Boards of Directors are more involved than ever before in discussions and strategy around their companies’ cybersecurity and the solutions needed to prevent being the next big headline.
The questions they are asking are no longer as simple as “are we secure?” but more to the tune of “are we doing all we can to minimize or transfer risk, and what do we do in the case of a breach?”
Boards also want to know if there are scorecards that measure company security posture, whether the company is compliant with the most recent regulations, and if they have the security controls to demonstrate compliance.
This sea change also means Boards have new options: Do they act as change agents for cybersecurity? Do they get hands-on as decision makers? Is IT security so vital to the business that it should have direct representation on the board itself, as in a Security Director?
Many Boards have taken the first steps, for example requiring quarterly cybersecurity briefings - some presented directly by the CISO or VP of Risk Management - rather than relying on occasional or ad hoc updates. When it comes to actual board representation though, most companies subscribe to one of the following beliefs:
For many companies, the first two statements might be perfectly appropriate for now. In fact, most boards are opting to act as change agents, but only for risk transfer - recommending or requiring cybersecurity insurance for their organization.
But other companies have taken the leap. Sally Beauty Holdings, Huntington Bancshares, and others have specifically added board members with deep cyber backgrounds. What has changed that’s driven that choice? Should all boards be considering doing the same?
The answer is both yes and no. But if you think it’s a ‘yes’ for your company, or are on the fence, here’s a framework for crafting a recruitment strategy and making a more informed choice:
First and foremost, the candidate has to be a fully functioning board member! Ideally, they would already have served on boards of similar companies, would have been active in one or more committees (ideally risk or audit), and would be effective across the same broad set of board functions as other members. This person will need to have all of the critical board interpersonal skills that support and define leadership: ethics, integrity, crisis management, and more.
Ideally, any candidate should be required to not only have technical and cybersecurity expertise, but also financial, operational and executive level experience (C-Suite preferred).
Second, make sure the board member is a complement and a cultural fit with the executives in charge of executing cybersecurity (CIO, CISO, Risk Officer). The last thing you want to do is engage a Director who creates conflict or sends the wrong message to the existing officers and executives. Ensure that the boundaries set for the board member adequately deconflict any overlap.
Also, their cybersecurity domain expertise should be specific to the types of risk that would do the most damage to the organization. So, the board and the executive team need to do some technical diligence and soul-searching about which type of cyber risk is most important to your organization:
Based on which type of cyber risk is most critical to your organization, you can next begin determining which type of cyber expert you need. Do you need someone who can be a proxy for the CISO? Someone who is on Capitol Hill all the time and knows policy? A SOC and APT guru who has defended against nation-state attacks? Or do you need a cyber-training HR specialist who can raise security awareness across the workforce?
The table below is an example of how you might match your needs with the ideal candidate profile:
PROFILE 1: SUPER-CISO
PROFILE 2: RISK MITIGATOR
PROFILE 3: REG/LEG Expert
Former Multi-Time CSO/CISO
Previous Board background
Business Continuity Specialist
Focus on Incident Response
Cyber Risk Transfer
Data Privacy expert
Cyber Legislation Expert
There are several ways your company can go about seeking out the right candidate for what your organization requires.
Start your long-term search for this board member now, as it may take many months to find the candidate with the right qualifications, cultural fit, and of course the availability to take the spot. You can expect that there will be a great deal of competition in the marketplace for the top candidates, given that the prerequisite skills are in short supply.
A short list of action items in the meantime: