Governance in technological SMEs and how to address the issue of cybersecurity in the boardroom of any organisation?

With his vast experience in technology companies, Alex Driesen’s interest in working with technology startups, and providing them with good governance, has steadily grown. His background includes a blend of computer science, management and a passion for strategy and good governance.
Lynn Paine, Professor of Corporate Governance at Harvard, was a great inspiration to him in all this.

For 2022, the following topics should be on the table of directors everywhere: ‘War on talent’, permanent monitoring of value creation and value preservation in a VUCA world, increased attention to ESG topics, while it is also more than ever mandatory to install a sound cybersecurity policy.

Classic corporate governance often predominantly focuses on value preservation, while, in fact, the value of startups hasn’t been created yet.

Alex Driesen

As long as you keep the ‘purpose’, the ‘why’, in mind, good governance often comes down to common sense, backed by adequate theoretical frameworks and experience to look at reality from different lenses, and enough diversity to expand the number of frameworks. This, together with my preference for the Socrates method (I mainly ask questions), gives an insight into my attitude as a director.

All these topics will be clearly discussed.

Alex Driesen
CEO at Toreon | Cybersecurity and Privacy - let us do the worrying AND mentor your teams

www.linkedin.com/in/alexdriesen
Mobile    +32 478 401 404
Email    alex.driesen@oxygen2.co

For the GUBERNA Directors Sparkle interview of January 2022, I have the honour of interviewing Alex Driesen, CEO, member of advisory boards and director. I met Alex during the GUBERNA Director Effectiveness course in 2017, so I’m really interested to hear about his experiences since then. He is also well placed to give some tips for directors in both startups and SMEs.

Alex, may I ask you to introduce yourself briefly and to tell us about the context and inspiration of your managerial tasks?

With my vast experience in technology companies (Barco, Zetes, Nallian), my interest in working with technology startups, and providing them with good governance, has steadily grown. Uest, Prosteps/Tilroy, Volta Ventures, Toreon, and now CEO at Toreon. My background includes a blend of computer science, management and a passion for strategy and good governance. Lynn Paine, Professor of Corporate Governance at Harvard, in particular, triggered my interest in the fine art of corporate governance at the time, and I am extremely grateful to her for that. Following on this inspiration and professional experience, I familiarised myself with the work of advisory boards and board meetings. 

At technology company Zetes, I had the opportunity to help a small Brussels-based SME grow into an international market leader in 18 countries with 1,200 employees and 250 million in turnover. Zetes was later absorbed by Panasonic through a stock exchange listing. 

At Nallian I got to know the startup/scaleup scene from the inside, felt the pain of the early stage entrepreneur if you will. With just a piece of technology and with the help of a venture capital fund, we managed to market a data-sharing platform for logistics at cargo airports worldwide.

At Toreon, an ambitious group of currently around 50 consultants in cybersecurity and privacy, I advanced from an independent board mandate to a CEO role.

GUBERNA Directors Sparkle

What do you think are the main topics deserving the undivided attention of directors in SMEs and other organisations in 2022?

The topics for the boardroom never really change spectacularly, but if I have to pick out a few for 'tech' companies, let me tell you this.

  • The ‘war on talent’ is not getting any easier, especially in the digital domain, where there has been a scarcity for some time.
  • The pandemic and the lock-downs have put a brake on the natural rotation, while also making people question their priorities. At the same time, the ‘social glue’ within companies has slightly eroded. That’s a tricky cocktail. So, there is some catching up going on now. The prospect of an economic revival will make people shift gears and, as a result, rotation is likely to increase. 
  • Increased focus on ESG. What is or is not socially accepted is evolving rapidly - so, anticipate.  And if you operate in an industry that is heavily dependent on energy prices ...
  • The most important thing is the overall uncertainty. Nobody sees exactly where the pandemic is going, government debt has greatly increased again and this will probably have tax consequences, we are on the longest bull run ever but no one knows for how much longer, supply chains are in disarray and geopolitical tensions are rising. Today we live in a VUCA world (volatile, uncertain, complex & ambiguous) and the only certainty is that the future is uncertain. This means that we have to organise ourselves accordingly. In a predictable world, you would be boosting your internal strengths, getting better at what you already do. In a volatile world, the board of directors should definitely focus on the agility of an organisation. This requires not only a continuous questioning of the company's ‘purpose’, but also the continuous reconfiguration of the value chain, across organisations. In the past, the focus was on robustness. Taleb taught us to look for antifragility, to set up structures in a way that they can function better under stress. This can be achieved by basing organisations on fluid open networks and thinking in terms of adaptive value systems and ecosystems, rather than operating as isolated silos.
  • Perhaps I am biased, but cybersecurity is a subject that should not be underestimated, even in the boardroom, kind of depending on how crucial digitality is in your operations. Every sector and organisation will be affected sooner or later and will have to deal with it.  Depending on the vulnerability, a cyber-attack, which is becoming more professionally organised, will have an impact, significant or not, on business operations and sometimes viability.

