Episode #78 A new board agenda with Anna Leibel
A multi-episode guest on the podcast, we welcome back Anna to discuss how boards have adjusted during COVID - from governing cyber risk; technology and audit risk committees; to encouraging resilience and collaboration. Anna also shares what work looks like since leaving her corporate career.
Anna is a Director of The Secure Board, a Non-Executive Director and senior executive across the financial services, management consulting, telecommunications and technology industries. With three decades experience in leading customer, business and digital change, she is a sought after advisor to Boards, Chief Executives and IT leaders on digital transformation, data, cyber, leadership and culture.
Links:
Episode #21. Anna Leibel, CIO, UniSuper
Episode #38. Lessons Learned with Anna Leibel
Episode #60 The Secure Board with Anna Leibel and Claire Pales - hosted by Paul Rehder
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales, and today it's great to be welcoming back Anna Leibel, great friend of the podcast. And Anna, your episode 21 remains the most downloaded episode of all time of The Security Collective. And we first welcomed you to the podcast in that episode, again in episode 38, and in episode 60, we spoke with Paul Rehder, it is great to have you back on the podcast today.
AL: Amazing. Thank you very much for having me, Claire.
CP: So one thing's for sure the world has changed a lot since my audience first met you back in season two. And for you, you've left the corporate world, you've become an author, a podcast host, a director on three boards, and you're also the chair on an audit and risk committee. I want to start today by diving into the conversation around boards. How has the boardroom conversation changed in general do you think with the remote nature of board meetings since the pandemic?
AL: In two ways I think. First of all, it's trying to facilitate an effective board session online. I think that's been extremely challenging, and really makes all of us recognise how much we rely on the relationships that we have, not just with our fellow directors, but also with management. So across all of the boards that I sit on, but also the boards that I work with, there's an acknowledgment there that we really do miss having those face to face relationships. So it's been interesting to, I suppose, get into a rhythm with each of the boards on how you actually facilitate a really good conversation about the agenda items coming to the board. But the second piece is I suppose, just the topics itself, that's also shifted. For Victoria in particular, we led the way last year in terms of having our workforce move to remote working very, very rapidly. New South Wales has gone through that this year, and unfortunately, Victoria has gone through it again. But I think New South Wales probably learnt a lot from what Victoria went through last year. But as states, we're actually going to remote working, what I call on mass. I think boards really had to start thinking more broadly around remote working, health and safety aspects of that, obviously, the threats of cybersecurity incidents with everyone working remotely, the stability of technology, how to continue servicing your customers, and also consideration to the financial implications of COVID as well. So on top of doing the normal day to day governance of the business that a board usually takes care of.
CP: And if we think about cyber, particularly when we're talking about the board's earlier this year, the World Economic Forum came out with six principles around boards, and governance for cyber risk. What do you think are the key challenges directors have in governing cyber risk?
AL: I think the first and most important is the challenge of finding somewhere that you can learn about cyber in a method that you feel comfortable with. And a lot of the learning that’s out there today is more focused about how you manage cyber at management’s level, rather than the board level. And I think it’s also understanding that being cyber safe is also far more broad than being compliant. And also that insurance policy is not going to get you through this. And so, for me, I think there’s a real need for directors to have somewhere that they can go to understand how to oversee cybersecurity at a board level, and also what a good cybersecurity strategy looks like, and how to actually oversee and govern the implementation of that. There’s also still a perception that cyber is something that IT can solve on its own. And I’m really pleased that that is shifting. But I think understanding all of the aspects that contribute to cyber risk, and the role that they play in any M & A activity, or your supply chain, the role that your employees play in keeping your organisation safe. They’re all aspects that sit outside of IT, or the day to day accountability of IT. And I think it’s understanding all of those aspects to be able to thoroughly oversee cyber risk management. For most directors, it’s also the pace at which cyber risks are emerging. And if you think about other risks, in general, to bring those within appetite, you can put a plan in place and know that you’ve actually achieved that outcome. With cyber risk management, you have a cybersecurity strategy, you have appropriate investment assurance activities around that, but the risk keeps changing. And so there’s this constant need to keep pace. And I know that you can’t catch up anymore, but you’re actually needing to keep up to date with the emerging threats and the sophistication of them to make sure that you’ve got the best mechanisms at keeping your organisation safe.
