether it's a CISO or somebody who understands risk management, because my general assumption is board members by their nature have to be good risk managers. They have to look at a lot of risks across the organization, but it does seem to be heavily weighted to, there's got to be enough finance people in the room, or finance people who could stare at balance sheets and go, yeah, there's a problem here, we need to fix that.

Meghan Juday:

Yeah, I mean, this is my philosophy. I don't want any of my directors to power down because we're not talking about their area of expertise, so I want everyone to... They may not be able to all talk like a CFO, but they need to understand what the CFO is saying and make meaningful contributions to the dialogue. And same with marketing or cyber or ESG or whatever. I want my directors to be well-rounded and then also have an area of expertise where we're trying to move the business.

Meghan Juday:

And so I would say that's just the one risk of having a CFO who may not be able to contribute, or, not to pick on them, but any specialist who isn't going to be able to contribute to the entire dialogue. But if that's the case, then there's no reason, and this is one of the things we've talked about on our board, is really thinking about how do we bring the experts into the conversation while not requiring them to be fiduciaries, because maybe they're not well-rounded and can't contribute to all conversations. So there are options of bringing in advisory board members and having them sit in on your fiduciary board, but they're not fiduciaries, and they're not obligated or required to talk about the whole conversation, but they're there to add their areas of expertise. And I think that is an excellent way of bringing in those specialists who are there to support a very strategic perspective of your company and still keep the fiduciary nature of the board intact.

Dave Tyson:

It's interesting, because the one thing that I've noticed, running security for some large companies, both public and private, is that CSOs, by their nature, are one of the few functions in the organization who touch every aspect of the business. There are very few outside of, maybe, finance that really touch every aspect of the business, everything from supply chain all the way through to the customer, and so they tend to be pretty well informed in terms of the pulse of how the organization is reacting and changing, whether it's unhappy employees who become an insider risk, or third parties that may not have been meeting their contractual obligation to protect intellectual property, or any of those kinds of things. So it is one of those fields that I think does, whether it's as an advisor, which makes a lot of sense. One of the interesting trends we've seen in that space is that some CSOs are starting to refuse to take that title. They're refusing to take the CSO title because there is now a stigma.

Dave Tyson:

I don't know if you saw, there was a Wells notice issued by the SEC to SolarWinds. The Wells notice basically takes the CFO and the CSO from the SolarWinds attack of a few years ago and says we're going to investigate the way that that went. And so what you see is, between the Joe Sullivan case in California we talked about earlier, and this, and a few other things, CSOs are saying, you know what, being the CSO has a lot of liability. And so your point about making them advisory, whether it's them or somebody else, might be a more attractive option, because they can turn up to a board meeting and they can probably contribute fairly broadly in terms of anything that even smells like risk or operations. So that's actually a really interesting idea. So when you think about the conversations you have with board members, you know, is this something that's on their mind? Has this idea about getting better at cybersecurity reached its time yet, or is it still something that is, yeah, we know we've got to get there, but I'm really busy right now?

Meghan Juday:

Well, I would say, generally speaking, and not even speaking about our directors but about directors in general, I would say there is some interest, but I don't think we've reached the zenith yet, and I think there's going to be a lot of hard lessons learned, maybe some dramatic ones, before it really starts coming into the boardroom in a very substantial way. You know, it's that kind of innocence which is kind of cute. It's like, oh, we don't have to worry about that, or whatever. And I mean, I just think it's one of those things that it's going to take time, and there probably are going to have to be some more dramatic headlines, or maybe some more personal dramatic experiences. But I think the biggest issue is maybe not that others don't recognize that this is a problem, but what do they do? I feel like that's the big question.

Meghan Juday:

That is, if you have limited resources, if you have all these other competing priorities, you've got to make capital investments. How do you do it in a smart way? And I don't think that a general director has the ingrained knowledge to be able to advise companies or the management team on what to do or where to find that support, and I think that's really the biggest challenge. It's not that they don't know. It's like they know the risk is there, but they don't know how to address it. What?

Dave Tyson:

do you do with it? Yeah, right.

Meghan Juday:

What do you do about it right?

Dave Tyson:

You just told me all this black cloud stuff. Now what do I do?

