Cybersecurity experts have become targets for board seats – CNBC


  • The need for strong cybersecurity programs is a vital part of doing business today, and a good reflection of that is adding security executives to boards.
  • Businesses are becoming more aware of cyber risk as a component of business risk “and need chief information security officers to be part of board-level governance conversations,” said Nick Kakolowski, research director at IANS Research.
  • Yet only 15% of CISOs have broader traits required for board level positions, such as a holistic understanding of the business, a global perspective, and ability to navigate a range of stakeholders.

The need for strong cybersecurity programs is a vital part of doing business today, and a good reflection of that is adding security executives to boards.

“The trend is for [chief information security officers] to be elevated to the board of directors,” said Chris Steffen, research director at analyst and consulting firm Enterprise Management Associates (EMA). “It is no longer acceptable for the security role to be subordinate to other technology priorities that the company might have.”

As risk and regulatory compliance become more visible in an organization, many of the initiatives and controls will be security related, Steffen said. “Addressing those controls usually falls to the CISO,” he said.

With security incidents “a part of nearly every evening news cycle, the board of directors needs to demonstrate that they are taking those considerations seriously and addressing them,” Steffen said. “For many organizations, one of the easiest and most effective ways of doing this is to elevate the CISO to a position of responsibility and authority on the board.”

Businesses are becoming more aware of cyber risk as a component of business risk “and need CISOs to be part of board-level governance conversations,” said Nick Kakolowski, research director at IANS Research.

“CISOs have an opportunity to function as cyber experts, but it will be critical that they broaden their experience as boards will likely seek individuals with a breadth of experience for cyber expert roles, not necessarily security specialists,” Kakolowski said.

A recently released report on CISO board readiness conducted by IANS Research in collaboration with Artico Search and The CAP Group, found that less than half of the CISOs stand out as board candidates.

The research also showed that 90% of public companies lack even one qualified cyber expert, showing a significant cyber board supply-demand gap. Only 15% of CISOs have broader traits required for board level positions, such as a holistic understanding of the business, a global perspective and ability to navigate a range of stakeholders, with another 33% having a subset of those necessary traits.

So, what skills do CISOs need — aside from cybersecurity expertise — to be considered credible board members?

Based on the sample of the CISOs queried for the IANS research who are already serving in board roles, the researchers recommend three areas for CISOs to focus on if they want to serve as cyber experts on boards.

“First, build soft skills,” Kakolowski said. “Boards are close-knit working teams of highly talented and successful people, where the conversations are often nuanced and require a high emotional intelligence to navigate.”

Second, CISOs should look to diversify their business experience to broaden their knowledge of varied operational models and corporate strategies, Kakolowski said. Finally, branding is critical. “Being able to form and tell a compelling career story that demonstrates unique executive expertise creates an ‘it’ factor that can help an individual stand out from other high-performing security experts,” he said.

Having good communication skills is vital, Steffen said. “Being able to explain complex security-related topics to lay people is difficult, but it’s a critical skill” for serving on a board, he said. “The other members of the board likely will not be technical, and the CISO will need to be able to explain security related topics so they can understand the importance.”

A key component of communication is knowing your audience, said Larry Whiteside, CISO at RegScale, a provider of governance, risk and compliance tools, and a board member of several organizations including the Cloud Security Alliance, Ember River and the University of South Florida.

“For a CISO, the ability to communicate directly with people not like themselves in a way that’s clear and concise means the world,” Whiteside said. “Many CISOs have grown up as technologists and are accustomed to speaking very technically. And that’s not a bad thing for the right audience, which is usually the cybersecurity or IT team. However, in a boardroom, speaking in a language and utilizing terms that the board will understand is crucial to getting their point across in a meaningful way.”

Possessing good business acumen is also important for a CISO to be effective in the boardroom, Whiteside said. That includes having knowledge and understanding not only of the business, but of how it operates to generate revenue. “The reason for this is that all companies are unique in one way or another,” he said. “There may be a large set of similarities, but that uniqueness is often the one thing that is a key differentiator to a company’s success.”

CISOs also need to understand risk to speak to a board. “Their understanding of risk must expand outside of just technology,” Whiteside said. “There are so many issues surrounding compliance and regulations that are evolving on a regular basis, and a CISO must understand the risk those mandates impose on their company.”

In addition, CISOs must understand business risk. “This includes fiduciary risk, operational risk, and technology risk rolled into a bigger equation,” Whiteside said, “factoring in the overall impact to the company’s bottom line revenue, culture or people, whichever the company chooses [as] its most important asset based on that particular risk scenario.”

CISOs need to understand their role and place on the board, and keep in mind all of the areas they are responsible for in the organization, Steffen said. “It is possible, and likely, that they may have responsibilities outside of the realm of information security — compliance being one of those,” he said. “So they need to understand how best to contribute, while not overstepping their bounds.”

Finally, CISOs should have a good network of professionals in a variety of disciplines. “Most security professionals know that it is very difficult to achieve mature organizational security without help, either from third parties, vendors or those informal relationships among industry peers that can point [them] in the right direction,” Steffen said. “A CISO needs to have a strong address book to call on for anything that may arise.”