Why Every Public Company Should Have an InfoSec Exec on its Board (Part 2 of 2)
Brad Lindemann
CEO/Tech Exec Recruiter…trusted tech talent advisor...serving Tech Execs my entire career
Part 1 of this series sought to brace the board rooms of America for the monstrous rogue wave of regulation soon to threaten every seat at the table. In Part 2, we look more closely at what it takes for an InfoSec Exec to surf their way through the barrel and into a board seat.
Recall, regardless of what regulators decide to do, I believe there should be an InfoSec Exec on every publicly traded company’s board. Thanks to input received from the CISOnation, my minimum criteria for an InfoSec Exec board member have been refined to the following:
1. Currently in an active InfoSec Exec role
2. Working in a non-competing firm of similar size
3. Independent outsider who is NOT personally referred (or known) by a board member or officer of the company
4. Brings more than InfoSec expertise to the table
5. Battle-tested by having either experienced a major breach OR assumed a leadership role within an organization shortly after they experienced one
Let’s drill down further on each criterion while considering some of the insights I have received while formulating them:
1. Currently in an active InfoSec Exec role
The most common push back I receive from CEOs and Chairmen is that they believe the InfoSec base is covered by an existing board member (or two) with a technology background. Certainly, having such board members should heighten the awareness of the board as to the importance of rigorous InfoSec policies and adequate funding to carry them out. However, a former CEO of a tech firm does not possess adequate current knowledge of InfoSec to guide the board or the organization’s top InfoSec Exec, as an InfoSec Exec board member would.
One bank President I spoke with told me he prefers to cover the InfoSec Exec base with outside consultants in lieu of a board seat. He named one in particular with whom they have been working for several years. Mind you, my own firm has been providing IT consulting services for over thirty years. So, I am all for bringing in consultants when doing so brings expertise that cannot be acquired by more effective means. Such was likely not the case in this situation.
While the bank’s InfoSec consultant reported directly to the board, he collaborated with their CISO on nearly a daily basis. After a couple of years, odds are good that the relationship between the consultant and the CISO is either too cozy or too acrimonious to adequately serve the board’s purposes. Even if that is not the case here, most consultants are in it for the longest ride possible. An InfoSec Exec on the board, however, is purely motivated to serve the best interests of the firm…period.
2. Working in a non-competing firm of similar size
This one is less intuitively obvious than it may first appear. For example, a manufacturer’s board may think an InfoSec Exec from a non-competing manufacturer would be a good fit. Perhaps, but most manufacturers will face many similar InfoSec risks independent of their product mix. So, this obvious move is effectively doubling down on known risks, while leaving the firm exposed to risks in other industries today that could be theirs to deal with tomorrow. That is why I recommend filling your InfoSec board seat with someone from a different industry.
As to the size of the firm the board candidate currently works in, number of employees is probably the simplest measure to use. Since each additional employee increases InfoSec risk, this seems sensible enough, though possibly not singularly sufficient. Every additional customer also adds InfoSec risk. The bigger the customer, the bigger their inherent risk. So, for my board seat money, I recommend looking at both current number of employees and number of customers when considering an InfoSec board candidate.
3. Independent outsider who is NOT personally referred (or known) by a board member or officer of the company
Coming from one who earns a "Fixed Fair Fee" for placing InfoSec Execs on corporate boards, this sounds more than a bit self-serving. Nonetheless, I am annoyingly adamant on this criterion. Why? Because more than any other board member, the InfoSec Exec earns his/her seat by courageously telling fellow members what they need to know, but often don’t want to hear. Most of the time, that should be in support of the firm’s internal InfoSec Exec, but occasionally it will require this unique board member to challenge that executive’s recommendations.
An InfoSec board seat is not for the faint of heart. It will prove very challenging for even the best of the best. Personal or professional allegiance to any executive or board member could make meeting that challenge nearly impossible. So, what did I tell the CEO of a $5 billion manufacturer who said he never brings anyone onto his board who isn’t known and recommended by a top executive or board member? I told him that makes perfect sense for every seat on the board…except this one. He then spoke of one painful experience when he didn’t follow his own counsel and brought someone onto the board with great credentials but no personality. Someone who “sucked all the air out of the room”, he said. To this I thought but did not say, thorough reference checking and a reliable emotional intelligence (EQ) test could have kept the oxygen in that boardroom.