Meghan Juday:

So I think there probably are questions being asked in the boardroom, but again, this is my example of if you ask a question about cybersecurity because you read an article or you took a class and you talked to the CIO or whoever's running the cybersecurity program, how do you know what's a good answer? And I think that's what's difficult. That is, what's really difficult about this environment today is that it is very technical and there are a lot of really smart directors in the boardroom today, but this is an area that's really out of their depth, and especially if we're looking, you were mentioning earlier, just around the slow turnover in the boardroom. The average age of boards is probably higher than one would want and again, very generally speaking, but they didn't not grow. These individuals did not grow up in their board experience with needing to have these conversations.

Dave Tyson:

Yeah, it's an interesting evolution that has to happen because from my side, what I see is and not to pick on the big four and I tend to use them a lot as an example but there's a lot of commoditization in business as it grows to get scale, and our industry is the same IT, cybersecurity and as organizations get bigger, it becomes more about.

Dave Tyson:

As an advisor, I want to get butts in seats with my clients so I can be there and drive billables, and in many ways, I'm incented to not solve the problems immediately, whereas at the board level, the last thing you want to be doing is dragging this stuff out forever. You want to monitor, but you want to have a solution that makes sense and enables the business and then be able to monitor the results and the investment, and I think that there has to be a better solution. I know that I've certainly thought about it and saying how could we create something that a board member could use to get the answers to those questions and be able, to a certain extent, pressure test the information they're being given, and I think that's something that we're going to continue to work on to be able to offer. That is, how do we help board members be able to go to a place to get the answers without having to go get a master's degree in cybersecurity because they've got to manage a lot of risk.

Meghan Juday:

It's also unrealistic, and that also, I mean. Part of what you're doing in the boardroom is assessing the senior management team, and if a member of your senior management team is saying things you literally do not understand, how are you? Is that good? Is that good? Are they really smart? Have you been able to do your job as a fiduciary? I think that's just the big question, and the world's evolving really fast. The boardroom moves a little bit slow and I think it just has resulted in, just now, a really big exposure for all directors, and I don't think there's general knowledge of the risk of having cybersecurity issues so close to you and then not following up on the issue to get it resolved.

Dave Tyson:

We talked about this before and you gave me some advice, but I've got to put it on camera, because this is a really interesting thing. So there's this assumption that makes me crazy in our business, which is it's not if, but when you get hacked, which is, in my opinion, not helpful, because it takes away the assumption that you can do something about it, and you absolutely can. There are solutions, there are abilities to get in front of this stuff, and for those who say that's not true, I would suggest that they're incented by that. But with that said, if you think about this whole idea around getting expertise and getting in front of folks and being able to share information with them, one of the challenges we've seen in the marketing side of the house is the industry.

Dave Tyson:

You've got 3,000 companies in this country that are all pushing messages at every audience, whether it's the CEO, the board or anybody else, and they struggle to wade through this massive amount of data. So even if you can get information to boards, they're probably swamped with so many different opinions that have different agendas. It's hard to wade through and know what's true, much less come up with a strategy if it's successful, and so we have a responsible disclosure program that I told you about, where our threat intelligence team detects a threat that's in development and you're going to get ransomware in three days and here's where it's going to come from and here's how you stop it. And we reach out to the company and they won't return our call, and then three days later you see them get ransomware.

Dave Tyson:

And it's sad, it's very demoralizing, but everybody we've talked to has said, well, they've been marketed to so much they don't believe anything anymore. To me, I don't know how we get over that problem, and I've asked a lot of people this question. But it seems like this idea that it's not if but when has created a scenario where people have just tuned out the reality that you can do something about it. And so do you think that the amount of information that comes at directors in general is just so overwhelming across all the subject matter areas that it makes it difficult to get the message through?

Meghan Juday:

Well, I think there's some. It's trying to find those trusted sources. So when you think about financial advisors who sell products versus financial advisors who provide a service and then you go choose what you need, I mean I think that's really the difference, right, I mean I've been or someone who's assessing your insurance needs and then also wants to send, sell you the policy, like all right, how good was that advice? And not to say that there's, there isn't a lot of great advice being provided, but I think that's really the big question. I wonder if there aren't services out there that people could subscribe to, where there, you know, you're just getting the data and you're not going to get sold to them. You know, right. The next thing, because I think that's, I think it's just finding those reliable sources and also recognizing that you know again, I think it comes back to also the board really understanding what those people are saying to you Also.

