Chief information security officers generally work to cultivate the security of their organization’s computers, website, and applications, working alongside cybersecurity and IT team members. The role of a CISO used to be mostly tactical, with the officers fully responsible for protection against cyber threats, but today the position is more about conducting and aligning strategic planning so that an entire organization can properly prevent threats as a collective.
Although publicly traded companies aren’t moving to add cyber experts to their boards, there is evidence that CISOs would actually excel in board directorships. This month, IANS Research, Artico Search and The CAP Group released a report evaluating the qualifications of CISOs across the Russell 1000 Index (R1000), listing key traits for credible candidates.
The results indicate that 14% of R1000 CISOs — or roughly 1 in 7 — stand out for possessing the necessary traits for a position on a board of directors. It is notable that this report comes as the Securities and Exchange Commission (SEC) is working to finalize new rules concerning cyber expertise and transparency.
Of course, one of the reasons the SEC and others are calling for more CISOs on boards is precisely so they can bring their unique domain experience to broader business discussions on boards. But it’s also clear from the research that the best candidates will be able to bring other skillsets to the table.
“Technology and cybersecurity expertise alone are insufficient for board directorships,” stated Brian Walker, CEO and cyber board advisor at The CAP Group, in a press release. “Board directors operate at a strategic level and in most boards, there is no room for ‘one-trick ponies’ since adding a new director for every complex domain of expertise isn’t scalable.”
Key criteria for a CISO to excel on a board
A few key pieces of criteria a CISO should have to succeed on a board include, among other factors: infosec tenure, cross-functional expertise, the ability to scale, and an advanced education.
Having infosec tenure means the individual would boast, as the report states, “deep domain expertise” of approximately five years as a CISO and 10 or more years of experience in information security. Possessing this know-how helps with both asking the right questions and challenging entrenched assumptions.
Relatedly, broader business experience is an additional key requirement. The report states that CISOs who have experience in noncyber functional roles — such as being a company founder or consulting on strategy — are strong candidates for board seats, as their skills are wide-ranging.
This leads straight into the next prerequisite: having scale. Say a CISO has experience as the head of information security at a large, global organization—that could show that they have a comprehensive and inclusive perspective and are capable of navigating a wide array of stakeholders.
In order to succeed in a board of directors seat, a CISO would also need advanced education, as this factor “enhances the board’s credibility with external stakeholders,” according to the report, and is “indicative of critical thinking and analytical skills” that would certainly aid an individual on a board.
Diversity is also critical
Diversity is another — and perhaps the most important — trait for a CISO to have if they are looking to join a board of directors.
As Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice, said in the report: “To serve as an additive board member, one must bring a unique combination of domain expertise and strategic governance, as well as a pedigree that advances the prestige and diversity of the board makeup.”
Indeed, as the report states, the rationale for the diversity criteria is that each board member would bring their own different or new perspectives to the table, which would help the group to identify blind spots and avoid potential pitfalls. Diversity in a new board member might mean that they perhaps identify as female, a person of color, or from another underrepresented group (and this aligns with SEC rule 5605(f)). “In today’s world, boards are seeking diversity of experience and thought, and expanding board opportunities to underrepresented groups,” Martano added.
Boards of directors are ready for CISOs
While the June report states that CISOs’ “readiness for board roles varies widely,” data does show that, as Martano put it, “there is a large portion of the population of CISOs who could emerge as board-ready in the next several years.” Both boards and CISOs would “benefit from aligning on expectations for a board-ready cyber expert,” preparing the CISO community to help meet long-term board needs.
In order to best ready themselves to join boards, the report recommends that CISOs should identify the five aforementioned key traits in themselves. They should also assess their soft skills, analyze any gaps in their resumes, and strengthen their career narratives by working on maintaining personal brands and cultivating diverse networks.
For companies looking to consider CISOs for board roles, the report suggests they begin with the Russell 1000, as well as cast a wide search net, make sure to prioritize diversity, and not require board certification, as only about two percent of top 1000 CISOs are board-certified, so that may shut out promising talent.
Freelance journalist Jessica Beebe is the author of this article.