Attracting an expert
How can companies put their best security foot forward to attract top cybersecurity talent to the board? Companies often don’t look at their own cyber track record and vision for their security future before starting the interview process. Board advisers and cybersecurity pros offer five points to consider before interviewing a cybersecurity expert for the board.
1. How and how much will they contribute to the board?
Board members with security expertise often “feel they’re more of a checked box than a participating, core part of the board,” says Tammy Moskites, CISO at Venafi and former CISO at Home Depot and Time Warner Cable. Most high-level cybersecurity experts want to participate in all board activities and add value across the organization.
Some companies believe that the mere presence of a cybersecurity expert on the board will make a difference to shareholders, but in reality the board has no plans to leverage all of the expert’s knowledge, Moskites says. She once walked out of an interview for a board position when she realized the company’s intentions. “They said, ‘you really don’t need to be involved too much, but can you make these meetings four times a year?’ I said, ‘I don’t think this is a good match for us.’” In the end, the company never hired a CISO to the board, she adds. Moskites went on to sit on the boards of Qualys and Box, and she’s currently interviewing for another board position.
Cybersecurity experts also look for commitment to the mission. “If I’m going to contribute in cybersecurity, is the company, the board and the management team aligned in wanting to move forward in that area?” Vautrinot says. “You can tell early in the interviews if there has been significant consideration of these kinds of things.” She recalls her own experience as a candidate interviewing with Wells Fargo board members and discussing cybersecurity. “[The company] had completely looked at what its organizational structure ought to be, what kinds of capabilities should it be putting in place, what would be available now and what was going to be available in a few years, what was changing in the threat factors, and the regulatory environment that they had to consider,” she says. “You could see an intellectual and strategic commitment in the company to move forward in an area that you could contribute to, and you felt like you could make a difference.”
2. Plan to share the risk
Board members want assurance that risk will be shared. “The board can’t forego its responsibility about cybersecurity to the one director,” says Mary Galligan, director in the security and privacy practice at Deloitte. Galligan leads global boards of directors through cyber awareness, cyber education and war gaming exercises. “You don’t want to go on the board as the cybersecurity ‘expert’ and have the other directors say ‘that’s your own responsibility.’ No other committee works that way. If you’re on the audit committee, for example, you’re as responsible as the CFO or any financial wizard on the board,” she says.