Becoming a member of the Board of Directors can be considered the capstone of a successful corporate career, but doors to the boardroom have previously been closed to CISOs. This has changed recently, but many CISOs still find that a boardroom seat requires a leap rather than a step – a leap they find challenging because the credential gap from the C-suite to the boardroom appears to be very large. We will discuss how this gap may be closed, but first examine whether CISOs should become Board members.
Should CISOs be Board Members?
The Board of Directors is responsible for the long-term success of the enterprise, i.e., it must ensure sustainable growth in stakeholder value. As such, it must provide strategic direction, which includes risk mitigation. A CISO should be on the Board only if they can establish that their significance to both strategy and risk mitigation requires their active involvement rather than functioning in an advisory capacity. This raises two questions: can any CISO provide such value and, if yes, can this individual CISO provide such value?
Let us consider the first question: Can any CISO add value to strategy and risk mitigation at the Board level?
The answer will depend on the kind of impact a cyberattack can have on an organisation:
- The chairman of a multinational retail chain operating across more than a thousand worldwide locations revealed that a cyberattack could have destroyed the company
- A cyberattack on a lab services provider resulted in a cost of £32.7 million, more than seven times its annual profit
- 47% of businesses struggle to attract new customers following a cyberattack due to impact on reputation
- A cleaning products manufacturer stated that the impact of a cyberattack more than offset the benefits of pricing, cost savings and supply chain optimisation
- A 160-year-old firm with 730 employees had to shut down following a cyberattack
Cybersecurity becomes a key area of responsibility for the Board when cyberattacks can have such consequences. It is not enough for a CISO to advise the Board; the CISO must be a member of the Board and take charge of cybersecurity at the governance level to be able to protect the organisation from devastating cyberattacks and regulatory action. Yes, CISOs should be Board members.
The importance of including cybersecurity experts in the Board is recognised outside the cybersecurity community as well. While regulators don’t universally mandate placing a cybersecurity expert on the board, thought leaders, governance bodies, and investors increasingly see it as a best practice. Cyber expertise at the board level delivers better risk oversight, strategic guidance, and alignment with stakeholder expectations.
Despite this compelling need for cybersecurity-related expertise on the Board, why do CISOs struggle to become Board members? Being a Board member requires diversified credentials, which we will discuss next.
How CISOs Can Become Board Members
An individual CISO can project themselves as being worthy of a seat on the Board by acquiring and showcasing the skills and attributes that would make other Board members trust them and view them as an equal.
- Business Knowledge – A Board member is expected to be a steward of the business and not merely oversee a function, even if they do possess deep domain expertise. CISOs should expand the frontiers of their knowledge beyond cybersecurity or technology, and become familiar with the business landscape in the context of their organisation’s industry as well as the broader commercial environment. Experience in entrepreneurial ventures or as a strategic consultant will improve the CISO’s credentials. CISOs should be able to provide strategic insight into risk management and compliance, and improve governance in the context of internal and regional regulations and customer-stipulated standards
- Inter-departmental Collaboration – Cybersecurity applies to all digitally-enabled functions in an organisation. CISOs will therefore need to collaborate and build relationships with every department in their organisation, so that they can demonstrate to the Board that the initiatives they propose have buy-in from across the enterprise, and that they understand how the various facets of a business impact strategic outcomes and the synergies that exist between them
- Industry Reputation – The stature of Board members enhances the stature of the organisation. CISOs can therefore improve their candidature by raising their standing within the organisation and the industry: establishing themselves as thought leaders by speaking at conferences, having their perspectives featured in respected media, and building a social media presence that broadcasts their competence. A track record of working on complex projects and successful crisis management will allow the CISO’s work to speak for them and boost their reputation
- Board Interaction – CISOs must ensure they use every interaction with Board members as an opportunity to demonstrate they belong on the Board by sharing opinions and providing advice that reflect the concerns and priorities of Board members
- Strategic Networking – Applying the principle that a man is known by the company he keeps, CISOs should ensure their network includes notable contacts who can open doors and influence perception in their favour especially among Board members. When interacting with Board members, CISOs should ascertain whom they are influenced by and ensure they network with the same, or similar, individuals
- Soft Skills – Board members should be able to view the CISO as ‘one of us’ which requires CISOs to demonstrate their ability to build relationships with Board members and critical external stakeholders, such as media representatives and regulators, and thereby prove they will be a valuable, and valued, addition to the Board. CISOs should also strike the right balance between being assertive and aggressive, and be persuasive without being combative when their opinions are challenged
- Personal Brand – CISOs should work towards being sought after as a Board member, which requires developing a personal brand that emphasises their professionalism, integrity, high standards, critical thinking, and wisdom
Being a Board member is more than just an elevated designation – it is a sign that an individual has transcended being an employee and is among a select group of high achievers who are regarded as trusted captains of the organisation and its stakeholders. The Board is not out of reach for CISOs, but closing the gap requires focused and intentional effort.