Dave Tyson:

Yeah, that's a challenge because you think about there's manufacturing, there's finance, there's technology, there's legal, there's all these things, right, and it's a lot to cumulatively, for me as a risk person. I look at here's the business situation. I know what questions to ask and where it's likely going to end up anyway, because you've seen it a thousand times.

Dave Tyson:

And I think, like every subject matter expert, right, they can do that Right. And then the role of the board is to look at it cumulatively across all of the business and say here's the right thing for us. We'll take that risk. We won't take that risk, you know, and I think that that is the subject matter experts. You know, I think you make a great point, which is how do I get a good opinion in front of you without it being a sales effort, Correct, Right? And I think that is that's a challenge. I don't think that that truly exists in its pure form, but it's interesting.

Meghan Juday:

I mean, wouldn't it? I mean, wouldn't that be the thing to do? Is you have? You know, you just have a subscription service, but we'll just let you know when it's coming down the pike and you can determine how to proceed. Right, there's no add-ons.

Dave Tyson:

Right, yeah, there's no click here to buy it. Yeah, yeah, yeah.

Meghan Juday:

You can, like, you're no upselling, but then I think, you know, I think that would actually probably be really helpful, because again, there's this concern, you know, especially with all the IT investments that are happening today anyway, and you know, now people are, like, freaking out about AI, but I think that if they knew where to focus those investments based on real data, not versus, you know, what someone's trying to sell you, right, right. Do you want the undercoating on your new car?

Dave Tyson:

Like do you want the insurance at that point?

Meghan Juday:

Yeah exactly right. So I think that's really the big, I think the big question.

Dave Tyson:

So we're talking, maybe a little bit like the Consumer Reports for cyber threats, right.

Meghan Juday:

I think people will go for it and I don't think. And then people would know really, how do you? You know, then they would know you know where do they need to kind of ramp up, especially if we're talking, you know, those smaller private companies that don't have you know vast IT departments who are. You know CSOs and everybody, you know all of the whole team. I mean, wouldn't that be nice, yeah absolutely.

Dave Tyson:

I mean, when you think of it, because we do interact with a lot of $200 million companies and we always say that, you know, most businesses start considering a CISO around, depending on their risk profile, around a billion dollars.

Meghan Juday:

Yep.

Dave Tyson:

Right, that's about where we start to see it happen, unless you're in medical research or something else, but typically that's where we start to see it, but there's. I was quite surprised to learn that there are thousands of firms in the United States under a billion dollars in revenue, many of them privately held. Yes, thousands, yeah. And so you think about that, that every one of them is a target in one way, shape or form.

Meghan Juday:

And that probably almost none of them have, you know, deployed all the resources required, and for companies half that size, because they have other priorities Right.

Dave Tyson:

It's interesting, though you know you think about the if but the. There's a certain amount of spend that goes on in every company. Is it really? Well, we need to have email and we need to have computers and we need to have these things. But if they had good advice up front, they could minimize the spend and make it more secure from the beginning. So some of those problems would never show up.

Meghan Juday:

Yeah, I think that's the way to do it.

Dave Tyson:

You know. I mean, it's interesting, one of the things we talk about all the time in our industries. There's this assumption that everybody's going to get ransomware. Right, there's, ransomware is going to come up. And I say, well, you know, there's actually technologies that are kind of impervious to ransomware, that you can use those things. You know, but nobody asked that question. Well, if we're going to build it, why not build it in a way that's more secure? Doesn't show up in the strategic conversation. I say to you know, think about a board thinking about M&A. Hey, we're going to.

Dave Tyson:

You know, I've done 35 major acquisitions in the companies I've worked at and you know they go and say, oh, we're going to buy this company in Romania, Great company, Okay, cool. So here are the security risks for Romania. And if you operate it from Hungary instead, you know and do all your call centers and all that from there, your cost of security goes down by 80%. They're like, wow, okay, I didn't understand that. You know, will that change how you negotiate and what you're willing to pay for it? And, by the way, what about the intellectual properties? Do they actually still own it? And all of these kinds of things.

