CISOs on Boards Starts with CISOs at the Senior Officers Table
George Kurtz, the CEO of CrowdStrike, spoke at the RSA Conference last week and said, “From the lens of a company CEO, every board needs a CISO.” He went on to say, “In the next decade, every company will have a CISO on their board – or wish they did.”
I have seen the value George spoke about. I’m a technical advisor to the board of a large critical infrastructure entity, and technology and security issues are among the top agenda items every meeting. I find that I work behind the scenes with company IT and security leaders, and ask questions and bring up points in their meetings that no one else on the board would know to ask. I even had the chairman of the board come to me after a meeting and say, “Thank goodness you were here to bring that up.”
Considering how important technology is to business innovation and efficiency, the scale of new technology-driven opportunities and investments like AI, and the continual growth of impacts from cyber threats, the boards of large companies (especially those in critical infrastructure industries) can gain great value from having “digital directors.” In reality, though, very few company boards have CISOs. Just 9% of companies listed in the Russell 3000 Index have information security expertise on their board.
The decision whether to add a CISO to a board is not just based on the business’ cyber risk, it is also based on what a CISO can contribute. Technology and cyber are critical issues, but the list of issues boards must consider is much broader, and no board can dedicate a scarce seat to a director who only adds value in a single area. I have spoken with dozens of board members, including several who chair Nominating/Governance committees that focus on the selection of new directors, and a fear I consistently hear about CISOs is that we are that dreaded “one-trick pony.”
Position for future board service by starting with your reporting structure
Some CISOs have taken a zigzag career path and have experience in areas outside of IT and security, but for those of us who have risen through the IT/security organization, the one-trick pony label may be influenced by our reporting structure. I have long been a proponent of information security reporting separately from IT, due to the inherent conflict of interest and to position InfoSec on the middle tier of the three-tiered model for business risk management. Separate from that discussion, I believe that sitting a step below senior leadership, reporting to the CIO as part of IT, also hurts a CISO’s future opportunities to serve on boards, because the CISO is viewed as IT-siloed.
Being at the senior leadership table not only provides better visibility across the spectrum of business initiatives that could create security risk, but it also exposes a CISO to the wide range of business strategy discussions, perspectives, and decisions being made at that table. That makes for a better CISO, and it is also fantastic training and broad business experience for serving on a board.
Getting to the senior leadership table
It’s easy, right? Chances are your company has never had a CISO at the senior leadership table, so it takes some trail blazing.
The starting table stakes are obviously being a really strong CISO – showing a deep and strategic understanding of technology, data, and cybersecurity; strong management and development of your people and teams; and implementation of a thoughtful strategy that protects your business. Delivering value.
Two traits that help take your chances to the next level are business acumen and executive presence: understanding and speaking the language of business, partnering with and influencing business leaders, having a strategic business orientation, and having a record of integrating security to help make business strategies and initiatives successful. Continuously making those contributions will make business leaders want you at their table.
It takes time, and the level of risk for your business is a major factor, but my advice is don’t settle for the traditional reporting model if it is suboptimal. Position yourself and seek the opportunity to serve on the senior leadership team to reduce business risk, improve your performance as CISO, and better position yourself for board service in the future.
Serving on a board is an opportunity to magnify your career’s impact and bring about changes that will improve the level of cybersecurity across a business and even industries. Every CISO should consider it a next career step, and I am hopeful that George Kurtz’s prediction comes true. Look at your reporting structure – is it helping or hurting you getting there?
Hold Fast
Stay True