What are your experiences so far, what is the expertise you can contribute to the board of an SME and startup? And is that the same game?

Many of the topics are similar, but there are some other priorities that dominate everything at times. Getting to the next funding round is such an example.

There are also quite a few fundamental differences. The view of long-term survival is one of them. In a startup, that is not necessarily the main driver. What do I mean by that? A startup is sometimes defined as an experiment, in which the initiative is tested to see if it has a chance of 'booming' in the long run. And if it does not have that chance, it is a matter of reaching that conclusion early on, having spent the least possible resources and stopping it.

This seems, at least at first glance, to clash with the classical formulation of a corporate governance goal, i.e. ‘value creation in the long term, with continuity of the company’. If you see a startup as an experiment, the pursuit of business continuity per se is irrelevant.

Long-term value creation still stands, but as a unit-of-analysis we must look beyond the specific company. If you look at it from the perspective of all the different stakeholders, it is still good for LT value creation to stop a business that is not going to boom, because it will give everyone involved the opportunity to invest time and resources in new businesses that may have a chance to boom. Rationally this is true, but emotionally it is difficult to accept, and it usually takes a while before this rational position is shared by everyone on the board.

My expertise? Above all, bring perspective. My experience as a director is mainly in smaller 'tech' companies seeking to grow. These include startups, but also more mature, ambitious 'tech' companies faced with transformation (changing business model - often with cultural implications, or wanting to go international), and I can help them based on my experience at Zetes, for example.
I have seen it happen. The growth from an SME to a 30 times larger international listed player, and I have made all the possible mistakes in the course of it. I have been fortunate to take on various roles within Zetes, ranging from strategy and corporate development at HQ to regional leadership deep in the field, always in close cooperation with the CEO.
Combine that with the perspective of a Venture Capitalist, and the perspective of someone who has felt the 'early stage entrepreneurial pains' on the inside of a startup. These experiences, supplemented with a relatively broad theoretical basis and my preference for the Socrates method (I mainly ask questions), give an insight into my attitude as a director. The people I work with tell me that this perspective and questioning sometimes helps them.

What is your advice to directors on implementing a good cybersecurity policy?

One of the topics of interest at board meetings today - think of the shutdown of Maersk, Asco, Picanol and others - is cyber-attacks. The Financieel Dagblad even wonders whether cybersecurity should be the most important topic in the boardroom? Indeed, 1.4 billion digital files have been stolen, an increase of 86% compared to last year. With your background as CEO of a cybersecurity consulting firm, I'm curious about your message to directors, about implementing a good cybersecurity policy?

You cannot prevent a cyber-attack with 100% certainty. At most, you can reduce the chance of occurrence, and limit the impact.  It is a bit like your home.  If I ask you whether your home is properly secured, you will probably answer in the affirmative.  However, engage a 20-strong SWAT with a tank and they are sure to get in. It is therefore important to assess who might be interested in getting in.

If you ask me about good cybersecurity policy, the first question is whether a cybersecurity policy is in place at all? You cannot imagine how many organisations have never thought about this, let alone installed one.

A quick way to find out is to ask the director about the incident response playbook  - what process will be triggered in case of a cyber incident?  If there is an inadequate response to this, it is highly likely that no one is serious about it.

Should cyber be higher on the agenda?