Dave Tyson:

And I think that there is value that can be captured by organizations by engaging further in those discussions, because, you know, we see these statistics every day and we probably see a dozen companies auctioned off for sale on the dark web every day, right, every day, and we try to. We try to. You know, there are a lot of mission-focused people and we try to alert them. When we try, I did five this morning, before we got here to this interview, just reaching out to CTOs and CIOs going, hey, just let me send you the document, just so you, you know, not trying to sell you anything, and I think that, you know, as this volume continues to grow, it's one of our board members, John Waters, who recently was the president of Mandiant, they sold it to Google, and very, very smart guy, said to, you know, he said to me one day, he says, you know, look, if you look at the risks and the amount of losses that have occurred in the US market over the last, you know, 20 years, go back to 2010 and use that as a benchmark.

Dave Tyson:

And you came through and said, okay, 2020, where maybe 1.3% of global GDP was lost to cyber attacks. And if you trend that out to 2030, you're talking about 3.5% of global GDP. Now that's the economic impact of COVID every single year going forward. That in itself should get a board interested in this from an economic reality, because in my humble opinion, the people who are going to bear the costs of that loss are the people who are least prepared to defend it. I mean, do you think that those kinds of realities of the cost to economies in general are understood at the board level, or do you think that's more, we need more education around these? A lot, because it's in the Wall Street Journal, right.

Meghan Juday:

Everybody reads it. Yeah, now I would say no. I definitely think there needs to be more education, there needs to be more awareness, there needs to be and I would say the conversation needs to be had in ways and kind of, you know, layman's terms right. Because that's the other thing is that you know there may be this information, may all be available, but how do you like can people read it and understand? You know what they're saying, so I think that's kind of the other big issue.

Dave Tyson:

You know that brought up two thoughts for me. The first is are boards good at asking for what they need from their subject matter experts? Do you think?

Meghan Juday:

I mean, I think that, no, I think absolutely they do in matters they really understand. So, you know, you always bring in a comp expert every year to go through exec comp, or, you know, you always are bringing in your, you know, outside professionals who run your board evaluations or your CEO evaluations, you know. So I think there are, I mean, there are a lot of third parties that will come in and advise, and, you know, bringing in, you know, some real outside expertise. But I'll say that that's not. You know, that's certainly, in the boards that I've served on, I haven't seen. You know, you've seen the comp experts. You see the governance experts. You see tax experts. Have you seen the security expert?

Dave Tyson:

That speaks, that speaks.

Meghan Juday:

Right, right.

Dave Tyson:

I mean. No, this is my humble opinion. It's a small number of my, you know compatriots who have gotten proficient at business language.

Meghan Juday:

Right, and so you're bringing in, you know, so you have your audit teams are coming in and reporting to the audit committee, but, you know, do you have your you know, third party security folks coming in and giving you just kind of updates? No, like that's not conversations that are happening today and I think that's really really good, really good point and probably needs to be, as you know, as common if we're spending all this time talking about, you know, internal audits. Right Are we like, are we doing.

Dave Tyson:

Which is not managing much risk, right.

Meghan Juday:

I mean right, you know, in the end it's all the right things to do, and I'm not knocking it, but at the same time, then you know, why aren't we having these, these broader conversations?

Dave Tyson:

Well, I mean, you know everybody drives down the road every day and there's speed limit signs and you wouldn't want to live in a world without them, right, right, and you wouldn't want your teenager on the road without them. It's kind of like compliance to me, right, you wouldn't want to live in a world where there isn't an audit process and a compliance program and those kinds of things, but that that in itself is not the panacea of protecting the organization.

Dave Tyson:

Agreed, right? My last, my last sort of question before we close up would be around, if you think about how management teams are incented, right, CEOs especially, but others, around progress of the business, overall results, growth, any number of other things. In some organizations, you know, I've seen where there was somewhat of a disincentive to talk at the board level or allow conversation at the board level about things where the baby's ugly, as it were, and if you think about how the risk is changing. So here's the inside story. My personal record is having my presentation to the board filtered 52 times before I was allowed to present it. What? 52 times between the executive team and I. In the end I refused to present it. Smart. It's your presentation now, not mine. It doesn't actually tell them anything, yeah. And so they said, oh, I'll just go back to what you're going to do, but the pressure on CISOs to. Pretty it up for us.

