A recent joint study conducted by IANS Research and The CAP Group has shed light on the qualifications of Chief Information Security Officers (CISOs) within the Russell 1000 Index (R1000). The research shows that only 14% of these CISOs possess the necessary skills to serve as cybersecurity board directors.
Titled “CISOs as Board Directors — CISO Board Readiness Analysis”, the study assesses the competency of CISOs among the top 1,000 U.S. publicly traded companies by market capitalization, focusing on five key traits highly sought after by candidates striving for board positions as cybersecurity experts.
The report outlines the essential attributes expected of board candidates, evaluates the readiness of CISOs for such positions, and makes recommendations for companies considering appointing CISOs to these positions. To identify the vital traits required for a cyber executive, the research team thoroughly analyzed the profiles of current CISOs serving as corporate executives.
“We identified five characteristics – infosec tenure, breadth of experience, scale, advanced education and diversity – as differentiators for CISOs seeking candidacy for cyber expert positions on boards of directors,” Nick Kakolowski, research director at IANS Research, told VentureBeat. “These attributes combine to create the well-rounded background that may appeal to boards of directors seeking a cyber specialist who can make meaningful contributions to business risk and governance conversations.”
According to Kakolowski, the increasing frequency and scale of cyber incidents have brought cyber risk into governance discussions. He added that boards that fail to contextualize cyber issues alongside other business risks are overlooking a critical concern.
“Failing to understand cyber risk as part of business risk can lead to public incidents that erode consumer confidence and shareholder value,” Kakolowski told VentureBeat. “Another recent quantitative study by The CAP Group also found that 90% of Russell 3000 companies do not have a single board member with cybersecurity expertise, which is concerning.”
To identify the traits essential to these directorial roles, the researchers gathered data from publicly available sources such as LinkedIn, executive biographies, speaker biographies, press releases and interviews. A team of cybersecurity experts and data scientists from various disciplines analyzed the data to ensure its accuracy.
A lack of suitable cybersecurity talent
Public companies are preparing for upcoming rule changes by the Securities and Exchange Commission (SEC), which will require them to formally disclose the cybersecurity expertise of their board members. In light of these changes, the survey draws attention to a worrying lack of cyber understanding on the part of most boards.
IANS Research said it initiated this research project in response to reports from boards of directors regarding challenges in identifying and recruiting cyber experts for director positions with the necessary mix of business and technical experience.
The survey found that only 14% of CISOs in the Russell 1000 were considered ideal candidates for board positions, with at least four of the top five traits identified by IANS. Another 33% were recognized as strong candidates, with three of the five board characteristics. A significant proportion (52%) fell into the emerging candidate category and showed only one or two traits.
In addition, the research highlighted that nearly half of Russell 1000 companies did not have a director with expertise in cybersecurity.
While IANS identified five traits as critical for board-level CISOs, the research indicated that possessing all of these traits is not always a requirement. In particular, the study noted that a CISO with executive-level experience in a global company generating more than $50 billion in annual revenues can still be a strong candidate even with less than five years of CISO experience if they hold positions outside of the cybersecurity domain.
Identification of the right CISOs for cyber governance positions
In discussing the five most important traits, Kakolowski of IANS Research emphasized that cross-functional expertise and experience within large-scale organizations are of great importance.
“CISOs who possess these attributes are more likely to be confronted with opportunities that would drive them to develop the soft skills and business acumen needed for board positions. That said, it would be misguided to treat a trait as a silver bullet or a serious point of weakness,” Kakolowski explained. “What matters is being able to tell a career story that combines unique experience and expertise and emphasizes being able to add value beyond specialized cyber knowledge.”
He believes that the current disparity in talent and qualifications is mainly due to a lack of awareness. Kakolowski added that a significant part of a director's value lies in bringing outside experience into board decisions. That breadth of experience enables informed decision-making on a broader scale than a specialized expert confined to a single domain can offer.
“Companies have traditionally kept CISOs in the tech silo, limiting their access to sophisticated business risk conversations,” he said. “This is changing, but CISOs looking to make the leap into board positions need to invest in developing their soft skills, working on cross-functional projects and diversifying their resumes to gain the breadth of executive-level experience needed to stand out as strong candidates.”
Based on these findings, the report proposes several strategies to identify suitable CISOs for board positions. These include conducting an extensive search, prioritizing diversity, considering board certifications, exploring alternative options by looking for individuals with security experience who may not hold the CISO title, and identifying candidates with the “it” factor.
“We set the boundary for viability by possessing three of the five governance traits – meaning we believe their background would be credible in a governance context,” said Kakolowski. “But that’s just the starting point; we encourage boards to cast a wide search net to identify individuals with diverse experiences and unique qualities that are intrinsically valuable for board positions.”