Absolutely, for at least the following two reasons:

  • We have all become extremely dependent on the digital today. You all know ‘warm sweater day’, the day when we collectively turn down the heating by one degree. Imagine if we implemented the IT equivalent of that, switching off all forms of IT for a day. We wouldn't have made it here today, we wouldn’t even be able to set up this meeting. Our organisations have become increasingly dependent on the digital (e.g. e-commerce, files, websites, payments, process controls, medical devices, etc.) and we can hardly afford their failure.
  • In addition, the ‘bad guys’ who carry out cyber-attacks have become so professional (today, they are no longer just pimply teenagers but industrialised business branches with specialised supply chains) that this has become ‘big business’ for them. Incidentally, you should know that currently 43% of cyber-attacks are directed at SMEs.

A cyber policy ensures that you deal with this in a well-considered way.

So how can you start a cybersecurity policy?

There’s no use recruiting someone for this, because you have no idea of the ‘size of the challenge’, you don’t know what you don’t know. Therefore, it is impossible to know what profile (‘calibre’) you need.  That is why you should start by mapping out the situation, a quick assessment of where you are and where you should be in your specific situation (a baker and a bank have different digital vulnerabilities and accept different levels of risk). Weighing the risks against the acceptable risk level will give you an insight into the ‘gap’ that can be worked on.

Such an assessment will quickly give you an idea of the scope of the challenge, so you can decide what kind of talent to put in place to  work on those ‘gaps’. You do not necessarily need this talent in-house, nor necessarily full time (incidentally, worldwide there is a shortage of 1.5 million people with this kind of knowledge). Plenty of companies now offer this ‘as a service’. Various governments, including the Flemish government, encourage this approach by subsidising initial assessments and roadmaps for SMEs.

How to use resources wisely?

If anyone is seriously working with this, the question is: how effective and balanced is the policy? To draw the parallel again with your home: security advisers sometimes come across houses where bulletproof glass has been installed on the 3rd floor, while the front door is permanently open. In the digital domain, people are sometimes not even aware that there is a front door at all.

So here too, it starts with mapping:

  • What is important for your business, what are your crown jewels?
    • You are going to secure your house differently if the Mona Lisa hangs in one of the rooms.
    • Do you have ‘mission critical’ systems that have to be up and running at all times? You are going to secure those rooms more heavily. Do you have (digital) assets to secure?
    • Do certain regulations impose fines if you fail to score well in some aspects? Pressure from Compliance.
  • Where do you stand on the various dimensions that contribute to risk reduction?
    • In terms of ‘People, Processes (organisation, policies) & Tech’
  • Where should you stand according to your risk appetite?
  • So what is the 'roadmap' to close the gap?
  • And what are the initiatives & investments you should make in the coming period to have the biggest return?

A good cybersecurity policy actually boils down to drawing up a ‘roadmap’ of risk mitigation for the priorities that have the greatest marginal benefit, while being fully aware of what the residual risks are and whether they are in line with the organisation's objectives. There are plenty of frameworks, often sector-specific, to help with this. (e.g. NIST – Identify / Protect / Detect / Respond / Recover, CIS-18, ISO27001, …)

What do you want to see as a director?

  • At the very least, that someone within the organisation feels responsible for the cyber domain. Someone who adopts the role of Chief Information Security Officer (CISO).
  • That there is a structured and ‘comprehensive’ plan of action.
  • That you have an overview of the risks, and that you can agree with the decisions made. This also adequately defines the threshold above which the board meeting is involved.
  • That you understand the implications of your choice.
  • That Compliance is sufficiently respected.
  • And above all that the culture is moving in the right direction. The majority of incidents start from the action of an employee.

A good cybersecurity policy remains ‘tricky business’. Cyber risk has its own characteristics (of a ‘black swan’) and is often not well understood by the board. It is everywhere and nowhere, while it can completely cripple your business. The effect can indeed be so great that it wipes out a company.

If you really want to excel, this recommendation can be supplemented by the following elements:

  • Make CS a regular item on the board’s agenda and deal with it in a language that every board member can understand. Education about CS supports this.
  • Let the CEO report on cybersecurity himself instead of outsourcing it entirely to the CISO. He can be supported by the CISO for details, similar to support by the CFO. This line-of-business ownership is important to embed CS culturally.
  • If necessary, supplement this with external parties who inform the board directly, by analogy with a classic external auditor.
  • Create a dedicated cyber risk committee. This may sound like wishful thinking, but for an increasing number of organisations it is becoming a necessity:
    • Gartner predicts that by 2025, 40% of boards will have set up a cyber committee.
    • GM, for example, has one. This may seem strange for a car company, but it is more than necessary when you are dealing with ‘driverless cars’, internet of things, e-commerce...

