Why CISOs are Excellent Candidates for Board Service

In March of 2023, the SEC proposed new requirements to address cybersecurity risks to the U.S. security markets. Then, in July of 2023, the SEC issued its final rule requiring improved disclosures about cybersecurity risks, governance, and incidents by publicly traded companies. Since then, numerous articles have been authored about this rule's impact on businesses, corporate board operations, and the cybersecurity community. I responded to several articles written about how CISOs were not ready to serve on corporate boards and shouldn’t be viewed as a source for boards to mature their cybersecurity knowledge. I felt that many who were negative about this discussion were missing the point, which is that the CISO role is unique. The role doesn’t just have one set of skills and experiences but a vast collection of them, as noted in Rafeeq Rehman's excellent resource, the CISO MindMap.

Obviously, not every executive serving as a security leader has experience in all the domains listed on this mind map. It would surprise executive teams, however, what many of us, with ten-plus years of experience as CISO, can bring to the table to help our companies if provided the opportunity. My original purpose for this article was to discuss why CISOs should serve as independent directors if given the chance. While putting my thoughts together, I realized it might be better to tell a story. Everyone likes a good story, and this is about how a CISO realized something was missing and the path he took to get answers. As I tell this story about myself <smile>, I will touch on how I became business aware as a security executive and provide resources that peers and I have used to integrate business knowledge and experience into our career paths.

Every story has a beginning; mine was in 2007, as my military career ended. Like many veterans, I transitioned into a role working for the federal government. Over the next six years, I served as a Deputy CIO, CISO, Network Architect, Auditor, and Privacy Officer. It was an incredible experience, but around 2010, I realized while attending executive staff meetings, budget meetings, and strategy sessions that many of my fellow executives spoke a language I was struggling to understand, and that language was “business.” This led me to join San Diego State University’s Executive MBA program and graduate in May 2013. During my two years in this MBA program, I took classes and became very involved in San Diego’s startup community. Here, I was initially exposed to advising startups – which I still do today – and working with their executive teams. This exposure would make me realize that understanding how businesses work helped me mature how to protect them and my security program's impact on daily business operations.

This realization in 2013 has had a profound impact on my career. I perceived then that cybersecurity was, at its core, a business service that used technology, people, and processes to manage enterprise systemic risk. As a business service, that made me a business leader within my organization; however, I didn’t feel like one then. I knew I needed to change, which led me to CISO roles at the City of San Diego, Webroot Software, and my current employer, SoftBank Investment Advisers. In each, I still found my original observations about business and cybersecurity true. In fact, I noticed that the more senior I became, the more imperative it was for me to understand business and develop the soft skills required to collaborate with my peers and communicate with my executive team and board of directors. In 2010, I had over a decade of experience in IT and cybersecurity with numerous technical certifications. I thought I was at the top of my game as a security leader, and it was just a matter of time before I progressed to more prominent CISO roles. However, looking back now through the lens of experience, I understand that what was holding me back was that I lacked an understanding of where my security program and my role fit into and supported business operations. It was this feeling that something wasn’t right that led me to complete my MBA and understand that achieving the title of CISO wasn’t the professional ceiling in cybersecurity but one of many steps that I could take, as noted in an article I published in March of 2020 titled, “I’m a CISO, what’s next?”

So, what does this have to do with the new SEC rule about cybersecurity? Not much at face value, except that many of us who serve or have served as CISOs, with years of experience, are business aware. We know we must partner with our business, collaborate with internal business units and external stakeholders, and develop a strategic view to be effective. Now, this doesn’t mean that all of us are ideal candidates for board work, but if we have the skills and experience a board is searching for to mature its team, we should be given a chance to serve. Much of this personal and professional growth is the direct result of serving as the senior security executive for companies in different roles over time and completing continuous professional education. So, using me as a CISO lab rat, I will discuss my current role as a CISO and the many hats I wear to support my employer and its strategic operations. I will also discuss the education resources I continuously take to stay business-enabled. As I mentioned, not all CISOs are interested in working with corporate boards, so my example is just that of a security executive who has chosen to walk that path and has worked to gain the necessary skills and experience to be a competent board member.

