Why a CISO should be on your board.
Welcome to Cyber Security Today. It’s Wednesday, June 7th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
I’m away for a few days, so this podcast doesn’t have news briefs as usual. Instead I want to summarize a report released this week on the suitability of chief information security officers to be on boards of directors.
Why? Because the Securities and Exchange Commission has proposed requiring publicly-traded companies doing business in the U.S. to disclose the cybersecurity expertise of board members. What better way to show it than by putting an independent CISO on your board?
There are five traits boards should seek in candidates, the report suggests:
–first, experience in cybersecurity. The report suggests looking for people with at least five years of experience as a CISO
–second, broad experience on the business side of a company;
–third, experience working in information security for a large organization;
–fourth, holding advanced degrees in technology, business or law;
–and, fifth, to make sure the board has diverse views, pay attention to enlisting qualified women and minorities.
Finding candidates with all five traits won’t be easy. OK, finding the perfect candidate for any job isn’t easy. It will be even harder to find a CISO who has earned a board certification by passing programs offered, for example, by the National Association of Corporate Directors.
But a CISO who, for example, has a history of regularly meeting with the boards of firms they worked for as well as other members of the C-suite, would be a strong candidate.
The report urges companies to cast a wide search net for candidates and be ready to compromise. It may not be hard to find a CISO with over five years of experience, but harder to find one with a business degree.
Another possibility are people who are business leaders of cybersecurity companies, or tech leaders who haven’t been CISOs but are knowledgeable about cybersecurity.
Finally, the report says companies shouldn’t forget to look at a candidate’s soft skills. Can they provide governance guidance? Do they show empathy? Are they good listeners?
This report was done by IANS Research, a Boston-based cybersecurity research firm. There’s a link to it here. You will have to give a name and email address to get the report.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon
