CISOs on the Board
A survey finds CISOs can bring needed technology experience to boards.
As part of its 2022 Global Chief Information Security Officer Survey, executive search company Heidrick & Struggles looked deeply into the role of the CISO, examining compensation, stress levels and the need for diversity. One aspect of note in the report was CISOs’ interest in board service. The survey found that 56% of respondents saw board membership as their ideal next role, but just 14% currently sit on a corporate board. Matt Aiello, a partner at Heidrick & Struggles, spoke to us about not only the chasm between interest and participation, but also the value CISOs bring to public company boards and the reasons he thinks the number of CISOs on boards will continue to increase.
Directors & Boards: The survey found that over half of CISOs surveyed have an interest in becoming board members. What do you think it is about the board role that CISOs find to be of particular interest?
Matt Aiello: CISOs often have a mission mindset, and board service is an opportunity to take their mission and skill set to the highest governing level of an enterprise to oversee risk, influence strategy, and ultimately help build trust with stakeholders. It is the most meaningful way to impact an enterprise that isn’t their own. It can also give CISOs broader exposure to the business, geopolitical and strategic risk conversations that are not usually a part of the CISO role.
DB: What specific value do you believe CISOs bring to public company boards?
MA: Every board needs to understand cybersecurity and the associated risks. Right now, boards are very often bringing their CISO into the boardroom for updates. In fact, 88% of CISOs said they report to their board at least once per year, but only about 4% of current CISOs sit on boards. We’re already seeing CISO demand and compensation rise and their reporting structures evolve, and we expect the number of CISOs on boards to increase as companies increasingly focus on and invest in cybersecurity.
DB: The survey finds that boards frequently prefer directors with previous board experience, and many CISOs lack prior experience. Are there steps CISOs can take to overcome this limitation?
MA: CISOs should get on a governing board of some kind as soon as they can — anything from a nonprofit, school board or the governing corporate board of a start-up. They should prioritize that over advisory boards – which CISOs are often asked to be part of – because advisory boards are not responsible for managing risk and protecting shareholders. CISOs should also invest in relationships with executives that they’ve worked with in the past who are on boards to seek counsel on how they joined a board, and how to best prepare to serve in that capacity.
DB: The report says, “In the future, we expect more companies to consider adding CISOs to their boards.” What are the factors that you think will drive boards to add CISOs in increased numbers?
MA: Increasingly, boards are considering the value of having a seasoned CISO on the board or access to the expertise the board needs – through advisors – that can help ensure the board is thinking about cyber as part of the enterprise corporate strategy, not as an ad hoc concern. Our data shows only 14% of all CISOs sit on a corporate board, or both a corporate board and an advisory board, which signals that there is still room for this role to evolve. The SEC’s proposed cybersecurity rule changes could have a huge impact on corporate boards, as boards would need to account for how much they understand the cybersecurity state of the company.
Boards have several mandates that CISOs fit nicely into. Perhaps the most obvious responsibility is to evaluate and manage enterprise risk. CISOs can provide value by chairing a tech risk or cyber committee, maintaining healthy relationships with the CISO/CIO/CTO, and educating other board members on good questions to ask to ensure risks are being evaluated, ranked and mitigated.
The second area a CISO can affect is strategy. Cybersecurity companies (i.e., firms that sell software/hardware/services to CISOs) would most readily benefit from a CISO on the board, as they bring the customer perspective. However, cyber is increasingly being folded into the corporate strategy of nearly every company as they embrace the concept of customer trust. Trust combines cyber, privacy, ethics and other areas to ensure customers know that their data, finances, and goods and services are in safe hands. Also, many CISOs have training and networks in government and national intelligence organizations to support understanding geopolitical trends impacting the company.