Increased cyberattacks and regulatory pressure have prompted calls for boards to step up their expertise and recruit cybersecurity experts into the boardroom. However, despite the long debates in the US and Europe by regulators, today, only 12% of boards have a subject matter expert in cybersecurity.
Thus, let us dive into the issue of what kind of expertise boards need and how both boards and experts can start to prepare themselves.
Requirements for the Boardroom
Serving on a board in itself is a very demanding job. The two main jobs are executing strategic oversight and managing the risk of the business. Human resource oversight, financial auditing, and Governance are all part of the former two and the regular tasks. Merges and acquisitions, IPOs, and crisis management come into play every once in a while.
Overall, the boards execute an advisory and oversight role. The day-to-day operations are up to the chief executive and the management.
Consequently, you find that board members are most often generalists who have a broad range of experience in managing companies, as well as with financial and legal experts. Additionally, most board members have exceptional people skills and are experts in lifelong learning.
State of Cybersecurity Experts
If you look at most cybersecurity departments today, they are on the smaller side, even within the IT community. Often, you find that there is at most one management level between the CISO and the front-line worker. Sometimes, the experts might even report directly to the CISO.
While the small teams contribute to the very agile environment needed to prepare for and react quickly to the changing landscape, it also means that CISOs often focus less on the overall business than their sales and finance counterparts. They also work in a high-stress environment, often leaving little time for cross-department projects and communication.
However, one overlooked aspect is that CISOs are often excellent at learning and filtering information. With the world of cybersecurity changing rapidly, that shouldn’t be a surprise. However, we might not speak enough about it.
The Reluctancy of Boards to Invest
Thus, the difference between the general requirements and the day-to-day life of a CISO shows why so few are making the jump. The average age of the CISO is 52, which often gives the perception that they may not have enough experience yet.
However, boards are also an issue. In many cases, boards are reluctant to remove members to change a focus and often wait out the mandatory retirement age. Thus, it is challenging to get onto a board unless someone is a proven business leader with board experience.
The steep learning curve, unique cultures, and the step from management to oversight contribute to the reluctance to invest in newcomers.
How Boards Can Still Pay it Forward
Yet, even with limited seats available, boards can still develop talent and step up their cybersecurity game.
- Advisory boards are one of the best tools available to a company. They can help get outside talent in front of management and into the boardroom without changing the board’s composition. They are also a great tool to attract younger talent and nurture them to take over a board of directors position soon.
- Mandatory learning opportunities and talent matrices are already part of numerous boards. Adding Cybersecurity and IT talent into the mix can add at least a minimum oversight to the emerging topic. Programs like NACD’s cyber risk certificate can help directors appropriately enhance their skills.
- Temporary size changes for a board are also a good solution, especially for private companies during transitions. They enable the board to add additional voices and expertise while retaining the experience of older board members until the newcomer is well-versed in the procedures.
Candidates should not be worried
While many boards haven’t added social security experts, time and regulations will change the situation. However, experts don’t need to wait. Networking still fills most seats in the boardroom. Thus, building your network will still help.
Enhancing the skills with business expertise and strategic initiatives will make the candidacy more interesting. Upskilling doesn’t have to wait for board seats to open.
While boards in the coming years will need to find additional expertise, change comes slowly, and it pays to be ready for it. Establishing an advisory board can help the board prepare candidates for the step-up. It will also help candidates to gain the first experience. While no one likes to wait, time will bring changes for boards and experts ready to take the chances.