Staff

The Rise of the CISOs: The New Essential Voice in Boardrooms Amid Cybersecurity Challenges

The growing importance of robust cybersecurity strategies in contemporary business operations is prompting companies to integrate security executives into their boardrooms.


According to Chris Steffen, research director at Enterprise Management Associates (EMA), it's becoming a common practice to promote Chief Information Security Officers (CISOs) to board positions. This shift recognizes that cybersecurity should not be a subordinate aspect of a company's tech priorities.


With risk management and regulatory compliance taking center stage in companies, CISOs are becoming indispensable as they oversee a majority of these security-related controls, Steffen added. As cybersecurity incidents are reported more frequently, it's essential for boards to show they're actively addressing these issues. The most effective way of doing this for many organizations is to place the CISO in a decision-making role on the board, he explained.


Nick Kakolowski, research director at IANS Research, agreed, highlighting the rising recognition of cyber risk as an essential part of business risk. Boards need CISOs to join these high-level discussions, but they must bring more to the table than just cyber expertise. They should also possess a broad understanding of business operations, as boards are likely to look for versatile skills rather than only cybersecurity specialization.


IANS Research recently partnered with Artico Search and The CAP Group for a study on CISOs' readiness for board positions. The study found that fewer than half of CISOs are considered potential board candidates. It also revealed that 90% of public companies don't have a qualified cyber expert on their boards, indicating a significant gap in cyber expertise at the board level. Only 15% of CISOs display the broader qualities needed for board roles, such as a holistic understanding of business operations, a global outlook, and stakeholder management skills. An additional 33% possess a subset of these traits.


So, what extra skills should CISOs cultivate apart from cybersecurity knowledge to be potential board members? According to the research, CISOs should focus on three areas: soft skills, diverse business experience, and personal branding. They should develop strong emotional intelligence, expand their knowledge of different business models and strategies, and construct a compelling career narrative that highlights their unique executive expertise, Kakolowski recommended.


Effective communication skills are also crucial, Steffen noted. CISOs should be adept at explaining complex security issues in a way that non-technical board members can understand.


Larry Whiteside, CISO at RegScale and a board member of various organizations, added that good business acumen is vital for a CISO's effectiveness in the boardroom. This includes knowledge of business operations and revenue generation strategies. Additionally, a CISO must grasp risk beyond just the technological aspect, understanding the impact of compliance, regulations, fiduciary risk, operational risk, and technology risk on the company.


Steffen concluded that CISOs should recognize their roles and responsibilities within the board and the organization, avoiding overstepping their boundaries. Additionally, they should establish a strong professional network they can rely on for any emerging issues.
