A top spy explains the cybersecurity mistake that companies keep making—and a simple fix

March 31, 2023, 12:35 PM UTC
Senior businesswoman gesturing while looking at world map on screen
Companies need to get past the "Here's what my team is working on" presentations when they discuss cybersecurity.
Getty Images

“On my best days, I remember that the people I’m working with don’t care about what I’m doing.”

I made note of that striking comment while attending PwC’s Trust Leadership Institute Academy, held in Washington, D.C., earlier this week. The unusual self-assessment was extra surprising considering its source: Sue Gordon, the former U.S. deputy director of national intelligence who spent nearly three decades rising through the CIA’s ranks. Gordon now consults for large companies and organizations, and you would assume that the CEOs and boards who hire her would care about what she’s doing for them.

But the former top spy was making a point about how cyber experts communicate with executives and directors. Too often, companies merely seek updates from their data security chiefs, who show up and drown their audience in tech talk. What corporate leaders and executives actually care about is how cyber protection measures will impact their work and how they can use security tools. She says the best approach at board meetings is for company directors to ask their tech team questions: How can we help? What are your concerns? What are your risks?

Companies are most equipped to foresee and deal with cyber threats when internal communication about security runs deep and becomes a meaningful discourse. The same is true for governments. “Do you think we could have anticipated Russian interference in the 2016 election if the tech people and the geopolitics people had been talking to each other?” she mused.

Gordon also offered general cybersecurity tips. Take advantage of ransomware simulations so you can grapple with the decisions that must be made in a crisis before you’re in one, she advised. Do all the basics, like deploying two-factor authentication whenever it’s available. (“Cyber criminals won’t attack fortified companies. They’re really lazy,” she said.) And keep running routine phishing drills, which help create a culture that says data security is everyone’s burden.

Lila MacLellan


“​​When you have all the information, it’s not called a ‘decision.’ It’s called an ‘equation.’”

 —Sue Gordon, former U.S. deputy director of national intelligence, board member, and cybersecurity consultant

On the Agenda

👓 Read: Companies and consumers disagree about what defines a “trust-damaging” event, and executives vastly overestimate how much they’re trusted by consumers and employees, according to PwC’s latest Trust Survey.

🎧 Listen: On The Political Scene podcast, The New Yorker’s Kyle Chayka dissects TikTok CEO Shou Zi Chew’s recent appearance in Congress, looking at the role of xenophobia and why “Tik Tok is a perfect storm of things that all politicians can be against.”

📖 Bookmark: Last week, the National Association for Corporate Directors released an updated cybersecurity handbook for company directors, with guidance on managing risks and meeting compliance requirements.


Macy’s newly appointed CEO Tony Spring will join its board. John Rogers, founder and co-CEO of Ariel Investments, and Bob Eckert, chairman emeritus of Mattel, are leaving the McDonald's board of directors amid a shake-up. Both men joined the board in 2003. Mattel tapped Noreena Hertz, an economist, author, and professor at University College London, to join its board. Alphi Capital founding partner Thecla Sweeney was added to the Dollarama board. Marsh McLennan appointed Judith Hartmann, former deputy CEO and CFO of Engie, and Ray Young, former vice chair and CFO of Archer-Daniels-Midland, independent directors.

In Brief

- Presidential historian Douglas Brinkley joined Morning Edition today and shared a balanced view of the Trump indictment, explaining why it may lead to a positive story about presidents not being above the law and how Trump fits into the outlaw folk hero narrative.

- The tech giants that have recently laid off thousands of employees have also drummed up excuses to explain away their behavior, but Fortune’s Geoff Colvin finds holes in their stories and their new faith in “efficiency.” Mass layoffs, he says, are a corporate confession of poor management.

- Marc Benioff has joined the tech CEOs shedding employees this year, a bad look for a leader who made ohana, or family, his company culture motto. But the Salesforce chief insists he can remain empathetic while cutting costs in his company's next era.  

-  You’ve heard about ChatGPT, but what about Meta’s BlenderBot? Have you talked to Google’s Bard? The Atlantic’s bot explainer introduces readers to nine generative A.I. platforms. 

- Responsible Investor interviewed a prolific anti-ESG proposal filer and essentially asked, “Why are you doing this?”

Editor’s Pick 

Should you feel alarmed by A.I.’s advances and join the chorus of voices calling for a giant pause on its development? I wish I could say that the Guardian’s recent interview with computer scientist Jaron Lanier answers that question for you. But I can say that it will make you think.

In the piece, Lanier explains why he doesn’t believe humans are in competition with A.I. and says he’s not afraid that bots will take control of our world. What does he envision?

Here’s a snippet:

“‘From my perspective,’ he says, ‘the danger isn’t that a new alien entity will speak through our technology and take over and destroy us. To me the danger is that we’ll use our technology to become mutually unintelligible or to become insane if you like, in a way that we aren’t acting with enough understanding and self-interest to survive, and we die through insanity, essentially.’”

Read the full piece here, and try to sleep soundly this weekend.

This is the web version of The Modern Board, a newsletter focusing on mastering the new rules of corporate leadership. Sign up to get it delivered free to your inbox.

Read More

CEO DailyCFO DailyBroadsheetData SheetTerm Sheet