The SEC is finalizing rules that will require formally disclosing the backgrounds of board directors whom companies want to position as cybersecurity experts. But as I’ve written previously, up to 90% of all Russell 3000 boards lack even a single director with credible cybersecurity expertise. To put the shortage of cyber-ready board members in the corporate world further into perspective, consider research published in July 2022 by SpencerStuart: Out of the “456 new independent directors who joined S&P 500 boards in 2021,” a mere 18 (3.9%) had “experience leading a function such as cybersecurity, IT, software engineering or data and analytics.”
Finding board-level cyber experts is no small feat—and will likely require some creative combination of recruiting new cyber-savvy directors, engaging outside expert advisors and upskilling existing directors and officers.
While the SEC is demanding the release of resumes for those already on boards, companies without qualified board members in this area will have to identify the right candidates quickly. As company leaders try to fill these roles, they should consider one potential source of cyber-savvy directors: chief information security officers (CISOs).
Adding CISOs to Boards
In essence, CISOs already act as in-house cybersecurity experts. There’s a common perception that CISOs are overly technical; that they aren’t necessarily suited to transition from a largely operational focus on minute details to broad, strategic concepts. But given the breathtaking shortage of boards with even a single director with true cybersecurity expertise, company leaders should seriously consider CISOs for the job. CISOs can bring the technical expertise and knowledge that boards need to successfully steer companies in the right direction, technology-wise. This too is a gap—2022 research from Deloitte revealed that 38% of board directors and 42% of C-suite executives think that a “deficit in technology fluency on the board” is one of the top five challenges to “board oversight of digital, cyber, and new technologies.”
To gauge the viability of CISOs as board directors, my firm continued researching the issue. This time around, we analyzed Russell 1000 (R1000) companies in partnership with IANS Research and Artico Search. Our aim was to assess this CISO population objectively, moving beyond conventional wisdom and anecdotal opinions.
The Five Key Traits of Board-Ready CISOs
Our analysis identified the roughly 6% of R1000 CISOs who are already serving as board directors (board CISOs) and what traits contributed to their success. Those board CISOs shared five common traits.
Security tenure: A minimum of five years as a CISO and 10 years or more in security at large.
Broad experience: Experience outside security in functional roles, general IT roles or non-security consulting roles.
Scale: Leadership roles in multi-geographic or even global organizations.
Advanced education: An advanced degree in technology, engineering, business or law.
Diversity: CISOs from underrepresented groups who can help fill blind spots and support the meeting of diversity goals.
Roughly 14% of CISOs Could Be Good Candidates
Based on the five key traits of successful board CISOs, our analysis revealed that only 14% of the R1000 CISOs possess four or five of the key traits, making them strong candidates. Beyond this group, another 33% possessed three of the key traits, making them relatively strong candidates.
If all of the 14% were to be successfully recruited onto boards—which is highly unlikely—the overall shortage of cyber-savvy directors would fall from the original estimate of 90% to 76%. Unfortunately, this would still leave three out of four companies without a single director with cyber expertise. And while there may be some additional candidates with fewer of the key traits that we believe are vital, those additional candidates will likely not move the needle very much. So the bottom line is that CISOs can help, but not fully solve, the problem. Companies seeking bona fide cyber expertise that don’t manage to enlist CISOs will have to expand their search to other sources: business leaders at cybersecurity firms, CIOs with significant cyber expertise and external non-director expert advisors.
Soft Skills Are Vital
Company leaders looking to add CISOs to their boards should screen for two key traits: breadth of experience and advanced education. These two qualities are the biggest challenges for R1000 CISOs at large.
Diving deeper into the numbers, our analysis showed that 71% of board CISOs have broad experience, as opposed to an average of 32% across all R1000 organizations. Similarly, 62% of board CISOs have advanced education, compared with 38% across the full R1000. Board search criteria often include both of these characteristics as key differentiators and should continue to do so.
But soft skills are still vital. Boards tend to consist of highly talented and successful people who work closely together. Conversations are often nuanced. Topics are strategic and ephemeral. Collaboration requires clear, on-point discussions to make tough decisions. In addition, there is an expectation of polish and gravitas in such a setting. Given all of this, CISOs need to have strong communication, collaboration and decision-making skills in addition to strong technical skills. Unfortunately, soft skills are difficult to measure. Company leaders should do their best to evaluate CISOs for their interpersonal skills during the vetting process.
Start Now: Board-Savvy CISOs Won’t Last Long
Companies considering adding CISOs to their boards must act swiftly. Many CISOs will be interested in becoming board directors, but there are far fewer available than needed, meaning they are likely to quickly secure board roles. And given that being a CISO is a highly demanding job, most CISOs will likely be constrained to only one board role (and realistically, supporting even a single board will likely be a stretch for them).
R1000 companies seeking board-ready CISOs should start the search process now to increase the likelihood of getting a knowledgeable cyber expert on their board who will help them fulfill the new SEC requirements on the horizon.