5 Key Traits for Cyber Experts on Corporate Boards

June 6, 2023 – New Securities and Exchange Commission (SEC) rule changes are expected to require public companies to formally disclose the cybersecurity expertise of board members, as well as the board’s governance practices in overseeing the company’s cybersecurity risk. The added transparency resulting from the new rules will give shareholders a clear understanding of a board’s cybersecurity expertise, according to a newly released report from IANS Research and Artico Search. On most boards, cyber understanding is insufficient: recent quantitative research by The CAP Group revealed that 90 percent of Russell 3000 companies lack even a single board director with cybersecurity expertise.
“This highlights the opportunity to remedy this potential skill shortage in 2023 and beyond,” the study said. “In response, many companies will likely be compelled by the market to appoint a board director with proven cybersecurity expertise. CISOs appear to be one logical pool of candidates to fill this gap, but the question arises as to whether CISOs possess the qualifications to serve as effective board members. Additionally, there are questions in the market as to how many credible board-ready CISOs are available for this role.”
To address these concerns, IANS Research, Artico Search, and The CAP Group collaborated on a research study that evaluated the qualifications of CISOs in companies listed on the Russell 1000 Index, against the characteristics of credible cyber director candidates for corporate boards. (These characteristics were referred to as “board traits” throughout the report.) They sourced this data from publicly available sources, including data from LinkedIn, executive bios, speaking bios, press releases, and interviews. The report also cross-referenced this data against self-reported information from IANS’ and Artico’s annual CISO Compensation and Budget study.
5 Key Traits for Cyber Experts on Corporate Boards
To determine the essential board traits of a cyber board director, the report examined the profiles of CISOs who currently hold corporate directorships.
1. Infosec tenure. Deep domain expertise with firsthand experience in cybersecurity is vital for providing a critical eye to the effective management of cybersecurity risk. This core strength allows a director to ask the right questions and challenge assumptions. Tenure as CISO and in cybersecurity were used as key indicators in the study’s analysis.
2. Broad experience. Effective board directors adopt a holistic view of the business and can connect the dots between functions and risk. Directors with cross-functional experience are better equipped to engage in strategic board-level discussions because they think about the business as a whole rather than about a single function, said the report. Prior experience in non-cyber roles, such as founder, strategy executive, commercial leader, or non-cyber strategy consultant, is indicative of this trait.
3. Scale. Board members must be capable of dealing with organizational complexity and navigating a broad range of stakeholders. The size and global nature of the CISO’s current or recent company serve as indicators of this trait.
4. Advanced education. An advanced degree for board members enhances the board’s credibility with external stakeholders and is viewed as indicative of critical thinking and analytical skills. The report used relevant advanced degrees in disciplines such as, but not limited to, tech, engineering, business, and law as criteria for this trait.
5. Diversity. Boards are interested in candidates from diverse backgrounds for a variety of reasons, including SEC diversity guidelines. Recruitment efforts for board members may favor self-identified females and underrepresented minorities. To evaluate this trait, the study relied on self-reported data.
“Board discussions are distinctly different from executive leadership discussions because boards focus on governance and risk guidance,” said Steve Martano, partner and executive recruiter in Artico Search’s cyber practice. “We identified these five specific traits because to serve as an additive board member, one must bring a unique combination of domain expertise and strategic governance, as well as a pedigree that advances the prestige and diversity of the board makeup. In today’s world, boards are seeking diversity of experience and thought, and expanding board opportunities to underrepresented groups.”
“The transition from executive leadership to board directorship is profound, and many struggle to adapt,” said Brian Walker, CEO and cyber board advisor at The CAP Group. “Our experience shows that these are five of the key traits found in those who are able to successfully move from executive to board director.”
CISO Readiness for Board Roles Varies Widely
IANS Research, Artico Search, and The CAP Group also assessed a representative sample of Russell 1000 CISOs to gauge the board readiness of that pool of potential candidates. Here are the findings:
• 14 percent are ideal candidates, possessing at least four out of the five board traits. Two-thirds of these CISOs have cross-functional experience and nearly all work at large global firms. They are highly educated and most meet diversity criteria.
• 33 percent are strong candidates, meeting three out of the five board traits. Nearly all have served as a CISO for at least five years and have at least a decade of cybersecurity experience. Most have experience dealing with the complexities and scale of large companies, and half have advanced degrees in tech or business. However, they have notably lower percentages for diversity and cross-functional experience than the pool of ideal candidates.
• 52 percent are emerging candidates, checking the box on one or two board traits—in most cases, a combination of infosec tenure and scale. This group has far fewer CISOs with cross-functional experience, advanced degrees or diversity criteria.
“Our data shows there is a large portion of the population of CISOs who could emerge as board-ready in the next several years,” said Mr. Martano. “Both boards and CISOs would benefit from aligning on expectations for a board-ready cyber expert, preparing this CISO community aggressively to help meet long-term board needs.”
“Our prior research indicated that 90 percent of Russell 3000 companies lack at least one director with cyber expertise,” said Mr. Walker. “This new analysis indicates that, at most, half of Russell 1000 companies could reasonably expect to leverage CISO expertise at the board level. But that still leaves nearly half of Russell 1000 companies searching for board-level cyber expertise.”
Recommendations for Companies Considering CISOs for Board Roles
When it comes to adding cybersecurity expertise to a company’s board, there are several options to consider, including engaging outside board-level experts, recruiting existing directors with proven cyber experience, or upskilling current directors with cyber-specific governance skills. For companies considering the CISO route, however, IANS Research, Artico Search, and The CAP Group offer these key factors to keep in mind:
• The Russell 1000 is the right starting point. It is a good place to begin identifying potential CISO candidates: CISOs in the R1000 are likely to have the cybersecurity expertise necessary for a board role, and these public companies are far-reaching, diverse, and generally report a high level of cyber accountability.
• Cast a wide search net. Following the SEC rule change, many companies will launch a search for cyber board candidates. Qualified candidates are scarce, especially those considered ideal, and active CISOs are not likely able to take on multiple board seats. In these conditions, searches should be cast wide and candidates with a variety of profiles should be considered.
• Prioritize diversity. If diversity is a key priority for the board, then companies should be prepared to compromise on other requirements, such as non-tech expertise or career history at large global companies. Candidates who are diverse will be in high demand and those who possess other qualifications will be even more sought after.
• Consider board certification a nice-to-have. While board director certification is a desirable qualification, adoption levels of such programs among CISOs are low. Therefore, companies should consider it a “nice-to-have,” rather than a hard requirement for the time being. Companies should also consider offering board program enrollment for newly appointed directors to help them gain the necessary skills or desired accreditations.
• Look for the “it” factor. When looking for candidates, it’s important to consider the “it” factor by looking for unique qualifications among the shortlisted candidates, including those with diverse backgrounds and experiences that may bring a fresh perspective to the board.
• Have a plan B. CISOs are not the only pool of prospective candidates, and boards may have to wait several years while CISOs in the emerging candidate pool upskill. In the meantime, boards can recruit other business leaders out of cyber companies, or other tech leaders who are less deep in cyber but have enough exposure to be credible.
The full report is published by IANS Research, Artico Search, and The CAP Group.
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; and Stephen Sawicki, Managing Editor – Hunt Scanlon Media