Security in the Board Room

How CISOs can Earn a Seat in the Boardroom

Nick Gagalis | October 29, 2014

It’s been a slow but sure evolution for the modern-day CISO. When the position made its debut in the corporate world, the CISO was a firefighter, constantly battling security issues as they arose. CISOs were usually hired only after a security threat affected a given company. They weren’t given access or authority, so it was hard to break out of the firefighter role.

The next step for CISOs was to become more strategic about their actions. (This is where a great opportunity lies for many companies today.) Instead of simply reacting to problems, CISOs at forward-thinking companies started predicting where future problems might arise and crafted their plans accordingly.

To become the value-driven executive that the board wants to work with, CISOs must take one more leap: they have to show how their actions both prevent problems and contribute to the company’s bottom line. It’s no easy task, but the process isn’t all that complicated. Make your performance metrics relevant for members of the Board, and you'll win their trust.


Why is this important right now?

This Security Week article discusses how CISOs are still being shut out of the board room and often aren’t given decision-making power. These circumstances have limited CISOs’ ability to become an integral part of the C-suite.

As one chief financial officer says, “It feels like we’re constantly spending more on security, but I have no idea whether that’s enough or even what it does.”

I spoke with several executives to discover what it takes for CISOs to prove their worth. Their suggestions are listed below.

The best CISOs:

  • Bridge the gap between technology and business.

  • Are pragmatic in their efforts, realizing that their company needs to grow, but can’t do so too quickly or it will risk over-exposure.

  • Work with and influence other executives so security is recognized as a people, process & tech initiative, not just a tech issue.

  • Get information security into the early planning phase of an initiative (as opposed to something that is tacked on in the later stages).

  • Shift the conversation from focusing on "what tools will make us more secure?" to "how secure are we now?"

  • Use context, stories, lessons, and answers to address issues.

How do they do it?

  • They encourage investments in personnel and technology resources via easy-to-understand data, shared with the proper context.

The Board’s Role

For CISOs and their companies to thrive, it takes involvement from the board as well. Boards must start taking responsibility for the cybersecurity of their companies. If not, there will likely be financial repercussions for board members who fail to treat this issue as a critical priority in retaining and growing the value of a company (plus a knock to their reputations).

Boards also need to have high-level discussions around security and risk and treat them the same way as discussions about revenue performance, growth, investment, or other topics of interest.

The Good News

Things are changing for the better. 58 percent of board members admit that they should be doing more about security. If CISOs make it easy for higher-ups to understand the value of their plan, they will have the Board eager to approve it. They will earn a spot as an equal in the C-suite and finally get the support they deserve.

