Can Your Board Stand Up to Cybersecurity Risk?

Cybersecurity is a growing concern for large companies. Data breaches erode trust and can cost you millions. In the past year or so, several high-profile businesses — including X (formerly known as Twitter), LinkedIn, Roku, and Change Healthcare — have been successfully targeted.

Understandably, investors are growing more interested in how companies evaluate and handle cybersecurity risks. As a result, the SEC is now requiring companies to disclose the backgrounds of board members they position as cybersecurity experts.

If your business doesn’t have a board member with extensive cybersecurity experience, you’re not alone. Recent research has indicated that up to 90% of companies in the Russell 3000 don’t have a board member with a credible background in cybersecurity. 

The Russell 3000 includes the top 3,000 companies in the United States and about 96% of the country’s investable equity market. As you might imagine, then, this is a big deal for investors. 

So how do you go about adding a cybersecurity expert to your board? Consider training your Chief Information Security Officer, or CISO, for the job. Here’s how to tell whether yours is ready.

Why Adding Your CISO to Your Board Might Be the Right Move

In many ways, your CISO has begun unknowingly preparing themselves for the role. Here are a few reasons to consider promoting yours:

  • Your CISO is essentially already your unofficial go-to cybersecurity expert
  • Using a current employee is often faster and less expensive than an outside hire
  • Many CISOs can shift their technical focus to the whole-organization focus a board member needs to have

Nonetheless, you shouldn’t just blindly promote your CISO. First, take a look at the following considerations to ensure they’re ready to be a board member.

Is Your CISO Board-Ready? 5 Traits to Consider

Not all CISOs are automatically good candidates. Here are some of the traits your next board member should possess:

1. Tenure and Experience

When you’re choosing a new board member, you don’t want a serial job hopper or someone who’s still learning how your company does things. Instead, you want someone who has been with your company for five years or more. The longer a candidate has been with you, the more familiar they are with the risks your business faces on a daily basis.

When you promote an existing CISO, you already know that you’re promoting a company leader who is a good fit for your organization. And because they are part of your existing leadership, you know that they already have the respect of the rest of the company.

However, experience with your company is not the only experience that matters. Cybersecurity is a field that evolves incredibly quickly, and you want a CISO who has demonstrated their ability to adapt to and learn about new threats and innovations. As a general rule of thumb, you should hire someone who has been in the cybersecurity field for at least 10 years.

2. Experience in Adjacent Fields

Board members need to be familiar with more than just your company — or even your industry. The board must understand how your company relates to others within the industry and outside of it.

And if your company is like most other large organizations, your board members don’t just have backgrounds in a single position. They have often played many important roles during their professional careers.

When it comes to cybersecurity, you need someone who has both the knowledge behind cybersecurity theory and the experience to apply that knowledge. In many cases, it’s good to choose someone who has experience related to (but not identical to) cybersecurity.

For instance, check whether your candidate has worked as a technology consultant or in IT in general. Those backgrounds are solid indicators that they could be a good fit for the role.

3. Advanced Education

Field experience is important in any cybersecurity role. But it isn’t the only thing that matters when it comes to both fulfilling job duties and winning the confidence of investors. 

In cases where you’re looking to add someone to your board, seek a candidate with an advanced degree. However, that degree doesn’t necessarily have to be in cybersecurity. Those with degrees in law, engineering, or technology can also fit nicely into the role.

Now that investors are requesting detailed information on the backgrounds of cybersecurity experts, having an advanced degree is more important than ever. When the expert you choose has both an educational and extensive professional background in a related field, your investors will be able to breathe a sigh of relief.

4. Scale

A cybersecurity expert who managed security for a small business won’t automatically excel at performing cybersecurity for a larger company. Handling cybersecurity at a lower level is completely different from handling it at scale. 

Ideally, you want your new board member to have experience as a leader in a scaled organization. A person who has had leadership roles in global companies or companies with offices in multiple countries — especially as a C-suite executive — is ideal.

5. Diversity

Diversity shouldn’t be the only factor when it comes to hiring your board’s cybersecurity expert. However, it’s very much an area worth considering during your selection process. 

If your board is fairly homogeneous, bringing in a board member with a different background can shake things up in a good way. When someone with a different perspective evaluates a problem the board has been puzzling over, they might be able to offer a fresh approach or strategy that your other board members had not thought of.

Of course, this suggestion isn’t limited only to choosing your board’s cybersecurity expert. Diverse boards can combine their strengths to become more effective problem solvers on a greater scale. Additionally, many investors prefer to invest in companies with robust DEI policies.

Getting Ready for the SEC’s New Legislation

For many CEOs, the prospect of finding a cybersecurity-savvy board member can be daunting. But try seeing the change in a different light — when your other board members can regularly consult with a cybersecurity expert, your company will be that much better protected from online threats.