CP: So you mentioned about cyber not being something for IT to solve, and one of the World Economic Forum principles that they talk about is for the board to encourage resilience and collaboration. How do you think the board can align with that principle or execute on that principle of encouraging the business to collaborate around cyber?
AL: One of the really easy ways to do that Claire is be mindful of where you're directing your questions as a director. And I think directing some of the questions to the CEO is extremely important. And then also knowing that if you're talking about third party risks, so the people that you partner with, direct those to the executive that's accountable for procurement, so that's usually the CFO or the CEO. So by not directing all of your questions to the technology leader, I think you can actually start to create that awareness across the executive team, knowing that the question might be coming to them. And I think that helps create stickiness in terms of their accountability for elements that contribute to cyber risk.
CP: I mean, the other thing we're seeing a lot of too, it's becoming more and more popular, and I've been fortunate to join a technology committee myself. More and more boards are delegating some of their responsibilities regarding tech and cyber to a committee, you know, and not just an audit risk committee, but as technology specific committee. What are your thoughts on this? How can these committees help the board, if we really want directors to still be uplifting their cyber literacy and their understanding, if they're delegating to a committee, is that still possible that the board are getting the literacy and the understanding that they need?
AL: My thoughts around technology committee are very similar to the business deciding to stand up any other type of subcommittee. I think it's acknowledging that you don't have enough time on the board agenda. And also that you might need some skilled expertise that you decide to actually establish a subcommittee to oversee a certain topic. And at UniSuper, I was the executive accountable for establishing the Technology and Projects Committee, which was a fantastic experience. That was established as the chair of the board recognised that we knew that the skills and more time to actually provide board oversight of the implementation of the IT strategy. So that was a three year programme of work, which was really set up to mitigate risk. One of the key risks there that was outside of appetite, when I joined was cyber. So it was to bring that within appetite, and also to prepare the company for competition. And so by implementing that IT strategy, the company was able to open the doors for competition, so they're now open to all of the public to join UniSuper, and that occurred in July this year, which was a really great outcome. And I think that if we consider the scope of a technology committee, it's broader than cyber, you can look at aspects like digital and data and cloud. But I think one of the most challenging problems for most businesses is what to do with their legacy systems. And so I think having that oversight by people that have got technology experience in that area, so the people that actually sit on the subcommittee is really helpful. And then if I take it back to how that then gets exposure to the board, it's the chair of the subcommittee that decides what papers actually then go through to the board. And on all of the boards that I sit on, the chair actually also gives an update of the topics discussed at the committee meetings as well. So I think actually having those topics on the board agenda and having exposure at the board table is a really good start. And I think that helps drive literacy. But you also need to consider that COVID has really put technology on the radar of all directors now as well as chief executives and their leadership teams. So I think the literacy is growing, and it's growing organically.
CP: You answered a question I was going to ask you off the back of that, which was around how does the information that gets discussed at that technology committee make its way to the board? Are you therefore thinking or, you know, do you advocate for the chair of that committee having a particular background or understanding? What sort of capability does that person need so they can be the conduit between the committee and the board?
AL: There can be benefits of the chair of the subcommittee not being a subject matter expert. When we established the technology and project committee at UniSuper, the board member that was asked to be the chair of the technology and project committee has pretty good awareness around technology. He does some work with start-ups as well, but isn't a subject matter expert. That actually worked really well Claire. He has a really broad business career and focus both working globally and within Australia. He knows UniSuper really well as a business. And so that worked extremely well. And then we also went to market to engage with two IT experts and they actually sit on a subcommittee but are not board members with UniSuper.
CP: So given the three board roles that you've got, and the audit risk committee chair position that you've got, the book we wrote together, all of your consulting experience in the last few months and your executive career, everything you've read. If you kind of bundle that all up together, if you could give other directors one piece of advice about cyber, what would it be?
AL: Firstly, that we all need to acknowledge it’s a really complex issue. And with that creates the need for continuous learning. So I think it’s considering how you can become cyber literate, and then remain literate in terms of the emerging risk in both informal and formal ways.
CP: So I mentioned in the intro that you've obviously left the nine to five, although when you work for yourself, it just becomes the eight til eleven I think! As you know, my listeners are always looking for stories of leadership lessons learned. So I'm interested to know what's been the most surprising thing for you, leaving a C level position in a more traditional nine to five type role, and pursuing a portfolio and advisory career. What do you think surprised you most as a leader, as a female in tech, as a board member? What would you say is has been the most surprising thing over the last eight or nine months?
