How CISOs can Earn a Seat in the Boardroom

Nick Gagalis | October 29, 2014 | tag: Security in the Boardroom

It’s been a slow but sure evolution for the modern-day CISO. When the position made its debut in the corporate world, the CISO was a firefighter, constantly battling security issues as they arose. CISOs were usually hired only after a security threat affected a given company. They weren’t given access or authority, so it was hard to break out of the firefighter role.

The next step for CISOs was to become more strategic about their actions. (This is where a great opportunity lies for many companies today.) Instead of simply reacting to problems, CISOs at forward-thinking companies started predicting where future problems might arise and crafted their plans accordingly.

To become the value-driven executive that the board wants to work with, CISOs must take one more leap: they have to show how their actions both prevent problems and contribute to the company’s bottom line. It’s no easy task, but the process isn’t all that complicated. Make your performance metrics relevant for members of the Board, and you'll win their trust.


Why is this important right now?

This Security Week article discusses how CISOs are still being shut out of the boardroom and often aren’t given decision-making power. These circumstances have limited CISOs’ ability to become an integral part of the C-suite.

As one chief financial officer says, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”

I spoke with several executives to discover what it takes for CISOs to prove their worth. Their suggestions are listed below.

The best CISOs:

  • Bridge the gap between technology and business.

  • Are pragmatic in their efforts, realizing that their company needs to grow, but can’t do so too quickly or it will risk overexposure.

  • Work with and influence other executives so security is recognized as a people, process & tech initiative, not just a tech issue.

  • Get information security into the early planning phase of an initiative (as opposed to something that is tacked on in the later stages).

  • Shift the conversation from focusing on "what tools will make us more secure?" to "how secure are we now?"

  • Use context, stories, lessons, and answers to address issues.

How do they do it?

  • They encourage investments in personnel and technology resources via easy-to-understand data, shared with the proper context.

The Board’s Role

For CISOs and their companies to thrive, it takes involvement from the board as well. Boards must start taking responsibility for the cybersecurity of their companies. If they don’t, there will likely be financial repercussions for board members who fail to treat this issue as a critical priority in retaining and growing the value of the company (plus a knock to their reputations).

Boards also need to have high-level discussions around security and risk and treat them the same way as discussions about revenue performance, growth, investment, or other topics of interest.

The Good News

Things are changing for the better. 58 percent of board members admit that they should be doing more about security. If CISOs make it easy for higher-ups to understand the value of their plans, the Board will be eager to approve them. Those CISOs will earn a spot as an equal in the C-suite and finally get the support they deserve.

