Naming a cybersecurity expert to a company boardroom makes sense to many of us. Companies possess commercially valuable data and understand that cyber threats pose a significant risk to their budgets, operations, and reputations.
And for some of us, sitting on a board is the holy grail. There’s prestige and compensation.
But membership on a board comes with responsibilities, and demands skills, that aren’t automatically within our wheelhouse, so we’ve got to take a sober view of what would be expected of us. And having a CISO within its ranks isn’t the only way for a board to gain the knowledge it needs to review and challenge security-related proposals and decisions.
Public companies aren’t currently obliged to have cyber experts on their boards. The Securities and Exchange Commission recently proposed rules intended to ensure boards understand how security issues translate to an organization’s operational risk. Among other things, the proposal would require public companies to disclose whether any board member has cybersecurity expertise, which in practice nudges boards toward seating a qualified cybersecurity expert or someone with equivalent experience.
The SEC hasn’t finalized the rule yet, and it’s unclear whether the final text will go further and mandate the presence of a CISO on public company boards. If it does, that could open the floodgates to board membership.
But not every CISO is ready to join a board because membership carries heavy responsibilities and requires a broad business knowledge set.
If you’re a board member, you don’t just get to weigh in on your area of expertise. Like every other board member, you’re expected to weigh in on the various aspects that affect a business’s operation, like financials and operational risks, because you’re there to provide oversight.
Being on a board means having the necessary skill sets to function as a broad business generalist, which is what most board members are – former CEOs, CFOs, or people who have had broad business experience. Public boards have a limited number of seats. So, absent a mandate calling for a security person, board members will be people with more comprehensive general expertise who can help from a business perspective.
We’ve seen how the role of the CISO has transformed over the years. In its first iteration, it was super technical, and the people holding it were probably reporting deep down within the IT organization. Over the past decade, we’ve seen the CISO role rise to reporting to the CIO, a peer of the CIO, or maybe the general counsel. The CISO role has gotten elevated, and with it, so has the expectation that a CISO can speak to a company’s business side.
In its third iteration, the CISO’s role would be to function at a senior executive level where you understand things like finance, product design and development, and operational risk. That requires training and/or experience outside of technology. By this time, we have hopefully transitioned away from selling FUD (fear, uncertainty, and doubt) or security theater, although some vendors still rely on this a bit too much.
It also takes time and networking to get on public boards. That’s why being known in your industry, having a personal brand, and contributing to the industry are essential. Maybe the path is to start with advisory boards of smaller companies. Non-profits are usually a good place, too.
Because boards must be conversant with a business on so many levels, security among them, having a CISO present brings value. It isn’t the only option, though: training the rest of the board to ask the right security-related questions is essential whether or not a security expert holds a seat.
But if I were a CISO looking to join a board, I’d want to make sure I’d be ready to contribute as an actual board peer — and not just be a security wonk in the corner. Don’t get me wrong, I can still nerd out with the best of them, but we must also contribute at a higher level.
Having served on public and private boards, I can say that it is a great experience, but you must be ready to put in the work.
Disclaimer: The views are solely those of David Cass.