How CISOs can make themselves ready to serve on the board

Spurred on by impending regulatory requirements and global cyber risks, corporate boards of directors are actively on the hunt for cybersecurity expertise. As a result, corporate governance experts believe that well-rounded CISOs will soon become a hot commodity for board recruitment.

However, not all CISO resumes are created equally. Newer CISOs without a lot of experience in the boardroom may need some time to bolster their risk management experience and communication skills before they’re even remotely ready for a director role. And even the most experienced security executives may need to make a concerted effort to broaden their skills and corporate governance expertise to help them meet the demands of directorship.

This is why CISOs interested in getting ready to serve on a board will need to take a strategic tack to their professional development. Doing so means seeking out the right mix of new experiences, governance education, and networking to burnish their reputations and attract the attention of boards with open seats.

“It’s a path paved with sweat equity,” says Bob Zukis, a professor at USC Marshall School of Business and CEO of Digital Directors Network (DDN), which helps companies improve digital and cyber risk governance. “There are no shortcuts to the boardroom.”

CISOs looking at board roles need more than cybersecurity experience

The last decade or so has been a hard-fought battle for CISOs in simply gaining the ear of their boards of directors, let alone joining their ranks. But as increasingly more security leaders have stepped up their value as risk advisors and learned how to help the business navigate the cyber risks of digital transformation, the role of CISO has leveled up in the corporate hierarchy.

Now, over half of CISOs present performance updates to the board on at least a quarterly basis, according to The State of CISO Influence 2023 from security consultancy Coalfire. That report shows in the past two years the percentage of CISOs reporting monthly to the board jumped noticeably from 18% to 28% of security leaders.

But governance experts and regulators believe that even the most regular reporting from security leaders isn’t enough for boards to fully grok their cyber risk exposure. There’s growing global momentum for public company and corporate boards to also start recruiting directors with relevant cybersecurity expertise, which is part of a broader trend of boards seeking recruits with any kind of technical expertise. A recent study from leadership consulting firm Spencer Stuart reported that about a third of ‘next-gen’ directors aged 50 and younger have technology backgrounds.

Chenxi Wang, a longtime cybersecurity expert and venture capitalist is part of that wave. She was recruited to the board for MDU Resources Group, a US-based energy and construction materials firm, back in 2019. She says the company was attracted both by her cybersecurity acumen and her connections with the high-tech industry in general.

“As a pretty traditional and longstanding company, they are actually very conscientious about bringing diverse mindsets and backgrounds to the boardroom,” she tells CSO. “And they wanted someone who’s connected with the West Coast high-tech industry to give them that perspective that a Midwest energy company may or may not have exposure to.”

While much of this momentum for CISO directorship recruiting is happening organically, it’s also being accelerated by impending requirements from the US Securities and Exchange Commission (SEC). The SEC will effectively name and shame companies for a lack of cybersecurity competence with forthcoming rules that will force public companies to disclose whether any of their directors have cybersecurity expertise. SEC regulators will require disclosures to be very detailed about the nature of the director’s experience in cybersecurity.

Just sending existing directors through a couple of security awareness classes will not cut it for this regulation, Zukis says, explaining that “the SEC wants applied experience — people that have been in the job before.” He also believes this regulation will have global impact. “As the SEC goes, so goes the world on these issues. As the SEC takes the lead from a regulatory perspective on these issues, other markets follow,” he says. “This push to have cyber expertise as a disclosure requirement in the boardroom will have all boards on the brink, saying, ‘Why are we still pretending that we don’t need this director in the room?'”

As organizations have these discussions, CISOs, security auditors, security analysts, and other risk officers are going to start looking a whole lot more attractive for director roles. “I think that mature CISOs, the ones that really have both the business viewpoint and also the technology viewpoint are the ones that I think are really ready to step into the role of a board member to guide companies from their experience, not only as technology leaders but as a business leaders,” Wang says

However, simply having security experience isn’t going to make every CISO a board shoo-in. That ‘mature’ qualifier is a big caveat.

How ready to join the board is the average CISO?

Longtime CISO Dawn-Marie Hutchinson says there’s probably too much variability in the CISO role to say whether the ‘typical’ CISO is ready for the board. “Consider the vast discrepancy between job descriptions, compensation, reporting lines, and consistent access and communication with the board. It is hard to say if as a class we are ready,” says Hutchinson, who currently serves as group CISO for UK-based BAT. She’s also a certified director by the National Association of Corporate Directors (NACD). She doesn’t yet serve on a corporate board but does act as a director for a non-profit board. “The role of the director is to oversee not to manage, so the more operational/tactical the CISO is in their role, the more difficult the adjustment to an oversight function they may experience.”

According to Mark Pfister, CEO and chief board consultant for M.A. Pfister Strategy Group, a professional board consultancy, his firm has seen a big recent uptick in CISOs working through its International Board Director Competency Designation (IBDC.D) training and certification program. He reports there’s currently a “high demand and low readiness level as it relates to CISOs’ ability to smoothly transition to the board room.”

At the same time, though, there are a lot more qualified CISOs ready for the board than the corporate world gives them credit for, says Zukis. This observation can be backed up by the results of a study out this month from IANS Research, Artico, and The CAP Group. This study made headlines because it reported that only about 14% of CISOs in the Russell 1000 were the perfect board candidate possessing all (or close to all) of the traits that boards today seek in their directors: deep domain expertise, advanced education, cross-functional experience in business governance, experience in global enterprises, and diverse backgrounds. Dig further, though, and the study actually shows that a full 47% of CISOs possess three or more of those key traits for directorship.

