Cybersecurity Board Director Candidate: Is That Board Interview Worth Your Time?
Board positions can be a great source of professional, intellectual, and social development, though, like all career opportunities, they come with gaps and challenges.
Board positions are an honor and an important milestone for a segment of senior executives. They can also be a source of professional, intellectual, and social development. Like all career opportunities, though, they can come with gaps and challenges, in particular if your skillset is technical and in the cybersecurity realm. Board positions also come with personal and legal liability that must be assessed and accepted. With the inevitable release of new SEC rules on cybersecurity, it stands to reason that many boards will start taking steps to search for new cybersecurity-literate and skilled directors, which could mean great opportunity for those with relevant skills. The emphasis is on the word “could.”
In an ideal world, boards would be ready, willing, and able to partner with new cybersecurity-focused directors. Unfortunately, that won’t be the case a lot of the time. We’ve seen this movie before, when there was resistance to finance-focused directors pre-Sarbanes-Oxley. To know what to expect from your ecosystem and company and their readiness, review our prior article on the forthcoming SEC rules. It will help you with items 1 and 2 below.
1) Assess cybersecurity literacy
2) Assess commitment to cybersecurity
3) Assess the likelihood of successfully negotiating an improved cybersecurity board governance model
If you find a great board team that is genuinely interested in managing cyber risk, the following are some topics to broach, either directly as you mutually interview for a prospective board position, or as a way to assess the board’s openness and leadership capacity to negotiate for these upgraded governance elements:
Things to consider from Eric Svetcov, from a CISO’s perspective:
“If there is one CISO/ex-CISO on the board (or at least a board advisor — non-voting CISO/ex-CISO present at each board meeting) and the board is willing to engage on business risks and treat Cyber risk as a business risk, I think that 90%+ of the battle is won.”
Eric suggests that you assess whether you will have access to the CISO, and that the following elements can indicate a positive and productive governance model. Are these dynamics present, or is there the potential to negotiate for governance that prioritizes supporting cybersecurity from a risk management perspective?
“The problem that the board can address is in enabling the risk owners to be accountable for making risk-based decisions — and then if the CFO overrules the budget for managing the risk, the CFO ends up becoming the risk owner as they have chosen to interject their opinion into the risk-based decision process and overrule the originally designated risk owner. The Board cannot leave the CISO unsupported — they need to make sure the risk owners are the actual accountable individuals regarding risk-based decisions — the CISO is not accountable for the risk (they are not the risk owner and have no control over budget approval beyond the request and communicating the business case). It is impossible to be accountable for something when someone else controls whether you can implement the controls you have chosen. Likewise, the risk owner cannot be accountable if the CFO or CEO overrules the decision of the risk owner — in this case, the CFO or CEO becomes the de facto risk owner and is accountable if the risk that the control was designed to mitigate occurs and a breach happens.”
What Most People Get Wrong About the CISO Role
Further, Eric’s view is that “the biggest problem with the CISO position is the mass delusion that the CISO is accountable for a breach (they cannot be). Either the risk owner or CEO/CFO will be accountable, as the CISO cannot implement the controls the CISO wants without someone else’s approval, and this veto eliminates CISO accountability. How can someone be accountable for something they do not control? The CISO can say we really need to perform both static code assessments and application vulnerability assessments at each release, but that slows down the sprint and introduces costs, and the CFO doesn’t approve the budget. How can the CISO then be accountable for a breach when an application defect results in compromise of the application and extraction of company data? Only in a world where the CISO is the designated scapegoat would the CISO be considered accountable and fired.”
Identify if That Board Position Can Be a Good Risk
There will be great board careers made from ambiguous, difficult, messy opportunities, just as with all career opportunities, and in particular with respect to cybersecurity. Do you personally have the leadership skills, together with the board, to propel that board to the next step of improved governance? If you do, then that board position may be worth the risk.
What could a board member expect from a high-functioning executive team and board on cybersecurity risk?