4. Brings more than InfoSec expertise to the table
Credit this criterion to the previously featured oxygen-deprived CEO. He said he didn’t want anyone on his board with a narrow background and focus, as he assumes an InfoSec Exec would have. As a preferred alternative, he suggested a local Founder/CEO of a wildly successful tech firm sold a few years back for a sum that took even my jaded breath away. Though I share the CEO’s lofty opinion of this local legend, I strongly disagree with his belief that having such a person on his board adequately covers the firm’s InfoSec risk. Even if the local legend were still the CEO of his former firm, his personal knowledge of InfoSec risk would not adequately cover it. Frankly, it’s not even close.
We’re talking about THIS risk…make that THE risk…the unicorn among risks…the mother of all risks…not just another risk…but the single risk with the highest odds of destroying any organization in our country in the least amount of time. The risk that is so great and so pervasive that the U.S. Senate is seriously considering mandates forcing it to be adequately covered at the board level in the interest of national security. Yeah, that risk.
Thanks, I needed that. I do acknowledge that a pencil head and pocket protector would likely not go over well in most board rooms. Broad business and leadership experience would be a definite plus, IF obtaining it has not significantly distracted the InfoSec Exec board candidate from being a true super star within their field. Meaning, the boards of American companies will soon be seeking unicorn executives to adequately contain this unicorn risk. Ever been unicorn hunting? No one said it was going to be easy.
5. Battle-tested by having experienced a major breach OR assumed a leadership role within an organization shortly after one
Whoa, CISOnation! Please hear me out before shooting the messenger. I realize that holding fast to the above criterion would eliminate many eminently qualified candidates. While it is true that, “Nothing ever becomes real 'til it is experienced.” (John Keats), it’s also true that experience is only valuable to the extent you learn something from it. So, my search would initially focus on candidates who meet one of these criteria but would not eliminate those who don’t.
Obviously, a case could be made that the best possible candidates are those who have never been in an organization when it experienced a major breach. If you’re considering a candidate with that profile, then simply ask him/her to explain how such an impeccable record came about. Though few are likely to admit it, luck was a significant success factor in many cases. Those who are truly good and not just lucky should be able to articulate what sets them apart. A track record unblemished by breaches is nice, but not enough evidence of the candidate’s capabilities. Drilling down to this level requires vetting by a peer InfoSec Exec, something we always do before submitting a candidate for consideration.
What about InfoSec Execs who suffered a major breach on their watch? Does this disqualify them from consideration for a board seat? Absolutely not! These could be some of the best possible candidates, but determining so requires peer review. In such a case, I recommend conducting the review early in the recruiting process. If it’s determined that the candidate made too many mistakes in either causing or recovering from the breach, then you’re done. The risk is too great that similar mistakes could be made next time around despite what were, no doubt, hard lessons learned…hopefully.
That’s a wrap for Part 2 in this series. Thanks to the CISOnation for their lively participation in Part 1. Please continue to weigh in, while encouraging your C-level exec and board member friends to do the same. United We Stand Secure!
Retired at Retired
5 years
The risks of not are too severe.
Cyber CEO | ZeroTrust & NIST Expert | DoD & F500 CISO
5 years
Very good points and observations. Having been a CISO at a publicly traded company and previously supported DoD operations around infosec, this is an accurate ask. Boards need experience in this space more than ever and can no longer rely on "just enough technology background" as sufficient. They need to understand the issues around information security like they do with financial and operational risks. How many are able to ask the right questions of their CEO, CFO or CIO that's briefing them? #cisolife
Um, well, if they wanted it we would not be talking about it... they would have followed the Target incident as well as the Sony one. Apparently it is a strategic decision not to have one.
Bringing a sense of calm to the cyber security storm.
5 years
Great points that I absolutely agree with. I was going to try to prioritize which points were more important, but they are all key. Thank you for this, as I am just now on my journey to prepare myself for a seat in the future.