“It’s like any professional functional area. Not all audit partners or CFOs are ready for the boardroom either,” Zukis says. “So, there are some CISOs that are ready, willing and able right now–more than they’re given credit for. And there are some that can get there with the right development, coaching and mentorship. And then there’s some that will need a lot more experience and development to be there.”

Corporate governance issues and procedures training

Even those CISOs with deep pools of expertise in cybersecurity and tons of experience working with different lines of business may still need additional development and education on corporate governance issues and procedures. This is where executive training and certifications can potentially come into play to help them get up to speed.

Perhaps one of the most well-known certification and education programs on this front is the NACD Directorship Certification. Hutchinson said it was a good refresher for her on governance learnings that she initially picked up in her MBA education, obtained earlier in her career. “It was a good reminder as to the purpose of the BOD, specifically as we expect new rules from the SEC,” she says.

But that’s just one of many specialized programs available to CISOs looking to fill in the knowledge gaps and strengthen their governance chops. Business schools like Northwestern Kellogg, UPenn’s Wharton, and Columbia all offer corporate governance executive programs.  Internationally there are also classes and programs like INSEAD’s International Directors Programme, Corporate Governance Institute’s Diploma in Corporate Governance, and Institute of Directors’ Chartered Director Programme, as well as the aforementioned IBDC.D.

Meantime, Zukis’ DDN is seeking to specifically help CISOs and other technology experts with a comprehensive masterclass on boardroom readiness for tech executives, one of the only programs globally focused on this niche.

Taking classes like these provides CISOs the opportunity to understand the full scope of responsibilities for board governance, says Bob West, CISO for Palo Alto Networks and a veteran security practitioner who is systematically building his career track for an eventual spot on a public board. Even with a lengthy and robust resume as a security practitioner and consultant, and an MBA, he’s still taking the time to boost that with executive training courses. He’s currently working through a board director prep course through KPMG and last year he says he took the governance course through Wharton.

“That really helps provide another lens for when you step into the boardroom for a meeting: ‘Here are all the things you need to care about,'” he says. “I think those types of courses are very helpful for people in general. It gets you part of the way. Maybe just enough to be dangerous.”

Building the right mix of professional experiences 

While directorship courses and certification can provide a needed boost, nothing trumps the school of hard knocks. All the experts agree that before considering executive educations, CISOs should first ensure that they’re regularly encountering professional experiences that expose them to business-level decision-making.

One of the biggest professional gaps uncovered by the IANS study is in cross-functional expertise. The research showed that only about a third of CISOs have broad experience with strategic board-level decision-making, standing in stark contrast with CISOs who currently hold board positions, of which 71% have that cross-functional box checked.

“Applied experience is always worth more than theoretical experience. CISOs who can broaden out their role, broaden out their perspective, broaden out their value proposition across the organization, will be served much more from that applied experience,” says Zukis. “The secondary path is the classroom and the executive education. That stuff is good, but it doesn’t replace having been there and done that.”

The most obvious first step in that route to relevance is for CISOs to be sure they’ve built solid relationships with their own board directors and are learning from those experiences. “CISOs that aren’t having regular engagement, and arguably a relationship with the board will need to build that experience before ascending to the seat,” Hutchinson says.

For CISOs currently stuck in more tactical positions, the way to get there is to start finding ways to take responsibility and track a broader set of enterprise risks beyond just the typical cyber threats. This is probably one of the most important ways CISOs can ready themselves for a board position, says Wang.

“I think a CISO should consider a journey to be the chief risk officer of the company. That would be a really great thing to do, whether you have the title or not,” Wang says. “In doing so, you’ll get experience working with different business units and different perspectives — including legal, compliance and so on. These interactions will prepare you to have the right mindset and experiences for serving on a board.”

Making lateral moves across industries may not be a bad idea either, she says. “If you’re CISO for a particular industry and you move to a different industry, you’ll get exposed to a different set of risks, which is great for expanding your horizons,” Wang says, explaining that she knows several CISOs who have greatly bolstered their experience by jumping to different industries. “They really have a very enriched view on cyber risks and other risks as a result.”

Broadening perspectives could also potentially be achieved by pivoting into consulting and making forays into vendor land to build out business expertise, like West has done. He’s had a number of stints as CISO at financial services organizations but has also buttressed that with years of consulting and management experience at Deloitte and Ernst and Young, which he says has helped him learn the “right way” to communicate with directors.

“The more that you can bulk up on business strategy and overall business operations, the better. That becomes tremendously helpful because you don’t just want to be a one trick pony on a board,” he says. “You don’t want to be the person that’s adding value for 10 minutes out of the whole day. You want to be able to add value throughout the board’s discussions.”

He’s also building experience through serving on nonprofit boards. The most valued of those experiences is his work for USA Track & Field Foundation, where he explains he’s been serving alongside a number of high-powered CEOs from organizations like American Express, Blackstone, and NASDAQ. “Where I’m going with that is that they’re used to a lot of rigor in their boards (at their day jobs),” he says. “So that’s been very, very instructive in understanding how disciplined boards function.”