Published: 01 Aug 2019
For many corporate boards of directors, cybersecurity issues are at the top of the agenda now. As risks and compliance issues multiply by the day, it's dawning on enterprises that adding a board member who's all about security is a good idea. What makes it a perfect pairing is that many CISOs, CIOs and other tech-savvy professionals are interested in joining boards themselves. Boards of directors and cybersecurity leadership: two important groups for whom a merger is in order.
But it's not enough to be security-savvy. Many security pros are most comfortable communicating in tech-speak. To convey security risks and investment needs to the board of directors, cybersecurity pros also need to be proficient in board-speak to tie technology issues directly to the needs of the business.
To get CISOs and other executives ready for a seat in the boardroom and make a solid business case for what companies need to protect themselves, Alta Associates founder and CEO Joyce Brocaglia in May launched BoardSuited, an education company that offers an online course designed to help professionals prepare for a board director's seat. Brocaglia's 35-year-old executive search firm specializes in placing cybersecurity professionals in high-level security positions, and the new online course -- developed with ePath Learning -- was designed for CISOs and other senior executives.
We talked to Brocaglia recently about how security professionals need to prepare for a place at the table.
This interview was edited lightly for clarity and length.
What prompted you to create BoardSuited?
Joyce Brocaglia: Over the years, I've had a unique opportunity to witness the evolution of the cybersecurity industry and the professionals that lead it. I've been asked by CIOs and CISOs how to get a seat on the board. Until recently, when someone asked me that question, my answer was, 'Well, you want a seat at the table, but you don't really have any table manners.' Then I asked if they really understood how boards work, and whether they had new skill sets that would get them noticed and nominated. Only a small percentage of people asking me about getting on boards were truly what I would call board-ready.
We're also seeing a new surge of interest in diversifying boards of directors, and companies are beginning to recognize the value of having someone with cybersecurity knowledge as a board member.
What motivates people to want to be on boards?
Brocaglia: People are asking about boards for a number of reasons. Some are late in their careers and see board service as an extension of that career and as a way to increase their longevity. But a lot of people are interested in getting on boards so they can use their technical expertise as a subject matter expert.
What do people interested in pursuing a board seat need to understand about preparation?
Brocaglia: What people have to recognize is that they prepare for every other part of their careers, and board service is no different. Most people are really good at preparing for the beginning of their careers. But I tell people that what got you here isn't going to get you there. The network and skills that got you your role as a CISO aren't the same skills that are [going] to land you your first corporate board seat. So a course like BoardSuited really provides the fundamental knowledge of how boards operate and how [CISOs can] best position themselves to be noticed and nominated for board service.
What we're really trying to do with BoardSuited is increase the diversity of skills, gender and age, and give people this training earlier in their careers so they have time to course-correct or fill in the gaps.
How did you create BoardSuited?
Brocaglia: I saw a need for it, and we spent the last two years doing research, interviewing and videotaping currently seated board members, CEOs and venture capitalists. We combined a very robust curriculum along with insights from seated board members and C-level experts that really teach learners how boards operate, what the roles and responsibilities are, and guide them in creating a personal roadmap to the boardroom. The course gives them tools and templates and lots of ways they could practically put together a strategy that's personal to them, and information on how to write their board CVs, their bios and create kind of a pitch statement.
Why is now the time to bring onto a board of directors cybersecurity professionals or other leaders with security skills?
Brocaglia: MIT did a study that showed companies with three or more digital-savvy directors have 7% higher profit margins and 38% higher revenue growth. Many companies' existing board members lack cybersecurity skills. This is an exceptional time for people with cybersecurity or digital transformation skills. There's a new kind of board member called a digital director that really provides support and oversight to a company's digital strategy and helps the company mitigate cyber-risk.
Are companies mandated to have security experts on the board of directors?
Brocaglia: Although there's no law yet requiring a cybersecurity executive to be on a corporate board, we might be leaning that way in the future. A bill called the Cybersecurity Disclosure Act was introduced in Congress in 2017 and in 2019. Basically, it would require publicly traded companies to disclose whether any of their board members had expertise in cybersecurity. If they didn't, they needed to say what they were doing to back that up. [Note: The bill would amend the Securities and Exchange Act of 1934 to promote transparency in the oversight of cybersecurity risks at publicly traded companies.]
We're also seeing many boards establishing cybersecurity committees that oversee a really broad range of cyber-related issues that companies are facing -- anything from incident response to insider threats to third-party risk. So there are lots of opportunities specifically for people with cyber or digital transformational skills.
Is it still considered new thinking to believe companies need a specific cybersecurity person on the board?
Brocaglia: I think it's new thinking. For a cybersecurity person to be considered for an advisory board is quite common. But if someone is a one-trick pony and deep into technology but without broader business acumen, they're going to be less attractive for a large corporate board. It's nice to have a voice of reason on a board, so if there's an incident or a technology decision that needs to be made, they are looked to for their guidance and expertise. But they have to be able to articulate that in a way that shows an overall understanding of business governance and strategies.