Lack of CISO representation on corporate boards is a big oversight and a missed opportunity for companies, experts believe.
COVID-19 obviously introduced a new level of complexity as CISOs were tasked with securing a remote workforce and mitigating risks and threats. As the enterprise network became more porous, the unprecedented pace at which CISOs have had to adapt has fundamentally changed the way they address all security needs across the enterprise. However, a new research report released by Marlin Hawk reveals certain shocking gaps in the way the CISO role is currently functioning in the boardroom, in terms of reporting lines, knowledge gaps, diversity and inclusion and other areas, suggesting a lot more needs to be done by enterprises for the CISO to become a key driver of business transformation and lead the change in the post-pandemic world.
New working practices create greater risk for CISO
The good news is that, given the various solutions that have been put into place to enable a secure remote workforce, many CISOs see the benefits of sustaining it, such as access to better and more diverse talent. Many organizations find that a location-agnostic approach to hiring increases the candidate pool and raises the bar on the type of talent they can attract.
“The CISO role has become an interesting mix of digital and physical security,” notes Aman Raheja, CISO of US-based health insurance firm Humana. “The combination created new risk for CISOs, who had to architect solutions to ensure access to critical services and ways of working.”
Additionally, as remote work evolves into a more permanent, hybrid model for enterprises, changes in working and purchasing habits have emerged as a key differentiator for the Board. They frequently consult the CISO on a broad range of topics, which now includes things like investment decisions tied to real estate.
CISOs in high demand but tough to retain
The turnover rate for CISOs is incredibly high and, not surprisingly, often tied to compensation, a poor work culture, and a lack of resources. The study shows that 67% of those interviewed were hired by a new company, which translates to a poor job of retaining and promoting from within. Over half of the CIOs assumed a new role during the pandemic, while just over a third took on an expanded role at their current place of employment.
Given the need for vigilance in the CISO role, high turnover rates do not necessarily pose a problem if organizations have a robust pipeline of cyber talent in place to respond in the event of an exit.
“There are so many industries recognizing the importance of technology as a result of the pandemic, and therefore the importance of CISOs, thus creating much more demand,” said Jason Mallinder, Group CISO, Credit Suisse. “As this demand continues to grow, the demands on CISOs continue to evolve, including the talent agenda becoming ever more challenging.”
To that end, these security officers reported a discrepancy between a slated successor and the candidate who is named to the role. This breakdown in the succession planning process is likely due, in part, to a lack of exposure by potential successors to the Board. And despite this current failure, several cybersecurity executives interviewed believe that a succession plan is vital.
Overall diversity and inclusion (D&I) is lacking
On top of incredibly high demand, internal tensions exacerbated by the pandemic have created a need for CISOs who have soft skills to communicate across the business and manage distributed teams.
“The CISO’s number one responsibility is providing an independent voice,” notes Craig Froelich, CISO, Bank of America. “The role requires self-awareness and humility; good CISOs are willing to admit to themselves and others when they don’t have the same set of fresh eyes as day one.”
When it comes to diversity, a number of organizations have made significant improvements. Still, several have yet to tackle the issue of how to integrate diverse talent into their structure.
For instance, women account for 14% of information security leaders, and non-white candidates account for just 21% of CISOs at large global enterprises. This disparity needs to be addressed, but the issue is often compounded beyond equivalent roles across other functions in an organization.
Lack of influence/representation at the board level
Perhaps the most worrying trend is that, despite the fact that cybersecurity has emerged as a key priority for many corporate boards, representation of CISOs at the board level is low. The report reveals that only 1% of Boards include an executive that has spent the majority of their career as a CISO. Rather, information security leaders typically transition to the Boards of IT security providers, security platform companies, technology companies, or move to government posts. This distinct lack of cyber security oversight on the Boards of Fortune 100, FTSE 100 and other major listed organisations is concerning.
Lack of CISO representation on corporate boards is a big oversight and a missed opportunity for companies, the study notes. On the contrary, research reveals that helping your CISO gain a Board seat can have positive impacts on talent development and serve as a tool for retention.
Many CISOs emphasize the importance of at least including CISOs on advisory boards, which is where security executives tend to sit. CISOs may also chair the risk and controls committee for IT subsidiaries or technology companies where their employer holds a majority stake. Regardless of whether cyber talent is represented on the board, CISOs attested to the value of educating the board on how to ask insightful questions related to cyber security.
“The size of the boardroom table continues to grow, as governing a modern corporation continues to become more complex and less rooted in the purely financial lenses of the past,” says James Larkin, Partner at Marlin Hawk. “If companies aren’t ready to add another seat (for the CISO) to their Board, then councils and committees must bridge this gap until they are – be it internal or advisory adjuncts to the Board. Starting with a cyber security and customer trust committee is a good first step. Technology governance, data privacy, customer trust, and cyber risk are all starting to feel like different flavors of the same governance issue, and the issue is growing, not shrinking.”
The Future CISO
Digitalization has spurred the rapid growth of the CISO role in a relatively short period of time. Five years ago, information security was the core of the role; today, the CISO’s mandate extends out into areas like business risk, operational resiliency, product design and technology architecture.
“There is a technology strategist role that is continuing to emerge,” says Glenn Foster, CISO at TD Bank Group. “It goes beyond the security stack more broadly into questioning trust in our legacy technologies and where we need to make investments to mitigate against those risks. Where the CIO would traditionally be leading conversations about operational efficiency, you now see the CISO championing them too.”
Within industries that have greater financial and reputational risk, data security and data monetization have naturally pooled within the CISO’s mandate. In the technology industry, questions about the use of customer data have pushed organizations to establish a clearer link between digital trust and data privacy by expanding the CISO role into that of a Chief Trust Officer.
To be successful in the role today, cyber chiefs need to be more than just good technologists. Business leadership and talent management are now on par with subject matter expertise. CISOs need to be able to lead large, distributed teams and be capable of influencing across multiple facets of the enterprise, including the CEO and Board.