Why Every Public Company Should Have an InfoSec Exec on its Board (Part 1 or 2)
Brad Lindemann
CEO/Tech Exec Recruiter...trustred tech talent advisor...serving Tech Execs my entire career
A monstrous rogue wave of regulation will soon hit the boardrooms of every publicly traded company in America. Those who catch it, could be in for the ride of their lives. Those who don’t, may find themselves standing in the backwash wondering what hit them. This post is about riding that wave to a better and brighter future for your company.
Every CEO and Chairman of a publicly traded U.S. company should be aware of Senate Bill S.536 – Cybersecurity Disclosure Act of 2017 intended “to promote transparency in the oversight of cybersecurity risks at publicly traded companies”. The details of the bill first introduced on March 7, 2017 don’t matter nearly as much as the dreaded “T word” (transparency) contained in its introduction.
Like it or not…for better or worse…the federal government will demand increasing degrees of transparency regarding the oversight of cybersecurity risks within publicly traded companies. Why? Because they correctly (in my opinion) perceive such risks to be a matter of national security in far too many cases. Bummer. Before shooting the messenger, please know as King-for-a-Day, I would abolish 80% of the federal regulations before my first White House luncheon, but not this one should it become law.
A brief dive into the weeds of this bill reveals something all publicly traded company board members should be aware of. Section 2(b)(1) within S.536 says:
“to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience”
Meaning, our beloved Uncle Sam with both his and our best interests at heart, is fast coming to believe proper cybersecurity risk mitigation requires board level expertise. Uncle believes this so fervently he’s determined to make it a legal requirement. And I for one believe he will succeed…and hope he does. However, that is not why I support the spirit and intent of Senate Bill S.536.
I believe there should be a seat on every publicly traded company’s board occupied by an outside, independent and currently active cyber security executive. Why? Because a primary purpose of any board of directors is to mitigate risk and cybersecurity represents a significant (and increasing) risk to every company. No exceptions. Boards that minimize or ignore this fact assume risks that should be unacceptable to shareholders and will soon be unacceptable to regulators.
Mine is not a gloomy forecast, however. Companies stand to benefit greatly by being proactive in securing a top-flight cybersecurity executive for their board. Those who wait and see will see their candidate pool diminish quickly. The bigger the company, the bigger this problem becomes. A Fortune 100 firm should be seeking someone from a non-competing firm of similar or greater size. The viable candidate pool for such a firm is already very limited. There’s much to lose by waiting and much to gain by acting before the government forces you to.
Recommended by LinkedIn
I further believe that adding a cybersecurity executive (a.k.a. CISO) to the board should be the single most cost-effective risk mitigation move any company can take. In the short run, the company may need to create an additional seat for the CISO. Over time, however, the board should be reconstituted and could revert to its original number of seats. By simply not replacing the next member set to roll off the board, the cost of the new CISO seat is nil. Keep in mind, many CISOs (particularly those in larger firms) bring much more than cyber security expertise to the table.
What would be the primary responsibilities of a CISO board member?
Firms searching for a CISO board member should look for someone:
I’m tempted to add “battle-tested major breach experience” to the above list, but that would unfairly punish candidates who have done an exemplary job of avoiding major breaches. The challenge lies in determining if such candidates are very good at their jobs or just very lucky. Such challenges and the need for absolute independence from all fellow members and executives is among the many reasons to consider hiring a firm specializing in cybersecurity executive board member searches…a firm like Ambassador Solutions.
But wait, let’s flip the script before starting that search. Every public company should encourage their top cybersecurity executive to be on at least one board of a non-competing company of similar size. The experience gained by doing so could prove invaluable to his/her employer. And please, don’t force your CISO to burn PTO days while getting an invaluable education at another company’s expense. If you feel you must, have your CISO attend one less industry conference in exchange for the four days per year board duties will likely require. Now that’s a tremendous value proposition, don’t you think?
Speaking of tremendous value propositions, you will be very pleased with ours. To schedule a 15 minute CISO search discovery call, Contact us today to catch the wave tomorrow! Read Part 2 of this article.
REALTOR
5y😳😂🤣😊
Executive Director, OmniSOC | Occasional CISO
5yI'm going to offer a counter here to those who have commented that having a cybersecurity expert on the board is a bad idea, because consultants/advisors are more manageable and the board can't bring on a director from every area of expertise. While I don't think it's necessarily wise for every board to obtain a cybersecurity-experienced member, I do believe that it is crucial to get more cybersecurity professionals onto boards. As a matter of fact, I'm going to argue that the fears mentioned here about CISOs coming to board meetings wanting to talk about firewall rules and SQL injection is exactly why we need more CISOs on boards. A good CISO is half technologist, half executive. At best, any individual comes into this role with one of those two backgrounds. I, like the apparent majority, came in from a technical background. I expected to be a complete neophyte at the executive side of things when I began as a CISO, and I still am in comparison to some of the brilliant CEOs, COOs, CFOs, and CPOs I have observed. However, I'm absolutely killing it compared to many of the CISOs I know. Last year at a CISO/CIO/CTO only extension of an information security conference, I attended a panel on CISO-board relations. After opening remarks I asked a question: given how time and energy intensive it can be to maintain good board relationships, did the panel have any advice for me as I went from being a fractional CISO of three organizations managing three boards (and individual relationships with directors on those boards) to four to five organizations with their own boards? Suddenly, the panel and everyone else turned to me in shock. "Board members talk to you outside of board meetings?" a panelist, a fellow CISO, asked incredulously. At the panel, I was a bit flustered. It took me a moment to realize that several of the people around me were imagining that I'd gotten into a secret country club somewhere and was getting drunk with the board while playing golf. From my perspective, information security is important; if board members won't take the CISO's calls or answer her emails, I've done something wrong! I'm not special, or smarter than my colleagues. I have exposure that they don't. I'm a bleeding heart open source software and education fanatic, so I've been dragooned onto a handful of small nonprofit boards over the years. Because I have been a board member (including next to more experienced board members), I have an idea of the scope and level of things a board cares about. A board isn't a scary, alien construct to me. I know when something is worth putting in the quarterly report to the board, when it's worth mentioning in a side conversation to the only board member who cares about a niche subject, and when it's important enough to pick up the phone. I know how to bring things down to principles my board understands, like risk, instead of getting lost in technical details. My boards are thankful for this communication because I keep them from being blindsided. If boards want to stop being blindsided by lurking cybersecurity issues, information security professionals need to learn to talk to boards. This won't happen by merely demanding it. I've been called "a unicorn" because I came in to my first CISO role with this skill. Fixing this communication disconnect starts with getting CISOs board experience so that they can start passing the lessons learned down the chain of succession to future CISOs, VPs of security, and so on. Hire all the consultants you want, but until CISO-board relationships are fruitful and built from a solid foundation of the right kinds of communication, the board will not understand the cybersecurity posture of their organization and related business risks. Until CISOs understand the nature of a board, they won't manage that communication effectively.
Non Executive Director @ VisionR | Interim/Contract Consultancy Services
5yCompletely agree as it is becoming increasingly more important to put a security focus at board level. Unfortunately this is a complex area which needs suitable skills to understand and articulate the challenges and risks which public and, indeed, private companies face in relation to protection of data.
IT Security
5ySecurity people need to stop pushing for this, it's not good governance and it's not going to happen. If a Board needs specialist skills or understanding, it should call in advisors to assist when they need them (for example, during any Cybersecurity discussions as part of a Risk committee). If we had to have a dedicated Board member for every specialist topic discussed by a Board, there'd be 40 people on the Board.