In today's business landscape, it is imperative to prioritize robust cybersecurity programs, and a good reflection of that is adding security executives to boards.
Chris Steffen, a research director at Enterprise Management Associates (EMA). Observes a growing trend of elevating chief information security officers (CISOs) to board positions.
The previous notion that security roles play second fiddle to other technology priorities is no longer acceptable.
Steffen explains that organizations pay increasing attention to risk and regulatory compliance.
Many initiatives and controls revolve around security. It falls upon the CISO to address these controls.
Security incidents are continuously making headlines. Boards of directors must demonstrate their commitment to addressing these concerns.
One straightforward and impactful approach for companies is elevating the CISOs' position on the board, granting them responsibility and authority.
Recognizing cyber risk as an integral facet of overall business risk. Businesses now require CISOs to engage in governance discussions at the board level actively. Nick Kakolowski from IANS Research emphasizes that CISOs have an opportunity to serve as cyber experts during these conversations.
It will be crucial for them to diversify their experience beyond technical expertise alone. Boards are seeking individuals with a breadth of knowledge when they consider candidates for cyber expert roles.
Recent research conducted by IANS Research highlights findings regarding qualifications for board positions among CISOs. Less than half of all CISOs exhibit strong aptitude as board candidates based on their skills and qualifications. The study also reveals that 90% of public companies lack even a single qualified cyber expert on their boards. Indicating a significant disparity between demand and supply in this regard. Only approximately 15% of CISOs possess the necessary traits required for board-level positions, such as a comprehensive understanding of business operations.
A global perspective, and adeptness in navigating diverse stakeholders. Soft and cybersecurity skills are essential for CISOs to be considered credible board members. In order to serve as cyber experts on boards CISOs should focus on three key areas. According to the sample of CISOs queried for the IANs research who already hold board roles. Firstly. CISOS need to develop soft skills. Boards are made up of highly talented and successful individuals who work closely together. The conversations within these boards can be nuanced and require a high level of emotional intelligence to navigate effectively.
Secondly, CISOs should diversify their business experience to gain a broader knowledge of various operational models and corporate strategies. This will help them better understand the complexities of the business world.
Lastly, branding is critical for CISOs looking to serve on boards. Creating a compelling career story highlighting their executive expertise sets them apart from other security experts. Good communication skills are vital in this regard. Being able to explain complex security-related topics in a way that laypeople can understand is key. Larry Whiteside, CISO at RegScale and board member of several organizations. Emphasizes the importance of knowing your audience when it comes to communication. Communicating clearly and concisely with individuals who may not have a technical background is crucial for a CISO.
Overall by focusing on developing soft skills diversifying their business experience, and honing their communication abilities CISOs can enhance their credibility as board members in cybersecurity. A CISO needs to tailor their language to their audience, especially in a boardroom setting. At the same time, technical terms may be appropriate for the cybersecurity or IT team.
The board members must understand the point being made. A CISO must possess good business acumen to communicate effectively in the boardroom. This includes not only knowledge of the business itself but also an understanding of how it generates revenue. Each company has its unique qualities that contribute to its success, so this understanding is key. A CISO must also have a comprehensive understanding of risk beyond just technology. Compliance and regulatory issues are constantly evolving, and a CISO must grasp the risks these mandates impose on their company.
In addition to technological risk, CISOs must consider fiduciary and operational risks when evaluating the overall impact on the company's bottom line. They need to understand their role and responsibilities as a board member and ensure they stay within their bounds.
Furthermore, having a strong network of professionals from various disciplines can be beneficial for CISOs in seeking guidance and expertise. According to Steffen. Many security professionals know that attaining high organizational security is only possible with assistance. This help can come from various sources, such as third parties, vendors, or informal connections with peers in the industry who can offer valuable guidance. Steffen also emphasized the importance of a CISO having a robust network of contacts that they can rely on to address any potential issues.