Everyone even peripherally involved with corporate governance, compliance, or risk management knows that corporate boards need more CISOs to help them navigate today’s cyber-saturated world. Even better, plenty of CISOs are at least open to the idea of serving on boards.
That’s good news, but it raises an important question: Just what type of experience should a CISO have to be a strong candidate for a board seat?
It’s not enough to put “cyber experience” at the top of your LinkedIn profile and then wait for the recruiters to call. CISOs need specific types of experience, both technical and operational, to gain the perspective and judgment that boards want to see. Only then can you be a credible candidate for board service.
Start with the technical
Of course, CISOs are desirable for their technology expertise – but not all cyber experience is created equal. Certain experiences will be far more valuable for board service than others. For example…
Managing a crisis. Boards always want directors with experience in crisis management, for two reasons. First, they want directors who can help lead the organization through a crisis in that moment: when systems are down, employees are confused, investors are calling, and headlines are staring up from your laptop or newspaper. Even more valuable, however, are board directors who can anticipate potential crises because they’ve already endured those moments at other organizations.
For better or worse, CISOs do confront plenty of crises on the job. So, when that data breach or ransomware attack does strike, pay attention to how the crisis happened and what your response was. Ideally, perform an “after-action report” once the crisis is over, to understand what your team did well (forensics, breach disclosure, external communications, and so forth) and what improvements could be made to policy, procedure and/or controls.
Building risk management systems. Beyond the crucible of crisis management, boards also want CISOs who know how to build risk management systems. After all, the board’s foremost job is to oversee risk management. It typically does this by meeting with the management team to review reports about risk. Director candidates who grasp the art of building risk management systems – who understand what a risk management system is supposed to do, and can ask penetrating questions about the systems management presents to the board – will have a leg up on others.
Developing KRIs and KPIs. Along similar lines, CISOs should also have experience developing key risk indicators (KRIs) and key performance indicators (KPIs) related to network performance, potential cyber intrusions, the security posture of technology vendors in your supply chain, and the like. That insight into how a “normal” business IT system should behave, and which red flags to watch for most closely, will be crucial for boards working in our highly regulated, highly integrated, highly digital world.
Build your business skills
Even with all the above said, CISOs need more than technical expertise to jostle their way onto a corporate board. They also need business acumen.
For example, CISOs should have ample experience dealing with CFOs and CEOs. Those executives account for a large number of board directors already, so you need to understand their perspectives and speak their language.
In practice, that might mean being able to understand the cost-benefit analyses that guide decisions on corporate investments or knowing how to quiz a management executive about budget requests; that’s what CFOs do. You also need to understand how financial and operational priorities support strategic goals; that’s what CEOs do.
As one board director among many, you’ll only be casting one vote when the board decides big strategic questions – but as a CISO on that board, and quite possibly the only CISO on the board, you will be able to suggest how the board “adjusts” its strategic choices given the cyber risks the organization faces.
For example, say management wants to adopt an outsourced sales model, so it can expand overseas with third-party sales agents. Would you be able to veto that idea because it brings considerable new security risks? Probably not. But you will be able to tell the board, “Hold up; this will bring considerable new cyber risks, and we need to be sure management has an answer for that” – and then lead that discussion.
Also remember that as a CISO, you’re likely to end up on the board’s risk committee, handling any number of risk management concerns: cybersecurity risks, yes; but also compliance risks, ESG risks, and other non-financial risks that merit the board’s attention. (Financial reporting issues are the purview of the audit committee, which has plenty of work already.) What experience is good for service on the risk committee? Working closely with the compliance officer and handling crises.
Yes, it’s also who you know
We’d be remiss if we didn’t also state the obvious: another important part of the path to board service is your professional network. Use it to the fullest extent possible.
That means asking other board directors what they do, and who they know. It means getting involved in professional associations such as the National Association of Corporate Directors, which has local chapters across the United States. Put out the word to recruiters, who at the very least will usually be happy to keep your resume on file.
Consider serving on nonprofit boards. Many of them work on tight budgets and are desperate for skilled board directors, especially those with IT experience. Your fellow directors on that nonprofit board might also be serving on other boards, and suddenly your network becomes a bit larger.
That journey to board service might take time, but then again, look on the bright side: cybersecurity issues are here to stay. Boards will need CISO perspective for a long, long time.
To learn more about NAVEX solutions for cybersecurity and risk management: