From Board Advisor to Board Member: Evolution of the Modern CISO

Jamey Cummings | November 16, 2021

The role of the modern-day Chief Information Security Officer (CISO) has become increasingly indispensable to companies. As robust enterprise cybersecurity programs become a more prominent component of the well-being of organizations, C-suite leaders and board members are increasingly depending on CISOs’ advice and input. This has been magnified by the expansion of remote work and the persistent growth of cyber threats, ranging from denial of service to ransomware attacks. These challenges have revealed again and again that a strong cybersecurity structure and team must be in place for the security posture and success of any business.

Boards must be increasingly cybersecurity savvy to effectively engage their CISOs, especially in light of growing threats. As a result, cybersecurity expertise has moved up the long list of criteria against which new potential board directors are evaluated, and CISOs are beginning to earn seats at the table as corporate board members.

Criteria for Becoming a Board Member

So how do CISOs take that final leap to the board room? Below are a few fundamental qualities stakeholders consider when evaluating candidates for these coveted Board Director roles.

Credibility beyond information security.

For CISOs, in-depth knowledge of security is necessary but insufficient to position themselves credibly as potential board members. They must acquire breadth of experience and seek exposure to all aspects of the business at all levels of seniority. Exceptional CISOs develop strong communication across all aspects of their business, including the finance, HR, and legal departments, as these areas overlap in matters of security and privacy.

Impeccable communication skills.

Technical jargon is not a native language to most executives outside of the IT function. CISOs must use this as an opportunity to translate the importance of cybersecurity into actionable measures. This open line of communication advocates for the invaluable role of a CISO and why they are an irreplaceable entity in the company. As leaders understand the implications of their message, they not only begin to recognize the value of CISOs but depend on their expertise.

Strong business acumen.

CISOs need a well-rounded understanding of the entire business. For example, if a business had to close its plant for 48 hours to implement a recovery strategy after a ransomware attack, the CISO should be able to explain the immediate and longer-term business ramifications of such a critical decision.

The Pathway to Become a Board Member

Broaden experience and expand your skillset.

The more exposure CISOs gain in areas outside of technology and security, such as M&A, product management, and other interdepartmental activities, the more their skillset diversifies, increasing the demand for their caliber of talent. If CISOs play a key role in acquisition diligence and integration, for example, it is important that they understand how cyber risk fits into the overall enterprise risk landscape and that they can effectively evaluate the maturity and capabilities of the acquired company’s security posture and practices. Furthermore, CISOs are increasingly engaged by their market-facing colleagues to help address customer questions and concerns related to the company’s security credentials.

Translate cyber risk into business impact.

The importance of this ability cannot be stressed enough. CISOs worth their salt understand how to quantify risk with data and analytics. Take the abstract concept of risk and translate it into comprehensible data in order to articulate the potential impact that leaving those risks unaddressed may have on financials and current business plans. Spell out the trade-offs that will need to be made when making business decisions related to cyber risks, and communicate the potential implications for the financial bottom line.

Invest in relationships and your communications skills.

Executive communication and relationship building are fundamental skills CISOs need to hone to better position themselves as viable candidates for board opportunities in the future. Seek out opportunities to actively participate and articulate your business views in as many high-level, strategic discussions at the executive leadership and board level as possible. Additionally, it is well worth the time and effort to find mentors willing to invest in your development as you continue to navigate your career and the path to being considered for board opportunities.

Gain other board experience.

Although many of the expectations and requirements for serving on a board of a non-profit or a startup are not as high or stringent as they are for serving as a director on the board of a publicly traded company, there are still benefits to be gained from such experience. For one, it can help you to become more comfortable serving in more of an advisory and strategic capacity as opposed to focusing on operational responsibilities. Additionally, it can provide opportunities to interact with, learn from, and build relationships with fellow board members who may also sit on public boards.

With the rise of cybersecurity threats, a trusted partner in the search for CISOs is a must for any company. We hope highlighting these considerations will aid your ability to join your first boardroom as you prepare to make your career progression. And when the time is right, consider partnering with an executive search firm that can help you take those first steps with ease.

Special thanks to CyberWire’s Rick Howard and Major General Zan Vautrinot for helping to inspire this article in their recent podcast with Jamey Cummings.

You can listen to the conversation via the link below.

PODCAST: From Board Advisor to Board Member: Evolution of the Modern CISO
(length: 46:56)