Experience – Very few CISOs ever have just one job (Current role as Global CISO, 4.5 years and counting – 18 years total experience as a CISO)

  • Cybersecurity Operations (see CISO MindMap) – managing security operations, deploying security platforms in a cloud-first SaaS environment, and incorporating zero trust into all operations.
  • Physical Security (16 offices worldwide) – managing physical security across all global offices and up-leveling current physical security platforms to provide one enterprise view across all offices.
  • Due Diligence (M&A, New Investments, Acquisitions) – cybersecurity and business continuity due diligence on potential investments (600+ companies to date), reviewing companies for security gaps and briefing investment teams on issues and risk exposure to the fund.
  • vCISO (portfolio company assistance) – providing virtual CISO services for the 400+ portfolio companies. Services include strategic planning, policy documentation, risk framework consultation, security program planning and implementation, and specialized services such as preparing board presentations, IPO roadshows, and audits.
  • Audit (Cybersecurity/Business Continuity – Federal and International Regulators) – partnering with Internal Audit, Compliance, and Risk to manage relationships with external auditors and regulatory entities.
  • Compliance, Legal, Risk, and Procurement – collaborating and assisting with investigations, contract reviews, data/privacy requests, and new technology reviews; conducting and prioritizing risk assessment findings and aligning results with strategic business goals.

This is an example of some of the services I provide in my current role. My positions at my previous employers were similar. I have never known anyone in a true CISO position who only did the technical requirements. Cybersecurity today is so interwoven into a company’s Information Technology stack and business operations that it's common now in CISO job interviews to ask candidates how they would collaborate with peers and stakeholders who are not technology-centered. I have even seen CISO job candidates asked to discuss their strategic view of building and leading a cybersecurity program and how they would integrate it to support new business initiatives or solve an M&A issue. The main point I am making here is that when boards are looking for a new member with technology experience, CISOs bring that experience as well as risk management, governance, privacy, data protection, and cybersecurity. So, with today's threats and the extensive use of technology in business, it makes sense to recruit a CISO provided they are business aware, which leads us to our next point of discussion.

In response to the articles about CISOs not being board-ready, I pointed out that CISOs were ideal candidates if they had done continuous education and had previous experience. We shouldn’t just be recruited; we must do our homework to be well-rounded executives and bring a portfolio of skills and knowledge to a board to support its short-term and long-term goals. The list below is not exhaustive; I am providing it only as an example and would expect a security executive to tailor it to her professional portfolio as required.

Continuous Professional Education & Board Experience

  • College Courses
    ◦ MBA – there are too many to list here; I honestly chose to do an MBA versus a degree in cybersecurity as I already had ten years of experience in security and knew I needed to be business literate to grow professionally as a senior security executive.
    ◦ MS – Risk, Privacy, Strategy, etc. – I have seen many of these types of degrees become available. I would recommend this type of degree to peers from non-technical fields with business experience who have transitioned into cybersecurity. It's all about balance and adding the required knowledge to mature as a business executive.
    ◦ Executive Certificates – for those interested in doing a series of classes to uplevel your knowledge in a subject matter, these types of executive certificates have become popular, and many schools and professional organizations offer them.
        ▪ Corporate Director Certificate
        ▪ Virtual Director Professionalism
        ▪ Business Essentials for Executives
        ▪ Data-Driven Decision Making
        ▪ Cyber Risk Oversight Certificate
        ▪ Corporate Governance
    ◦ Single-Topic Courses – just like executive certificate programs but shorter and less expensive <smile>. I have done a couple to round out my knowledge on a subject.
        ▪ Preparing to be a Corporate Director
        ▪ Finance for Non-Finance Managers
        ▪ Director Proficiency: Financial Oversight