Last but not least, it is up to the board members themselves to set a good example in cyber-hygiene: make sure no one has your password and/or that it is not easy to crack, work in a secure environment...!

What other tips can you give in general to be a good director?

I have made a selection of five tips. Five that have stuck after interactions with some very experienced management experts:

  1. Take your role seriously and adopt it actively. You cannot weigh everything equally, but try to make a real difference on three or four points in every board meeting. (with thanks to Raf De Caluwe)
  2. ‘Challenge when things go well, help when things go not so well’. I see too many directors who are sticking to just one side. (with thanks to Luc Bertrand)
  3. Try to stay in the ‘zone of sustainability’ by looking at everything through the 3 lenses, i.e. economics, law & ethics, and have an eye for diversity (not only ‘gender’) (with thanks to Prof. Dr. Lynn Paine)
  4. Be very aware of your biases and compensate for them in your decisions (thanks to Barend van den Brande from Hummingbird, a very successful Belgian Venture Capitalist)
  5. Keep the purpose in mind at all times. The ‘why’. Why are we here, what are we trying to achieve. This is often where the answers can be found. (with thanks to myself).

Why did you decide to become a director and how does the network such as GUBERNA Directors support you in this?

A few things came together that prompted me to take the step to become a director.  First of all, Lynn Paine aroused my intellectual curiosity about corporate governance with her few dozen increasingly nuanced cases on the subject.  These case studies invariably seem trivial at first, until you apply a set of lenses to them in order to arrive at a balanced view, a view that is necessary in order to continue operating in the 'zone of sustainability'.  Then, during my time at Zetes, I aimed for a broader impact and when I landed back in Europe after a long-term mission in Africa, I dived into the startup community in my spare time. It starts innocently by helping a friend of a friend to set up his first financing, but before you know it, you are walking around with a few stakes and a few mandates and I have committed myself to a venture capital fund. That startup community is an addictive environment. There is a lot of youthful energy circulating there, which you sometimes just have to channel to get results. From there, this was quickly expanded to include more mature companies in a quest for added complexity, which is why I now focus on typical technology SMEs with ambitious shareholders and big plans, whether they involve a complete overhaul of business models (and accompanying new culture) or internationalisation.

GUBERNA and the GUBERNA Directors network support me in my 'lifelong learning' and also as an HR network. I am someone who likes to supplement his practice with a theoretical foundation to fall back on from time to time. Not to apply this theory dogmatically, but as extra lenses to look at reality. The more of these lenses you have, the richer your image and the better your decisions. This is so with diversity in a group, just as it is with diversity of viewpoints within your own head. In the GUBERNA Directors network, you have access to many interesting people who share the same passion, who can sharpen your vision and who can put you in touch with interesting opportunities. 

Chris Wouters

Interview conducted by Chris Wouters
GUBERNA Certified Director
Business Partner and Advisor, President Board of Onderwijs van Zusters van Christelijke Scholen van Vorselaar - koepel, Board member Media holding, Board member Lieven Gevaertfonds, Board member Logia
Mobile +32 477 666 083
Email wouters_chris@skynet.be

Want to contribute to GUBERNA Directors Sparkle?

GUBERNA wants to be a true community in which each member can perform his/her role as director in the best conditions. To encourage the exchange of experiences and knowledge, the GUBERNA Directors have launched an interview series: GUBERNA Directors Sparkle. Through the stories of experienced directors, we want to inspire our members.

We would like to invite the GUBERNA Directors and GUBERNA Certified Directors to provide topics and people to be interviewed. In 2022 we want to focus on the following topics:

  • How can the board of directors contribute to a better climate?
  • From fact-checking to process-driven risk management overseen by the board of directors?
  • The role of the board chair in digital transformation.
  • How to strengthen your company to grow through acquisitions and partnerships and get your corporate governance right.
  • The young generation of board members.

Would you like to contribute to GUBERNA Directors Sparkle or do you have suggestions for interviewees or topics? Please send an email to Danny VandeVyver.