Editor's note: Also read "Rewiring Boardroom Cybersecurity," a new playbook that lays out tangible actions for boards to strengthen cyber-preparedness and protect organizations from current and emerging threats.
Corporate boards are quickly realizing that cybersecurity is no longer an occasional topic of discussion, but an issue they can’t afford to overlook. Pressure from investors, regulators, and consumers, along with an uptick in cyberattacks over the years, is also propelling a new wave of previously untapped executives to be considered for a board seat: executives with a cybersecurity background, such as CISOs, cybersecurity general managers, former military members, among others. But are they ready for board service?
To bridge the gap between desire and ability to serve on a board, aspiring board members with a spike on cybersecurity will need to embark on a transformation journey.
For any executive, stepping into a governance role requires two fundamental things: a mindset shift from execution to oversight and a broader set of skills than your main area of focus. Because cyber experts, such as CISOs, have rarely been considered for board roles in the past, they don’t necessarily fit the typical board director mold. Little to no exposure to the board, organizational reporting structures, and a sole focus on cyber and IT issues are some of the barriers that have prevented most of them from developing a broadened business lens over the years, hindering their ability to step into a corporate directorship role. Yet, they have one of the most challenging jobs in an organization, being on duty 24/7 and held accountable—and even fired—when significant incidents happen.
Executives with a background in cybersecurity want to rise to the boardroom, and more opportunities will become available overtime, especially as regulations increasingly call for added expertise and as the threat of a cyberattack looms over every single company. Drawing from our experience working with boards and cybersecurity executives over the years, this playbook offers practical insights to enhance your readiness to land your first corporate seat.
1. Get Exposed to the Board
First and foremost, get board exposure. If you are a CISO or an executive working on cybersecurity issues, there are several ways to do that. One is by making the case to your direct supervisor, and especially the CEO, for hosting cyberattack simulations and tabletop exercises to your company board. The Cybersecurity & Infrastructure Security Agency offers a comprehensive set of tabletop exercise packages and tools to help CISOs and cybersecurity professionals conduct the exercise. These activities benefit the company by enhancing preparedness and resilience in the case of an eventual attack and help to keep lines of communication open between you and the board. Additionally, you should present to your entire board on cybersecurity issues regularly, beyond the risk committee which you may be more familiar with. By standing in front of the members and getting exposed to how they think and the questions they ask will help shape your own readiness for when board service arises.
2. Tap into Your Intellectual Curiosity
Boards don’t hire “one issue” candidates. If you’ve had little exposure to your company board and often feel you lack insight into the business strategy, tap into your intellectual curiosity. Think strategically about how cybersecurity and strategy are interlinked and what this means for your role as your company looks to grow, innovate, and conduct business as safely as possible. Map out the executives you are going to start engaging with and seek business intelligence. Having these high-level conversations in an ongoing basis will not only give you a broader outlook on where the company is headed but will make other executives include and seek your insights on these business conversations. We know many companies struggle to find an optimal reporting structure for their cybersecurity executives, namely CISOs: some report to tech, some to operations; others aren’t even at the C-Suite, but at the director level, but tapping into your intellectual curiosity and having these conversations will make you more knowledge about the business.
3. Engage with Other Departments
Now that you are becoming a business autodidact and have a clearer picture about what cybersecurity means for your company’s goals, it’s time to engage with the various company departments. Get involved with product managers to understand the underlying business aspirations for a new product. Start liaising with the marketing team to understand the consumer and how the brand is positioned in the market. Proactively seek out the knowledge to be well versed in the business world and the competitive dynamics of the business. “One issue” candidates don’t get appointed to boards, so ensure you are partaking in governance and strategy aspects of the business too.
4. Become an Innovation Enabler
As you navigate other departments and understands their scope of work, it is now time to apply that insight to your day-to-day operations. A successful cybersecurity executive will act as an innovation enabler while keeping everyone involved safe. For example, if marketing wants to engage with customers utilizing data, you will encourage them to do so while ensuring a high-level of security. There’s another layer you need to implement here: empathy for colleagues. You will act as a team player whose goal is to stay ahead of the competition, but if a project poses a big security risk, you will act with empathy to be understanding of the ultimate business goal and develop the optimal solution while keeping the company and its ecosystem safe.
5. Be a Storyteller
Cybersecurity can get very technical very quickly. A large part of your job is to champion the issue in a simple way and motivate employees to embrace good digital hygiene and act as the company’s human firewall. To be successful in enhancing cybersecurity preparedness, you need to be dynamic and have the storytelling skills to inspire people to be individual stewards of the company’s digital assets and systems. Apply your creativity and inventiveness to develop compelling ways to train and keep people hyper aware on cyber risk while keeping things simple. The same applies to the boardroom: Directors don’t need technical insights into cybersecurity. Their job is to ensure business continuity in the case of an incident, minimize disruption, comply with regulation, and safeguard investors’ interests as fiduciaries. Boards need less on technicalities and more on the implications of not paying enough attention to cybersecurity. At the end of the day, humans appreciate stories that are relatable, compelling, and have a message that resonates. Applying storytelling into your daily job will help you as you navigate your path to the boardroom.
6. Join Cybersecurity Networks
The next step on your journey to board-readiness is to expand your network beyond the company. You’ve built strong relationships internally. Now it’s time to step out of your company and proactively build relationships in the broader ecosystem. Galvanize your peers in the industry to share information and get smarter together. For example, after the security breach at Target in 2014, large retailers like Macy’s, Kohls, and others were being constantly hit by the same cyber gangs. Retail CISOs realized they needed to form a consortium to exchange information—this was one of the first group of CISOs to come together and share information. Joining a cohort of leaders like yourself, and by having these productive and important discussions, you can have a glimpse of what a board dynamic could look like as well.
7. Become an Advisor
Part of enhancing your board profile is becoming an advisor to other companies. Now that you’ve transitioned from a cybersecurity-focused expert to a more holistic business-minded executive, it is time to use your skills to benefit other organizations too. Sitting on advisory boards will be an important part of your development journey here. It will generate further business exposure and you will have more macro level insights on what other industries are facing.
8. Download our “Path to the Boardroom” Guide
After following the steps above, it is time to kickstart your board seat search. Drawing from our work with 600+ boards annually, Egon Zehnder developed The Path to the Boardroom, a real-world guide to help you find your first corporate directorship. From starting your search, to interviewing for a directorship, to getting off to a good start as a new board member, this guide will prepare you to confidently take a seat at the boardroom table.
Keep in mind that these are practical suggestions that you can embed into your routine as a cybersecurity professional, but no pathway to the boardroom is like the other. Each executive has a unique set of challenges and experiences that make their board journey unique. Egon Zehnder is here to support executives and organizations along every step of the way. Learn more about our Cybersecurity work.