  • Professional Groups/Community – I believe in being part of a community and getting involved. These are just several organizations focusing on executives serving on boards or advising executive teams. These communities offer events, education, certifications, research, and opportunities to network and support peers.
    ◦ DDN
    ◦ NACD
    ◦ PDA

  • Certifications – multiple organizations offer certificate programs or professional certifications. Two certifications I have done to prepare myself for board work are listed here. QTE is a technology and risk-focused certification. NACD.DC is focused on full board operations, with cybersecurity and risk management being two of the fifteen domains covered in this certification.
    ◦ QTE
    ◦ NACD.DC

  • Board Service Experience – this is the most challenging part: you have taken classes, and you now want to work with boards, but where do you start?
    ◦ Non-Profit – this can be your local community center or youth-focused groups like a football club, little league, or Boy Scouts. This can also be faith-based, or programs run at your local community college or university. The critical point to remember is you must volunteer time, be a member of the organization, and be willing to serve.
    ◦ Professional Organizations – many of us are members of professional organizations if we work in the cybersecurity field. The local chapter of your professional organization of choice has yearly elections for people to join their boards, and sometimes they have positions open and are looking for people to volunteer. Taking a local seat on a chapter board can lead to seats on the national board; it’s a great place to start and gain experience working together as a board team.
    ◦ Startups – as a CISO, you may attend local meetups and incubator events in your area where you meet new companies. Some companies are looking for investments, and others are searching for advisors to help them mature. You may not be interested, but many of us who have served on public boards started as advisors and board members on private ones first.
    ◦ Board Advisor – corporate boards have several committees that hire experts to advise them as subject matter experts. Being an advisor to a committee is an excellent way to begin working with corporate boards. It provides you with a window to see how they are run and how they work to support the business.
    ◦ Entrepreneurship – I have seen this happen several times recently where CISOs start their own companies or are members of founding teams and sit on their boards. Again, this is another path you can walk as a security executive.

I want to finish my story with a quote by H. Jackson Brown Jr., “Earn your success based on service to others, not at the expense of others.” Serving on a corporate board isn’t for everyone; gaining the required education, skills, and experience takes time. I hope you have enjoyed this article; I felt it was important to discuss how board service can be another opportunity for security professionals and that we shouldn’t be discounted because we are not ready – because we are, we just need to do our homework and be willing to serve.

*** In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the Executive Primer. I have also authored The Essential Guide to Cybersecurity for SMBs and Developing your Cybersecurity Career Path. All are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.

Joseph S. Erle, MBA, CIC, CRM, TRA

Cyber Insurance | Getting Businesses Secured and Insured

1 year

Sree Chintala

AI-Powered Modern Legacy & Inheritance Planning | CEO /Founder My-Legacy.ai

1 year

Congratulations on your NACD certification! Your insightful article highlighting why CISOs and Senior Security Professionals are apt for corporate boards underscores the critical role our field plays in business. It's a testament to the growing recognition of cybersecurity's strategic importance. Wishing you continued success and a joyous holiday season! Your commitment elevates not just your career but contributes to the broader landscape of corporate governance. #NACD #CISO #CorporateBoards #CybersecurityLeadership

Neda Pitt

CISO at Belk | Strategic Planning | Risk Management | Data Protection | Product Security | Cloud Security | Leading High-performing Cyber Teams to Enable Digital & Business Transformation

1 year

Congratulations, Gary! I couldn't agree more – CISOs belong in the boardroom, and we are ready to take on the responsibility.

郑尔康

AI • Cyber • Graph | Founder • Builder • CEO • CISO

1 year

This is great! Congrats and thank you for your contribution to elevate the CISO role!

Greg Raymond CEO

CXOGLOBAL100 Executive Recruitment & IT Staffing. Help mitigate Staffing pain points, bottlenecks. Delivering the best, brightest business Technology C-Suite/Critical Thinkers inside the Fortune based/enterprise markets.

1 year

Gary Hayslip Some things are easier said than done. NACD Directorship most definitely applies. Way to grind IT out, remain highly valuable… Relevant! #cxoglobal100 #CriticalThinkers
