6 Things to Look for in a Cyber Expert for Your Board of Directors
A board of directors has the power to shape an organization significantly, which means it is also responsible for managing security. With the global cost of cybercrime expected to rise to $13.2 trillion by 2028, selecting a cybersecurity expert to sit on the board of directors should be a top priority for any company.
The benefits are numerous. An expert will:
Prove to be indispensable when there's a cyber issue. Often, a board of directors takes a while to understand the problem. An expert will grasp it immediately. They can explain it to fellow board members and start guiding the executive team.
Assist in up-leveling the company’s collective security posture. Suppose your board of directors has the cyber chops to help your CEO navigate the evolving threat landscape. In that case, your business can get ahead of the next attack with strategic risk management for today, tomorrow, and the future.
Provide essential strategic cyber guidance to executives when dealing with complex cyber operations, like digital supply chains or international geo-political cyber processes (as many cybersecurity experts are proficient in overseas cyber operations).
But how should you do it? What qualifies as cybersecurity “expertise” in this context? And how do you evaluate a candidate against the specific needs of your board?
Here are three essential components that make a cyber expert a good fit for a board of directors:
Extensive industry experience
Deep leadership experience
Skills that strengthen and complement the current board
If you noticed, none of those criteria include technical cybersecurity qualifications. Why? We assume that a cyber expert being evaluated for a seat on the board will have a broad working familiarity with cybersecurity concepts like attack surface management. In fact, this is our first of six criteria cited below. But they needn’t be a subject matter expert in a particular area to succeed in this role. More critical is the ability to think strategically and creatively, build strong relationships, and motivate and lead others in the context of cybersecurity.
This article will expand on these points. They are infused in the six most important criteria for selecting a cyber expert for your board of directors.
What Your Board of Directors Should Do
Let’s start by reviewing the roles and responsibilities of a board of directors. The list is extensive, but it provides a solid basis for figuring out where cyber expertise fits in.
Set an organization’s purpose and mission
Help set the strategic vision
Approve or appoint high-level positions (CEO, CFO, etc.)
Guide and lend insight to officers
Evaluate officers’ decisions
Introduce officers to key external personnel (sales prospects, cyber experts, etc.)
Identify and evaluate organizational risk (operational, financial, regulatory, reputational)
Serve on sub-committees
Set executive compensation
Help manage financial resources
Evaluate dividend policies and payouts
Recommend stock splits
Recruit new board members
Promote the organization in public and private forums
Oversee mergers and acquisitions (if applicable)
Establish and maintain a strong corporate governance framework
Devise an orderly succession plan for key leadership positions
Ensure stakeholder and shareholder interests are upheld
Communicate financial performance and strategic direction to shareholders and the public
Where Cybersecurity Fits In
If you look closely, the first seven points are directly linked to the driving force behind an organization and its focus. They show the board of directors has a role in guiding the company in the right direction. That directive must include cybersecurity.
Amidst the growing cyber threat landscape, security is now table stakes in all organizations, not just the Global 2000. Cybersecurity is no longer something that you can do reactively. It needs to be woven into the fabric of your business at all levels, from operations to culture to financial and strategic planning.
A cybersecurity expert on the board is an investment in a company’s security and future. It opens up a dialogue between the board and executive officers about safety, risk, and regulations, ensuring cybersecurity is a paramount focus.
But it is vital to get the right expert on the board. In evaluating candidates, you want a clear understanding of the value their expertise will bring, given the specific makeup of the current board.
To do this, focus on the following six criteria. Keep in mind that these points are not created equal. Some carry more weight than others. As such, we made the following tiering system:
Highly Encouraged = Essentially a requirement.
Ideal = Tough to find, but in a perfect world, you want it.
Nice to Have = Kewl, but not critical.
1. Broad Experience in Cybersecurity [Highly Encouraged]
Target an expert with a wide range of cybersecurity experience, not just someone focused on a narrow field. Your cyber expert on the BoD should have a comprehensive understanding of the latest cybersecurity technologies, tools, and best practices.
This knowledge will enable them to provide informed guidance on technology investments in several areas, not just a few. The objective is to help your organization remain current with evolving threats. Those threats will be seen in several areas (your supply chain, attack surface, proposed mergers and acquisitions, international relations, employee operations, etc.). Think of this expert as a jack of all cyber trades.
2. Active and Ongoing Insight into the Threat Landscape [Highly Encouraged]
You want an expert actively engaged in real-world and practical cybersecurity matters. Both the threat landscape and new defensive measures evolve rapidly. If your expert isn’t paying close attention and engaged in actual use cases, they will unlikely have relevant insights to benefit your organization.
For this reason, we caution against fully retired or purely academic professionals. Pay attention to the keywords in that sentence: “fully” retired and “purely” academic. For instance, a former Chief Information Security Officer (CISO) who now works remotely as a Virtual CISO (vCISO) would still afford you ongoing real-world experience. A professor deeply involved in malware research would also be considered someone currently addressing practical cybersecurity matters.
3. The Ability to Communicate Clearly [Highly Encouraged]
Your cyber expert must be able to share insight and information in a way that the rest of the board can understand. An essential skill is effectively communicating complex cybersecurity concepts to non-technical board members. Your expert must be skilled at simplifying technical information and articulating risks and their impacts on the organization in a digestible way that lends itself to easy understanding.
Your expert also needs to do this in an approachable manner so that the other board members will feel comfortable asking follow-up questions and engaging in healthy, productive debates.
4. In-Depth Experience as a Business Leader [Highly Encouraged]
The expert should be a proven business leader to ensure they can immediately make an impact. Being familiar with the complications of running an organization, or having years of experience running teams/programs, will allow them to start helping your organization balance security and business as soon as they join.
An experienced business leader should also understand the benefits of establishing relationships internally, so they can be most effective in understanding the scope of your organization's needs. This will help them enact vital strategic initiatives, like building a cybersecurity team, that get full buy-in and make a difference.
5. A Focus on Your Organization’s Specific Needs [Ideal]
In an ideal world, your cyber expert will have the experience and the demonstration of focus on your organization’s specific needs. For example, if you are a Software-as-a-Service (SaaS) provider, finding a cybersecurity expert with a deep and specific understanding of SaaS is desired.
In addition, you want them to have regulatory expertise over technical know-how (if you had to pick one). Continuing with our SaaS example, when serving on a board of directors, a cyber expert who knows SaaS regulatory and governance practices is preferable over one with SaaS systems integration knowledge.
6. Possesses a Creative Mind [Nice to Have]
Creative thinking enables individuals to look at things from all different perspectives to create something new, find inventive solutions, and devise creative compromises. This will be extremely helpful when balancing security and business. Let’s be honest, cyber is a cost center, but for most organizations, it is critical to have robust defenses and countermeasures in play.
Cybersecurity is a constantly evolving, high-stakes cat-and-mouse game. When bringing a cyber expert to your board of directors, you can significantly benefit from finding a flexible and innovative thinker to help guide security and business cost/benefit analysis.
Conclusion and Next Steps
Selecting the right cyber expert for your board of directors is critical for your organization's security. By using these six points as guidance, you can avoid missteps and add a valuable resource dedicated to your organization's security.
Why Horace Vandergelder. That is the nicest thing you have ever said to me. You better share this article with all your chums in Yonkers!
Are you looking to go to a persona page?
Cyber 101 | The Solopreneur | SMB | BoD