Why would you expect your current CISO to sit on the Board?

JC Gaillard's column on cybersecurity

Research suggests only 14% of CISOs appear to have the skills required but does it really matter?

A recent survey by IANS Research highlights that only 14% of CISOs appear to have the skills required to sit at Board level.

The findings have been widely relayed on social media and commented on as if they were a surprise, but frankly why should we be expecting anything else?

Most CISOs I come across are still technologists by background and by trade, and their personal development over the past decade has been heavily conditioned by the constant firefighting of cyber-attacks.

Those are not the type of situations where you can be expected to build up the type of political acumen, management experience and personal gravitas that would be required to be credible in senior executive positions.

In these columns, we have been writing for years about the need to elevate the role and look for a different profile for the CISO to allow board-level engagement to take place.

That’s the only lesson I would take from the IANS survey: It does not make sense to expect most current CISOs to take a seat at Board level, and it could even be counter-productive to arbitrarily elevate unprepared individuals to that type of position. They have a role to play elsewhere in their organization, and there is nothing wrong with that.

If you want to inject cyber competence at Board level ahead of forthcoming SEC reporting obligations (that’s the background of the IANS piece), you should look elsewhere: There is no reason to expect that the first person you should consider appointing at Board level to cover cybersecurity matters should be your current CISO.

First of all, it is key to acknowledge that cybersecurity is not – and has never been – a purely technical discipline: That’s the first message the Board needs to hear and acknowledge.

Cybersecurity is fundamentally cross-functional, and its values have to permeate through all corporate silos.

This is not just a matter of culture and awareness, but critically, a matter of control and governance: That is in essence the spirit of the SEC regulatory intervention in that space.

In that sense, the executive carrying the topic at Board level should be a control-minded individual credible at driving cross-functional execution, respected by support and business functions and capable of facing regulators with sufficient gravitas.

It is a dated and dangerous view to consider that the same individual should also have a deep technical understanding of the underlying matters.

Dated, because – as mentioned above – cybersecurity was never a purely technical subject; and dangerous, because you might end up looking for a profile that simply doesn’t exist, waste time, and end up appointing a useless “jack-of-all-trades”.

What is required here is true leadership, in particular if cybersecurity maturity is deemed to be low and transformative efforts are required across the business.

The Board is a governance body; it has a duty of oversight: What needs to be embodied at Board level is the value of controls and key governance and reporting mechanisms ensuring the actual execution of protective measures across the firm.

Nothing else: The Board needs to own the topic in its own way, at its own level, in its own language.

It can rely on the expertise of independent directors, bring in additional ones if needed, or draw on specific ad-hoc expertise, but it is not the place for deep technical debates: the cybersecurity technical knowledge must be structured and developed elsewhere in the organization.

At Board level, embodiment is key: There cannot be any doubt across the firm that cybersecurity is on the Board’s agenda, and it needs to be reflected in the role titles of relevant Board members and the composition of their portfolio.

Having a Chief Security Officer position at that level, for example, sends that type of message and is increasingly what many firms should be considering, instead of pushing their CISOs up into untenable positions.

JC Gaillard

Founder & CEO

Corix Partners
