Top strategies: How CISOs can become board-ready – Source: www.cybertalk.org

EXECUTIVE SUMMARY:

Corporate boards are actively searching for CISOs who demonstrate technical expertise, but who also possess strong leadership skills, can communicate complex concepts to stakeholders, and who can align risk management, cyber security and overarching business strategies.

The growing momentum is driven, in part, by forthcoming SEC rules that will force public companies to state whether or not anyone on their board has cyber security expertise.

However, there is “high demand and low readiness level as it relates to CISOs’ abilities to smoothly transition to the board room,” according to the Pfister Strategy Group. In this article, we’ll provide valuable insight into fundamental strategies that can help CISOs build strong foundations for board participation.

Key highlights

• Many CISOs need to transition from tactical work to strategic work. These CISOs can expand the scope of their roles and prioritize security alignment with business enablement initiatives.
• By assuming the Chief Risk Officer role, CISOs can gain governance capabilities, robust knowledge, and conceptual frameworks that can enhance and advance board-level discussions.
• CISOs can also increase board-readiness by enrolling in executive-level education programs and through active engagement with industry associations.

From tactical to strategic

Right now, many CISOs occupy tactical positions. A CISO who is accustomed to primarily focusing on cyber and technology risks may need to “open the aperture” and focus on broader enterprise risks.

In taking action around this, CISOs may wish to develop and implement a comprehensive risk assessment and work on a corresponding management framework that speaks to operational, financial, compliance and reputational risks. Known risks can then be prioritized and triaged based on their potential impact to the organization.

Further, CISOs can strengthen their skills by creating greater alignment between cyber security, risk management, and business objectives. Thinking in this way will enable CISOs to grow accustomed to how senior-level executives frame decision-making.

Broadly speaking, taking on the aforementioned types of projects and developing the corresponding knowledge and skills will prepare CISOs for C-level questions and conversations when they enter board rooms.

Assuming the Chief Risk Officer (CRO) role

Formally or informally, CISOs may wish to take on the role of the Chief Risk Officer within a company to expand horizons. The cross business-unit dialogues that take place will introduce CISOs to new perspectives – especially as they pertain to legal, compliance, and reporting.

This transition can also result in a more risk-aware operational culture, ensuring that risk management is a key piece of organizational decision-making and strategic planning processes. Everyone will become more accustomed to putting risk at the center of the conversation.

In assuming the Chief Risk Officer role, CISOs can gain governance capabilities, knowledge and intellectual frameworks that can enhance and advance board-level discussions.

Gaining comprehensive perspectives

There are a myriad of ways in which CISOs can gain comprehensive perspectives and advanced education that will enhance their credibility with board members and senior stakeholders.

For example, CISOs may want to enroll in executive education programs that are offered by reputable business schools or professional organizations. Programs like these cover topics such as corporate governance, strategic management, finance, leadership and more.

Active engagement with industry associations also enables CISOs to engage with leaders who can offer new insights and perspectives around enterprise risk management. Engaging in discussions is often one of the best and fastest ways to learn and grow.

More information

In essence, broad business experience is nearly a requirement in order for CISOs to join boards and to be considered board-ready. CISOs who have more experience with enterprise-wide initiatives, in non-cyber functional roles (CRO, for example), and/or who have worked to expand the foundations of their knowledge bases are prime candidates for board seats.

For more insights into cyber security leadership and the board of directors, please see CyberTalk.org’s past coverage. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.