With technologies like AI driving significant opportunities for growth and efficiency, threats like cybersecurity presenting major risks, and regulators and stakeholders pushing boards to be more engaged on technology governance – most boards could benefit from the been-there-done-that expertise of CISOs. Unfortunately, surveys continue to show that very few boards have directors with our background, that boards struggle with cybersecurity, and that they consider it one of their most challenging issues.
I have attended three seminars in the past year on trends in what boards are looking for in new members, hosted by both the National Association of Corporate Directors (NACD) and the Private Directors Association (PDA). All three seminars had panels that included board nominating/governance committee leaders, and all spoke about the priority of adding “Digital Directors,” i.e., directors with technology skills. Yay - progress! But wait - unfortunately, all three panels also spoke about how hard it is to find candidates that fit their needs.
There are many factors at play in that issue, but one is a worry that CISOs are single-issue leaders, i.e., one-trick ponies. Boards have a lot of ground to cover and cannot afford to dedicate a precious spot to a director who will not add value in multiple areas.
I am very biased, but I strongly believe many CISOs are not one-trick ponies. The modern CISO role for a medium or large company demands collaboration on goals with other business leaders, courage to speak up on key issues, and engagement on strategy across the organization. Modern CISOs are typically at the senior leadership table, meeting with the board, part of M&A activities, working closely with business partners, managing large budgets, and out in front of the workforce.
CISOs need to break the typecasting as one-trick ponies and demonstrate they are not mysterious denizens of the data center. The best way to do that is by visibly building their role as partners with business units on new initiatives, speaking the language of the business, being strategic and pragmatic about how the organization addresses risk, and keeping the mission of the business central to security actions.
CISOs can also benefit from expanding their involvement in business support areas like budgeting and fiscal management, HR, and resilience planning. Participating in community service, mentoring, teaching, and other “extracurricular” activities also broadens leadership perspectives.
I have seen firsthand on two boards that digital directors have a major positive impact in multiple areas. CISOs should continue to build their versatility as well-rounded executives, prove the one-trick pony label is outdated, and help improve the next generation of boards.
Hold Fast and Stay True!
Paul and Doug, I could not agree more. Over the course of my IT career, starting in the early '80s (yes, the last millennium!), I watched the analogous evolution of the role from Manager-EDP to CIO. The same thing is happening now for CISOs (often, starting out as the infrastructure manager)! In a blog post, From Cyber Guardian to Boardroom Luminary – A Personal Story About CIO Evolution Parallels, with Career Advice, I provided several specific career development considerations. They can be found here: https://bobchaput.com/from-cyber-guardian-to-boardroom-luminary-a-personal-story-about-cio-evolution-parallels-with-career-advice/
Paul, as you may remember, I’m one of those “digital directors”. While not a CISO, I was a CIO (even before the role of CISO became commonplace). You describe a situation that CIOs were in 20 years ago. Their expertise defined them as “one trick”, and it took a while for CIOs to start acting like executives ahead of their technical knowledge. CISOs must do the same. Demonstrate that they are true executives who happen to have a very critical technical skill.