AL: It's interesting that I left my corporate career with a few things on my mind that I thought I might find challenging. And one of them was that I wouldn't be working with the team every day. I love being around people and I absolutely loved working with my team at UniSuper. And so I expected to find that quite challenging. But through the board roles that I have, and the work that I'm doing with you through The Secure Board, and also the interim work, so I'm currently working at Integrity Life as the Chief Technology Officer. I'm getting, I suppose exposure to the people and the relationships that I thought I might miss. But the biggest learning for me or surprise has been considering that corporate life keeps you pretty busy, and that's through back to back meetings and emails, and really breaking the thought process around being busy versus being productive. And what that might look like in a day in my own business is that if I can actually sit down in the morning and do four hours of work, and get everything done that I wanted to achieve, then that's a good day. But I really had to break this cycle of keeping myself busy at times. I had to catch myself, I was about to create things to do on my to do list. And so it's breaking that and really enjoying the flexibility and the variety that I was looking for when I made the decision to pursue a portfolio career.
CP: It's really interesting you say that, because we had Samm McLeod come back on the podcast earlier this season. And she talks a lot about this sabbatical that she took for just over 12 months, I think it was, and she left, for all intents and purposes, left the cyber industry, her and her husband bought an organic food shop. And then she has returned to the industry, but in a much different way to how she worked in it before. And you know, the follow up question I asked Samm was, do you think that all of your experience has led to you today being able to make that choice about your career? Being able to make the choice to go into a portfolio career, and if you only want to work four hours on a Tuesday, you can do that. And if you want to take Friday's off, you can do that. Do you think that comes from having, you know kind of earned your stripes and put in all those years of experience so that you're in a position now where you're a subject matter expert, you can give the time you want to give and then you can have structured time for yourself? Or do you think that people who are younger than us and are earlier in their careers, can they have a day to day lifestyle, similar to what you've just described and what Samm described earlier in the season, of being able to make choice around when you work and how you work?
AL: The gig economy is creating an environment where people have choice. So I think regardless of age, you can take advantage of that and achieve the things that I’m finding really rewarding from having a portfolio career like having variety. But your question around whether the experience that I’ve got and the years that I’ve put in, if you like, have helped me achieve the portfolio career that I have today, you make me think about a conversation I had with one of my managers at Telstra. His name is Fulvio and we were having a discussion one day about remaining as a permanent employee versus actually leaving and becoming a contractor. And what he posed to me at the time was you need to hop off the merry go round when you are comfortable that you’ve got the skills and the experience to pursue the contract work that you’re looking to do. And I took a very similar approach to that when I was thinking about my portfolio career. I was mindful that I needed to have an executive role under my belt. I had the board experience with Ambulance Victoria, I had a lot of board exposure through UniSuper which I’m extremely grateful for. I presented to the board every month there and presented to three board subcommittees and even establishing the subcommittee for technology and projects that we’ve talked about today is a really great experience. So, for me, it was the right time. And I feel comfortable and confident with the decision to leave my career at the time that I did.
CP: Do you feel like taking on interim positions will allow you to continue to be current in your skills and experience, but also allow you to see the risk and the technology challenges that organisations are having, that maybe you didn't get to experience in part of your permanent career?
AL: Interim roles is a really great way to keep my skills current. I'm very mindful of having nearly 30 years experience working in IT. But we've talked about the pace at which cyber is changing, but IT changes at the same pace. For me also Claire, it's working with companies where I want to work with really great people, and feel that I can add value and contribute. And I'm thrilled to be working at Integrity Life, a life insurance startup who's shifting from, I suppose a small business into a medium business. And the problem statement there is different to the experience I had at UniSuper. So that's a startup who needs help in scaling. And so I'm thrilled to be there. And part of my role is to help them find a permanent Chief Technology Officer to come in when my time finishes with them.
CP: It's kind of been a podcast of two halves today, because we talked a lot about your opinions and thought leadership around cyber governance in boards and what you've experienced since the pandemic. But I really want to thank you for sharing your leadership journey over the last few months as well and how things have changed for you. And I guess what that means for others out there who might be considering a portfolio career. And certainly thank you for being a role model as a female in tech.
AL: Thank you and thanks for inviting me to join your security collective community again today.
CP: Thanks, Anna.