Rona Bunn is CIO for the National Association of Corporate Directors (NACD), where she facilitates digital orchestration and leads information technology, data, and digital experience. A two-time Technology All-Star award recipient from Women of Color in STEM, Bunn previously served as CIO at the US Department of Commerce, International Trade Administration. She currently serves on the board of directors of the IT Senior Management Forum (ITSMF) and has held executive board positions at the National Society of Black Engineers (NSBE), Washington DC Metro Area Chapter.
After the show, we spent some more time talking about the mission of NACD and her advice to CIOs and CISOs who aspire to join a board. What follows is that conversation, edited for length and clarity.
A lot of opportunities were available to you. Why did you choose to go to NACD?
I was intrigued by the chance to drive a major transformation that will ultimately make a big difference in how the organization conducts business and responds to customer needs. I saw that there was a good core of people with the desire to transform at NACD, and that I could really help them get to the next level. That was important to me in the next role. So while other opportunities were much larger, this was one to use all the things I’ve learned during my career in business and technology to help the organization meet its goals.
Also, it’s the mission. I always want to feel like I’m doing good, no matter what I’m doing. If you unpack NACD’s mission, you realize that what we do is very important to society. We ensure that board directors can be effective in their roles, and that they have the tools to be able to govern through the rapidly changing business environment. As a critical part of the governance ecosystem, we impact the economy, social welfare, and all of those people who rely on these organizations to deliver the outcomes they need. Investors rely on the board to ensure they get the return they expect. And citizens and employees rely on the board to ensure the management team will treat them right and have their best interests in mind. That is a ‘doing good’ story.
How does the NACD help its members prepare for and manage cyber risk?
Cybersecurity oversight is a shared responsibility across the whole board. Because there may be other strategic needs for the board’s composition, it may not be feasible for boards to have cyber experts sitting on the board, as they only have a certain number of seats. Therefore, we have programs to educate all directors on cybersecurity.
We have a formal Cyber-Risk Oversight Certificate Program for our members, created in partnership with the CERT Division of the Software Engineering Institute at Carnegie Mellon University and Ridge Global. We’ve had more than 700 directors earn the certificate in this program through an ACB, and we continuously update it for changes in the environment. We’ve also published, in partnership with the Internet Security Alliance (ISA), the 2023 Director’s Handbook on Cyber-Risk Oversight. It’s the fourth edition, and been distributed to our 23,000 members and made available to the public. The handbook, which is endorsed by the Department of Homeland Security and the Department of Justice, guides directors on board-specific cybersecurity oversight and is one of our most downloaded publications.
For CIOs and CISOs who aspire to be on boards, what do they look for?
CIOs and CISOs have a prime opportunity now to start practicing and learning about engaging in boards as an executive participant in board meetings. The board wants to engage in value-added discussion. Tech leaders must go beyond focusing on preserving technology assets and enabling operational efficiency—that’s an old conversation. They must create multi-dimensional engagement with the board, and center things around opportunities to lead in business growth through technology, innovation, products and services, and spin-offs to the existing business.
CIOs and other CISOs also have an opportunity to educate the board, both on emerging technologies that will help the organization grow or manage threats, and on technology-related risks to the operations, strategy, cyber issues, and, depending on the industry, regulatory commitments. We know only about 42% of boards have representation from cyber-savvy leaders, so there’s an opportunity to educate and bring awareness to the risks around that.
Senior technology executives should also focus on technology’s strategic value. This is something we don’t necessarily do well as CIOs—look at the interconnection between the value of technology and cyber investments, and the ability to execute our strategy. There isn’t enough conversation and thought going into making sure we get everything in line to truly execute the strategy. You have to unpack the other capabilities needed besides the technology to ensure success, and the CIO should illuminate that for the board and other executives.
Accessing the performance of the current technology investments is another area that would provide value for the board. Asking questions such as:
- How well are they performing?
- Are we getting to the end of life?
- What are the finance implications of maintaining those investments?
