“It’s like any professional functional area. Not all audit partners or CFOs are ready for the boardroom either,” Zukis says. “So, there are some CISOs that are ready, willing and able right now–more than they’re given credit for. And there are some that can get there with the right development, coaching and mentorship. And then there’s some that will need a lot more experience and development to be there.”
Corporate governance issues and procedures training
Even those CISOs with deep pools of expertise in cybersecurity and tons of experience working with different lines of business may still need additional development and education on corporate governance issues and procedures. This is where executive training and certifications can potentially come into play to help them get up to speed.
Perhaps one of the most well-known certification and education programs on this front is the NACD Directorship Certification. Hutchinson said it was a good refresher for her on governance learnings that she initially picked up in her MBA education, obtained earlier in her career. “It was a good reminder as to the purpose of the BOD, specifically as we expect new rules from the SEC,” she says.
But that’s just one of many specialized programs available to CISOs looking to fill in the knowledge gaps and strengthen their governance chops. Business schools like Northwestern Kellogg, UPenn’s Wharton, and Columbia all offer corporate governance executive programs. Internationally there are also classes and programs like INSEAD’s International Directors Programme, Corporate Governance Institute’s Diploma in Corporate Governance, and Institute of Directors’ Chartered Director Programme, as well as the aforementioned IBDC.D.
Meantime, Zukis’ DDN is seeking to specifically help CISOs and other technology experts with a comprehensive masterclass on boardroom readiness for tech executives, one of the only programs globally focused on this niche.
Taking classes like these provides CISOs the opportunity to understand the full scope of responsibilities for board governance, says Bob West, CISO for Palo Alto Networks and a veteran security practitioner who is systematically building his career track for an eventual spot on a public board. Even with a lengthy and robust resume as a security practitioner and consultant, and an MBA, he’s still taking the time to boost that with executive training courses. He’s currently working through a board director prep course through KPMG, and he says he took the governance course through Wharton last year.
“That really helps provide another lens for when you step into the boardroom for a meeting: ‘Here are all the things you need to care about,’” he says. “I think those types of courses are very helpful for people in general. It gets you part of the way. Maybe just enough to be dangerous.”
Building the right mix of professional experiences
While directorship courses and certification can provide a needed boost, nothing trumps the school of hard knocks. All the experts agree that before considering executive education, CISOs should first ensure that they’re regularly encountering professional experiences that expose them to business-level decision-making.
One of the biggest professional gaps uncovered by the IANS study is in cross-functional expertise. The research showed that only about a third of CISOs have broad experience with strategic board-level decision-making, standing in stark contrast with CISOs who currently hold board positions, of whom 71% have that cross-functional box checked.
“Applied experience is always worth more than theoretical experience. CISOs who can broaden out their role, broaden out their perspective, broaden out their value proposition across the organization, will be served much more from that applied experience,” says Zukis. “The secondary path is the classroom and the executive education. That stuff is good, but it doesn’t replace having been there and done that.”
The most obvious first step in that route to relevance is for CISOs to be sure they’ve built solid relationships with their own board directors and are learning from those experiences. “CISOs that aren’t having regular engagement, and arguably a relationship with the board, will need to build that experience before ascending to the seat,” Hutchinson says.
For CISOs currently stuck in more tactical positions, the way to get there is to start finding ways to take responsibility and track a broader set of enterprise risks beyond just the typical cyber threats. This is probably one of the most important ways CISOs can ready themselves for a board position, says Wang.
“I think a CISO should consider a journey to be the chief risk officer of the company. That would be a really great thing to do, whether you have the title or not,” Wang says. “In doing so, you’ll get experience working with different business units and different perspectives — including legal, compliance and so on. These interactions will prepare you to have the right mindset and experiences for serving on a board.”
Making lateral moves across industries may not be a bad idea either, she says. “If you’re CISO for a particular industry and you move to a different industry, you’ll get exposed to a different set of risks, which is great for expanding your horizons,” Wang says, explaining that she knows several CISOs who have greatly bolstered their experience by jumping to different industries. “They really have a very enriched view on cyber risks and other risks as a result.”
Broadening perspectives could also potentially be achieved by pivoting into consulting and making forays into vendor land to build out business expertise, like West has done. He’s had a number of stints as CISO at financial services organizations but has also buttressed that with years of consulting and management experience at Deloitte and Ernst and Young, which he says has helped him learn the “right way” to communicate with directors.
“The more that you can bulk up on business strategy and overall business operations, the better. That becomes tremendously helpful because you don’t just want to be a one-trick pony on a board,” he says. “You don’t want to be the person that’s adding value for 10 minutes out of the whole day. You want to be able to add value throughout the board’s discussions.”
He’s also building experience through serving on nonprofit boards. The most valued of those experiences is his work for USA Track & Field Foundation, where he explains he’s been serving alongside a number of high-powered CEOs from organizations like American Express, Blackstone, and NASDAQ. “Where I’m going with that is that they’re used to a lot of rigor in their boards (at their day jobs),” he says. “So that’s been very, very instructive in understanding how disciplined boards function.”