CISOs - the pathway to becoming a Board Member

As digital transformation and cybersecurity become an ever-increasing focal point of the modern Australian enterprise, terms like “every company is a technology company” or “protecting our IP is our lifeblood” ring true. ASX-listed and private organisations are increasingly acknowledging the need for their company board composition to include CISO (and/or CIO) skillsets as cybersecurity has become the enabling success factor for digital transformation across a wide array of industries. Going one step further, the SEC in the United States has recently proposed new rules that would require U.S. public company boardrooms to disclose corporate directors with cybersecurity expertise.

Technology and specifically cybersecurity expertise is especially lacking at the board level in Australia. In fact, a recent report* found that approximately 70% of non-executive or independent directors came from CEO, COO or CFO/Senior Finance experience, with no mention of technology experience representation. As the number of cyber security breaches increases and damage to brand (and board) reputation increases, organisations must take more serious steps to include technology experts on their boards. This is, however, a relatively rare skillset within the ranks of most corporate boards, both in Australia and overseas.

Australian boards need to include CISOs (and CIOs) at the helm of their leadership who can provide advice on moving forward with digital transformations and the inherent cyber threats accompanying change initiatives and how to prepare for the future. As board members, CISOs (and CIOs) can be effective when explaining how changes to their infrastructure can increase growth and reduce risk, as well as explaining the organisation’s risk posture and the relative impact of potential breach scenarios. Most importantly they can elevate the conversation to ensure understanding, more informed decision-making, or total business alignment, which is especially crucial during a crisis when companies need to move even faster.

So what makes a CISO attractive to corporate Australian boards and what areas do they need to focus on to elevate their career to the board?

Broaden experience and expand your SKILLSET.

The more exposure CISOs gain in areas outside of technology and security such as M&A, product management and/or other interdepartmental activities, the more their skillset diversifies and increases demand for their scope of talent. For example, if CISOs play a key role in acquisition diligence and integration, it’s important that they can articulate how cyber risk fits into the overall enterprise risk landscape and effectively assess the maturity and capabilities of the acquired company’s security posture and practices. CISOs are also increasingly engaged by company leadership to help address customer questions and concerns (PR/Communications) related to their company’s security credentials.

Translate cybersecurity risk into business impact.

This is a high priority topic. CISO credibility is directly underpinned by their ability to understand how to quantify risk into data and analytics. Take the broad concept of risk and translate it into useable data that effectively pinpoints the negative impact that occurs (if not addressed) to financials and business plans. What are the trade-offs that will need to be made when making business decisions related to cyber risks and potential implications to the financial bottom line?

Invest in relationships and your communications skills.

Two of the key fundamentals at the executive level are communication skills and relationship building. CISOs need to continually refine these to better position themselves as potentially viable candidates for board opportunities in the future. Seek out opportunities to actively participate and articulate your business views in as many high-level, strategic discussions at the executive leadership and board level as possible. Or are you currently doing the rounds as a speaker at various industry forums? Finding a mentor willing to invest in your development is definitely worth the effort in order to navigate your career and the path to positioning yourself to be considered for board opportunities.

Seek out other board experiences.

Although many of the expectations and requirements for serving on a board of a non-profit or a start-up are not as high or stringent as they are for serving as a director on the board of an ASX-listed company, there are still benefits to be gained from such experience. For one, it can help you to become more comfortable serving in more of an advisory and strategic capacity as opposed to focusing on operational responsibilities. Additionally, it can provide opportunities to interact with, learn from, and build relationships with fellow board members who may also sit on public boards.

Credibility beyond information security.

For CISOs, in-depth knowledge of security goes without saying, but this knowledge alone won’t catapult you into a board seat. You need to acquire breadth of experience and find exposure to all aspects of the business at all levels of seniority. Exceptional CISOs develop strong networks across all aspects of their business, including finance, legal, HR and PR departments, as these areas typically overlap with matters relating to cyber security, risk, remediation and public response.

Outstanding communication skills.

CISOs must use this as a golden opportunity to translate the importance of cybersecurity into actionable measures (and counter measures). This open line of communication advocates for the invaluable role of a CISO and why they are an important skillset to both company and board. As company leaders increasingly understand the security implications of their decisions, they not only begin to recognise the value of CISOs but depend on their expertise.

Strong business acumen.

CISOs must have an appreciation and understanding of the entire business. For example, if a business had to close its operations for 48 hours, address a ransomware attack and provide a recovery strategy, the CISO must be able to explain the immediate and longer-term business ramifications of such a major decision.

The Decipher Bureau effect – We hope this provides some insights to anyone seeking their first board seat as you prepare for your next career progression. Alternatively, for an organisation seeking to conduct a confidential search for CISO talent, reach out to one of our specialist team members for a confidential discussion and market assessment.

(*Source: Securityweek.com: “Why Companies Need CISOs and CIOs as Board Members”)