Zoom just announced the addition of a new cybersecurity team leader, Jason Lee, whom they poached from Salesforce. This is a critical leadership addition as they reboot from their very public cybersecurity failings.
But it’s not the last leadership step they need to make before their cybersecurity redemption is complete.
Next week Zoom exits the 90-day sprint their CEO implemented to deal with a wide range of cybersecurity and privacy issues that were roiling Zoom as their user growth exploded during the shift to work-from-home practices.
Zoom-bombing, the practice of infiltrating and disrupting video calls, became an embarrassing cybersecurity failing for Zoom during the coronavirus panic of March and April.
The growth gift that the coronavirus dropped on their doorstep was quickly becoming a cybersecurity nightmare as firm after firm abandoned Zoom over security and privacy concerns. Some even went so far as to call Zoom itself “malware.” Google, SpaceX, Standard Chartered, NASA, the German Foreign Ministry, the Australian Defence Force, all of Taiwan’s government agencies, schools in New York City and Singapore, and others abandoned Zoom because of its cybersecurity and privacy shortcomings.
Zoom was one of the first coronavirus beneficiaries and success stories, as their daily meeting participants exploded from 10 million in December 2019 to over 300 million today. They recently reported over 265,400 customers with over 10 employees, up 354% from the same quarter last fiscal year.
Zoom’s CEO launched a comprehensive 90-day security and privacy plan in early April to prioritize these issues, freezing all other development work. Their 90 days is up July 1st.
As a result of Zoom’s rapid progress on their cybersecurity issues, the NYC Department of Education has since reinstated the use of Zoom, and Singapore also quickly reinstated use shortly after its suspension.
But Zoom still has one critical step they need to take to become a global cybersecurity and privacy leader. Their approach to cybersecurity will never be complete and a leading practice until they fully address cybersecurity at the board level, as some others are starting to do.
There are three aspects to this issue at the board level. First, do they have corporate directors who have the ability to understand and oversee cybersecurity risk? Second, is the board organized effectively on cybersecurity risk? And finally, does their approach to cybersecurity risk oversight reflect a deep understanding of systemic risk?
If you look at Zoom’s corporate board, they have several directors who also hold board seats with some leading cybersecurity firms. However, none of their directors appear to have held functional cybersecurity management or leadership roles before.
Just like sitting on a hospital board doesn’t make you a doctor, the competencies needed to effectively oversee cybersecurity risk are developed from having the experience and/or education to understand these dynamic and complex issues.
The SEC used a competency-based approach for defining Qualified Financial Experts in the boardroom as part of the Sarbanes-Oxley legislation of 2002. Using this same conceptual model, it’s unlikely any of Zoom’s corporate directors would qualify as Qualified Cybersecurity Experts. While that standard doesn’t yet exist, it does reflect the importance the SEC puts on having directors who have actual experience with the issues they oversee.
Second, Zoom has its audit committee tasked with cybersecurity risk oversight. Some companies have realized that the audit committee is far from an ideal place for cybersecurity risk oversight. And it can in fact be the worst place to put it.
This is because the audit committee already has a very full agenda, and skills alignment can also frequently be an issue. Cybersecurity risk then becomes a check-the-box item that can create a false sense of understanding of the actual risks. It’s thrown into the audit committee because, why not, where else do we put it?
While Zoom does offer more detail than others in their disclosure filings around the role of the audit committee in overseeing cybersecurity risk, including calling out the cybersecurity training and education that the committee receives, why not just take the final step? Put a technology and cybersecurity committee in place, as Walmart, J&J, FedEx and others are starting to do.
These firms know that digital and cybersecurity risk leadership starts in the boardroom, and they put the right skills and approach in place to adequately oversee these risks. Committee structures play an important role in the boardroom: they bring focus and attention, and they send a strong external signal about what the board values and spends its time on.
And finally, the corporate board needs to have an understanding of systemic risk. Systemic failure created from systemic risk is an experience we’re all living through with the pandemic. Cybersecurity risk is inherently systemic and digital business systems also embody significant systemic risk to the value they create. Leading firms are recognizing that adapting to systemic change and understanding systemic risk requires more systems thinking competencies from their leaders.
While Zoom has come a long way with their approach to cybersecurity and data privacy, and their recent leadership addition is another important step, the last step they need to take is in their boardroom. Zoom will never fully redeem their cybersecurity failings until they take that step and decide to lead in the boardroom with a comprehensive approach to cybersecurity risk oversight.