Dave Tyson:

Pretty it up and to change the language so that it's not confrontational or in any way controversial is very significant, and in many cases, well, as we saw with the Joe Sullivan case, they often end up paying the price for it. The average tenure of a CISO for the last 10 or 15 years has been between 17 and 24 months on average, a little longer in the privately held business, but it is not. They get hung with the compliance failure a lot.

Dave Tyson:

Yeah, so I guess the question that I've got and I've done a lot of research on this, but it is do you think that the role for governing cyber security between the board and what the management team's responsibility and obligation is is clear or clear enough the difference between yeah, so it's.

Meghan Juday:

I mean, I think this is. I really feel like this is a delicate balance, because I want to know the truth but I don't want to beat anyone up about it. It's just facts. We can't do anything about it unless we know, and so I really tried to take the approach. And you know, I mean, I'm in boards that are very congenial but honest. So it's not, you know. You know put something stuff under the rug, but I've really made a point of trying to. You know, especially if you're getting stuff like this, a work in progress, we're not where we want to be and, of course, in cyber you're never done, there's no like you know, no, all your guys are not going to turn green, I'm sorry to say like it's.

Meghan Juday:

That's just life. And so I really do try to remind the board, as we're coming into these conversations, that this is a work in progress. We want to know these are, it's important to disclose and, you know, if there are material issues we do need to follow up, but it's only just to close that governance gap. It's not for, you know, punishment or anything else, and I think that really trying to take that perspective, I think, makes people feel, you know, feel more comfortable in being honest. But I, and I would also, you know, if a director ever was kind of trying to, you know, go too far with how did you let this happen? Or the equivalent, I would intervene because I don't think that's appropriate, and it's not only.

Meghan Juday:

It doesn't engender trust, which is a huge, a huge issue between the management team and the board.

Meghan Juday:

People have to know they can come in and tell you the truth and you're there to help them, you're not there to beat them up, and so that's, I think, a lot of the board dynamics that we've been working on in our board is really just trying to make sure that the management and board have a very strong working relationship and that they know each other and can trust each other, and we put a lot of stuff in place so we can do that.

Meghan Juday:

Because you want the, you want the management team to walk in and think this is the only place on the planet where everyone is here helping me be better. It doesn't mean all the messes are going to be awesome, but they're there to make you better. It's not, you know, beating up for recreational purposes or anything else, but I think that's. I think it's tragic that a CEO would ever feel like they had to tailor something for the board. If they, if there ever is that instance, it would mean either one of two things: you have the wrong board or the wrong CEO. Because I mean, what's the, if everything's going to be whitewashed before it gets into the boardroom, what is the purpose of having a board, right?

Dave Tyson:

Yeah, that's a great question. That is a great question. Well, so you know, to wrap up, I guess, you know, you've got a lot going on. You're on a number of boards, you've got the Lodis Forum, what, you know, what's next for you? What's the next, you know, the next challenge for you look like? You've got your own company, which has got a huge amount of history and is doing very well by all accounts. What do the next few years look like for you? What are you going to focus on?

Meghan Juday:

Oh my gosh, I always have a long list. I'm like an inveterate learner. So I just finished my ESG certification. It was a six-month program. I thought I was going to die. I hadn't taken a test in years. But it was good, it was a great experience and I feel a lot more prepared to really kind of embark on that journey with our board and our company. Finishing up a risk class, I'm doing a separate class. Nice, hopefully we'll do that soon. And then, you know, after that I just kind of, a bunch of. I really think it's very important for continuous learning to just really stay fresh, and I think as board chair I feel an obligation to really be kind of on the leading edge of where I need and want the board to go, based on where the company's advancing. So I think there's going to be a lot of, a lot of work in that area. So. Excellent.

Dave Tyson:

Well, I want to say thank you very much for taking the time to come down here. I think that your advice is going to help so many people out there to understand this issue. It's rapidly evolving, so thank you very much.

Mark Havenner:

This has been Executive Cybersecurity with Dave Tyson, a production of Apollo Information Systems. Visit us at apollo-is.com or, if in Canada, apollo-is.ca. Thank you for listening.

Board Leadership and Gender Diversity Journey
Importance of Cybersecurity Education for Directors
Improving Board Composition and Expertise
Boardroom Challenges in Cybersecurity
Board Communication and Risk Management Challenges
Navigating the Governance Gap in Cybersecurity