Step 3: Prioritization

Identify the IT subjects most relevant to the company

Once the board’s IT oversight approach has been decided, the group charged with this responsibility needs to prioritize which IT areas are most relevant to the company. Summarized below are the most common contemporary IT topics to facilitate this prioritization. Also included are a few board considerations for each topic; an expanded list appears in the unabridged version of the Guide. Not every topic will be relevant to every company.

IT Subject Board Considerations

Data security – Cybersecurity is a major challenge for many companies. Successful cyberattacks can cause significant damage to a company's business and reputation.

Understand the company’s perceived level of security risk, comprehensive security strategy, and the controls designed to mitigate the risk.

Determine how management tests resistance to attacks.

Ask management about the company’s IT security resources and whether the security spend level is appropriate.

Mobile computing – Mobile is ubiquitous and presents huge market opportunities. Devices are more affordable and provide significantly greater access to company data by employees and others.

Understand the role mobile is playing in the changing global economy and evaluate the appropriateness of a mobile strategy.

Understand the company's policy for allowing employee use of personal mobile devices to access corporate data.

Discuss how the company's mobile policy is communicated to employees and how they are trained in its implementation. 

Data privacy – Many companies keep sensitive customer data. The efficacy of the company’s internal and external privacy policies may be critical to avoiding big problems.

Understand how the company protects sensitive data from the risk of theft.

Understand the company’s internal and external data privacy policies.

Ask management about privacy policies related to any data exchanges with third parties.

Social media – Social media is an essential tool for many companies and for their customers and employees. Directors should be aware of both rewards and risks involving how the company and its employees use social media.

Take interest in how the company and its competitors use social media to engage customers, develop markets, and recruit talent.

Understand whether the company knows what is being said about it on social media platforms.

Discuss how employees use social media at work and what safeguards exist to protect the brand.

Cloud services and software rentals – Using the Internet to access hosted computing power can often lead to lower cost, faster implementation, more flexibility, and greater accessibility. But it is not without risk. Many companies are using, or plan to use, cloud strategies.

Ask management about the pursuit of cloud strategies and cost-benefit considerations.

Discuss security and privacy risks associated with using the cloud, including backup and recovery.

Inquire about existing regulations and compliance risks of cloud computing.

Streamlining business processes using digital means – Many companies are leveraging IT to enhance their performance. Advantages can include operating and workforce efficiencies, lower costs, and integration of supply chains and distribution channels. Companies are also finding ways to analyze large amounts of information and use it to their advantage.

Ask how executives are leveraging IT to enhance communications.

Understand the use of data analytics to give the company a competitive edge.

Consider whether the board could benefit from the use of tablets, smart phones or web portals.

After considering various IT subjects that are part of technology today and asking the right questions, the board members responsible for IT oversight should decide which topics deserve the most attention. They should prioritize those topics for specific focus to efficiently use their time.