Even though there is a growing demand for cybersecurity expertise at the highest levels of business, a significant number of public companies lack even one qualified cybersecurity expert on their board of directors, according to a study by cybersecurity research and advisory firm IANS. In addition, the study found that just a little more than one in 10 CISOs have all the key traits thought to be crucial for success on a corporate board.
In its CISO Board Readiness Analysis study, IANS evaluated the qualifications of CISOs in companies listed on the Russell 1000 index, the stock market index for the 1,000 largest public sector companies in the US.
“The transition from executive leadership to board directorship is profound, and many struggle to adapt,” said Brian Walker, cybersecurity advisor to corporate boards, in a statement accompanying the publication of the IANS study. “Our experience shows that info-sec tenure, broad experience, scale, advanced education and diversity are the five key traits found in those who are able to successfully move from executive to board director.”
To gauge the board-readiness of the Russell 1000 CISOs, the study sourced data from publicly available sources including their LinkedIn profiles, executive bios, speaking bios, press releases, and interviews.
CISOs lack board readiness
The study revealed that Russell CISOs lag significantly behind CISOs who currently sit on boards with respect to the five key traits identified by IANS. While the Russell CISOs fell behind the existing board CISOs in almost all the traits, the most significant gap was in cross-functional expertise: more than twice as many board CISOs as Russell 1000 cybersecurity leaders had such experience (71% compared to 32%).
Only 14% of the Russell CISOs were found to be ideal board candidates, possessing at least four of the five key traits listed by IANS. Another 33% were identified as strong candidates with three of the five board traits. A significant number (52%) were classed as emerging candidates, possessing only one or two of the traits.
The study also noted that nearly half of the Russell 1000 companies lacked at least one director with cybersecurity expertise.
“Finding a CISO with experience as well as the other factors will be a challenge, as the whole concept of a CISO has really not been around in the space for all that long (about 20 years, give or take – before then, it was a sub-category under IT/CIO),” said Chris Steffen, research director at analyst and consulting firm Enterprise Management Associates. “Keep in mind that there is a shortage of qualified InfoSec types everywhere, and at the leadership level most of all.”
Although IANS identified five traits as important for board-level CISOs, the study found that possession of all board traits is not always required. For instance, “a CISO with executive-level experience at a global company exceeding $50 billion in annual revenue, even with less than five years of CISO experience, can be a strong candidate if they have had one or more roles outside of cybersecurity,” the report said.
The study also noted an “it” factor that no metric can fully capture: in many cases, directors have a unique combination of individual traits rather than a single overwhelming “superpower.”
With these findings in mind, the report recommends a mix of strategies when looking for board-ready CISOs. They include casting a wide search net, prioritising diversity, considering board certifications, having a plan “B” that looks for non-CISO candidates with security experience, and looking for the “it” factor.
“Security considerations rank extremely high on the minds of executive leadership, and having a seasoned professional to lead the security program has changed from a ‘nice to have’ to a ‘must have’ position,” Steffen said. “With that said, getting outside help is probably not a bad idea for these positions. Those on the BOD that are going to interact with the candidate should talk to them, but also someone with a strong security background [should do so].”