They might expect leadership (the risk owner) to be engaged collegially with the CISO, take the time to understand the risk and risk treatment options, and collaborate with the CISO to present the business case to the CFO/CEO to get the budget to implement an appropriate level of risk mitigation. The board members do not necessarily need to know the detail, but they need to know that this process is occurring and, if it isn’t, they need to explore how the board will make sure it occurs. Key to this is to clearly communicate that risk ownership lives with the business leader, not the CISO: the risk owner owns this decision and the CISO is his or her guide. Additionally, if the CFO/CEO overrule the risk owner’s and CISO’s budget submission, the CEO/CFO need to understand that they are taking the risk decision away from the risk owner and that the CEO/CFO is now the new risk owner.
How could this look in practice?
For instance, a brick-and-mortar store wants to expand to online sales and sets up an online store. The business goal is to expand sales beyond the geographic boundary natural to any brick-and-mortar chain of stores — if you have no store in a particular area, you will have near zero sales for that area. With an online store, there are no barriers to selling anywhere in the world (except for legal issues and potential costs — such as shipping costs — that make selling your product uncompetitive). The CISO’s role in this project is to work with the organization to embed the required level of security into the online store solution to allow the store to operate while managing the risk to an acceptable level.
An Aspirational CISO-Executive Scenario
How could this be done? The CISO will have conversations with various stakeholders (most especially the business owner, i.e. the risk owner, of the solution) and begin discussing compliance requirements, additional controls to manage risk to an acceptable level, and the relative costs of doing so. Compliance requirements are typically hard requirements that must be implemented (although some business leaders will choose to skirt some compliance requirements to save costs; this is reality, and the CISO will often fight this, as will the General Counsel and Chief Privacy Officer). Additionally, controls will be discussed that further mitigate risk.
What to expect from a great CISO:
“A truly valuable CISO will know enough about the business and the risk appetite of the organization to be able to make good recommendations of likely controls that will be implemented along with ballpark costs. CISOs that are less familiar with the business and business strategy will potentially suggest controls that are both too costly and too onerous to be implemented. In both cases, the risk owner will have conversations with the CISO regarding controls and risk mitigation and will eventually choose a set of controls that make sense for the business and meet the risk owner’s interpretation of the risk retention threshold for the organization.
This conversation should be unique to every organization and will include the specific business needs of the organization. The board would ideally make sure that these conversations occur and are productive.” — Eric Svetcov
“If they aren’t happening today, the board candidate needs to assess whether the organization is open to the conversations and can orchestrate them efficiently and usefully. The candidate should consider if they themselves possess all of the leadership, governance skills and relationships to execute the related workflows, and a clear understanding of a feasible roadmap and path to board and executive buy-in for said path.” — Sherri Douville
Some questions for cybersecurity board candidates:
1. Can the board candidate themselves bring the leadership and governance skills for the organization to engage in this manner on cybersecurity?
2. What support from the board would they need?
3. What would be the timing of initiating this after an initial listening phase of onboarding to a new board?
4. What steps could the board candidate take to build credibility and trust with the CISO, executive team, and board to lead this evolution?
Sherri Advises From a CEO/Board Perspective What Must Be in Place for Functioning CISO/C-Suite/Board Alignment
You need consensus on what the board expects from the CISO. You also need to find out whether expectations and consensus are clear and, if not, whether you have the skills and authority to drive buy-in on consensus expectations.
- How often does the CISO meet with the board? Quarterly?
- What the board wants to see: key initiatives and program structure
- When to involve the board: an annual report of cyber incidents at an agreed-upon threshold
- What they want to know — get ahead of things that will impact business and reputation
- Keep it brief: cybersecurity is one of many critical board topics
We hope this helps you filter and identify great board opportunities where you can make a real impact and continue evolving in all the ways board positions have the potential to provide.
At Medigram, we follow a unique, industry-leading code of ethics for research, publishing, and our work overall, in order to build trust and respect with all stakeholders. As a consequence, we’re pleased to release the results of this article’s plagiarism check, because copying without credit is untrustworthy.