Just 14% of CISOs possess desired traits for cybersecurity-expert board positions: Report 

4 min read


Join top executives in San Francisco on July 11-12 and learn how business leaders are getting ahead of the generative AI revolution. Learn More

A recent collaborative study conducted by IANS Research Artico Search, and The CAP Group has shed light on the qualifications of chief information security officers (CISOs) within the Russell 1000 Index (R1000). The study reveals that a mere 14% of these CISOs possess the necessary traits to serve as board directors in the cybersecurity field.

Titled “CISOs as Board Directors — CISO Board Readiness Analysis,” the study assesses the competence of CISOs across the top 1,000 U.S. public companies by market capitalization, focusing on five key traits that are highly sought-after in candidates aspiring for board positions as cybersecurity experts.

The report delineates the essential traits expected of board candidates, evaluates the preparedness of CISOs for such roles, and provides recommendations for companies contemplating appointing CISOs to these positions. To identify the vital traits required in a cyber board director, the research team thoroughly analyzed the profiles of current CISOs serving as corporate directors.

“We identified five traits: infosec tenure, broad experience, scale, advanced education and diversity — as differentiators for CISOs seeking candidacy for cyber-expert roles on boards,” Nick Kakolowski, research director at IANS Research, told VentureBeat. “These traits combine to form the well-rounded background that can be attractive to boards seeking a cyber-specialist who can meaningfully contribute to business risk and governance conversations.”


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.


Register Now

According to Kakolowski, the increasing frequency and magnitude of cyber-incidents have brought cyber-risk into board discussions. He added that boards that fail to contextualize cyber issues alongside other business risks overlook a critical area of concern.

“Failing to get visibility into cyber-risk as a component of business risk can lead to public incidents that erode consumer trust and shareholder value,” Kakolowski told VentureBeat. “Another recent quantitative research by The CAP Group also found that 90% of Russell 3000 companies lack a single board director with cybersecurity expertise, which is concerning.”

To identify the traits essential for these director roles, the researchers collected data from publicly available sources such as LinkedIn, executive bios, speaking bios, press releases and interviews. A team of cybersecurity experts and data scientists from various disciplines analyzed the data to ensure its accuracy.

A lack of appropriate cybersecurity talent 

Public companies are preparing for forthcoming rule changes by the Securities and Exchange Commission (SEC) that will require them to formally disclose the cybersecurity expertise of their board members. In light of these changes, the study brings attention to a worrisome deficiency in cyber-comprehension among a majority of boards.

IANS Research said it initiated this research project in response to reports of boards facing challenges in identifying and recruiting for director positions cyber-experts with the necessary blend of business and technical experience.

The study found that only 14% of the CISOs in the Russell 1000 were considered ideal candidates for board positions, exhibiting at least four out of the five key traits identified by IANS. An additional 33% were recognized as strong candidates, possessing three out of the five board traits. A significant portion (52%) fell into the category of emerging candidates, demonstrating only one or two traits.

Moreover, the study highlighted that nearly half of the Russell 1000 companies lacked a director with cybersecurity expertise.

While IANS identified five traits as crucial for board-level CISOs, the study indicated that possessing all of these traits is not always a prerequisite. Notably, the study mentioned that a CISO with executive-level experience in a global company generating over $50 billion in annual revenue could still be a strong candidate, even with less than five years of CISO experience, if they have held roles outside the cybersecurity domain.

Identifying the right CISOs for cyber board positions

When discussing the five key traits, Kakolowski from IANS Research highlighted that cross-functional expertise and experience within large-scale organizations hold significant importance.

“CISOs possessing these traits are more likely to have been faced with opportunities that would push them to develop the soft skills and business acumen needed for board roles. That said, treating any trait as a silver bullet or severe point of weakness would be misguided,” explained Kakolowski. “What matters is being able to tell a career story highlighting unique experience and expertise that can add value beyond specialized cyber-knowledge.”

He believes the current disparity in talent and qualifications is primarily due to a lack of exposure. Kakolowski added that a significant portion of the board’s value lies in incorporating external experience into governance decisions. The breadth of experience enables informed decision-making on a broader scale, surpassing the capabilities of a specialized expert siloed to their specific domain.

“Businesses have historically kept CISOs in the tech silo, limiting their access to sophisticated business risk conversations,” he said. “This is changing, but CISOs hoping to make a jump to board roles should invest in developing their soft skills, working on cross-functional projects, and diversifying their resume to gain the breadth of executive-level experiences needed to stand out as strong candidates.”

Based on these findings, the report suggests various strategies for identifying suitable CISOs for board positions. These involve conducting a comprehensive search, prioritizing diversity, considering board certifications, exploring alternative options by seeking individuals with security experience who may not hold the CISO title, and identifying candidates with the desired “it” factor.

“We set the line for viability at possessing three of the five board traits — meaning we believe their background would be credible in a board context,” said Kakolowski. “But that’s just the starting point; we recommend boards cast a wide search net to identify individuals with diverse experiences and unique qualities that are intrinsically valuable for directorship roles.”

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.


Source link