CIOs should partner with CFOs to understand and quantify their operational performance, asking questions such as:
- Does the performance threaten success?
- Does it maintain competitiveness?
- Does it maintain relevance and understand risks?
Those are areas that the board wants to engage in.
In light of a lot of misconceptions, what’s the reality of a board commitment?
I hear all the time, ‘That’s going to be my retirement gig. I am going to get on a board and make $250,000 a year, and I’m going to show up four times a year and life’s going to be great.’ But the reality is, if you’re going to be on a board, you’re committing to those stakeholders—whether they’re investors, citizens, or employees. You also have a fiduciary duty to be responsible in the decisions and guidance you give to regulatory agencies, and the executives who run these companies.
It requires due diligence. Otherwise, there can be legal and financial implications. You must spend time understanding the industry in which the company operates, and the environment, and get to know the leadership team. If you don’t know about the industry and what those levers are that make the organization successful, you won’t be able to contribute effectively in the boardroom, much less give valuable input for evaluating risk or providing advice. You also need to keep abreast of all aspects of day-to-day change in the business environment, especially if you’re in a highly regulated industry. And it takes time to do that research.
Further, if you’re on a board, chances are you’re on at least one committee, maybe two, and that means you’re going to more than just four meetings a year. You may advise or oversee the executive team work through serious situations, and you have to do research to understand the issues. We help with that at NACD, but board directors have to study in order to understand how recent events need to be discussed and dealt with in the boardroom.
People might think a board role is going to be 16 to 20 hours a year, but realistically it may require 10 times that. This is one of the reasons why it’s difficult to get on a board while you’re working. There is a considerable time commitment to be an effective board member while you have to continue running your organization.
What does the path look like for a technology executive who wants to get on a board?
I boil it down to three things: experience, exposure and education. Your executive experience is great but it’s not governance experience. One way to get experience is by joining a nonprofit or small private board. You want to get a seat on a board that’s actually governing, though. The litmus test for a governing board is a board that hires and fires the CEO and holds the executive team accountable for strategy and risk management. You have to find the right board that gives you that governance opportunity.
You have to get exposure. To get on a board, you must be in the governance circle. Search firms look for folks, but they’ll only find you through networking. NACD is the largest network community of public, private, and nonprofit board directors who aim to expand their network of peers.
The last piece is education. You need to know what boards do, how they govern, and what the various committees are. You also need to know how to manage finances. If you’re a CIO, you may not dig into the finances, but you surely need to understand them if you’re going to be a board member and provide the right guidance and oversight to an organization.
What kind of education does NACD provide to prepare to be on a board?
The current programs we have are designed for executives in, or right under, the C-suite. We provide education to those at the director and VP level, and aspiring leaders who want to be on a board one day. But our programs are designed for those who are ready to transition, because it’ll be difficult to get a board seat if you don’t have C-level experience.
That said, there are really two buckets. Those currently on a governing board can become a member of NACD and pursue the NACD Directorship Certification. As part of the certification program, you’ll work through case studies that apply the concepts you’re going to learn through our extensive study guide. You’ll also get guidance from our advisors, and there are defined study groups you can join to help as well. It’s our goal to make the NACD Directorship Certification the standard certification for board directorship.
For aspiring people who’ve never been on a board, we offer the NACD Accelerate program that provides a path to the NACD Directorship certification. Through the program, participants receive two years of membership in NACD and can participate in education and networking events in board director communities. There’s also the foundational course, Virtual Directorship Professional, a boardroom fundamentals online training course with immersion into boardroom practices, which is about 15 hours of on-demand learning. The program provides a great start to understanding what boards do.
Getting that first board seat is like the challenge college grads often face: You need experience to get the job, but you need a job to get experience.
It’s difficult, and that’s why a lot of people take that first step on a nonprofit board. There are great organizations that can use the skills we have to offer. You’ll get hands-on experience and you can make a big impact on an organization. It’s a win-win.
For more insights from Bunn’s leadership playbook, tune in to the Tech Whisperers podcast.