
CISO in the boardroom: a new imperative for modern companies

Evolution of the role of the Chief Information Security Officer: from IT security expert to key board member


Today's business environment demands a strong, decisive approach to information security. This is reflected in the growing importance placed on chief information security officers (CISOs), who are gaining a prominent place on corporate boards. Chris Steffen, director of research at the analysis and consultancy firm Enterprise Management Associates (EMA), underlines the trend: "It is no longer acceptable that the role of security is subordinated to other technological priorities that the company may have." As risk visibility and regulatory compliance increase, many of the initiatives and controls organizations undertake will be security-related, often requiring intervention by the CISO.

The importance of CISOs on boards of directors

As security incidents increasingly feature in the news, boards must demonstrate that they take these issues seriously. According to Steffen, one of the most effective ways to do this is by elevating the CISO to a position of responsibility and authority on the board. At the same time, companies are becoming increasingly aware of cyber risk as a component of corporate risk and, as Nick Kakolowski, director of research at IANS Research, points out, they need CISOs to be part of board-level governance discussions.

The skills required of CISOs for a role on the board of directors

Despite the importance of the CISO role, research conducted by IANS Research, in collaboration with Artico Search and The CAP Group, has revealed that fewer than half of CISOs stand out as potential candidates for the board of directors. Furthermore, 90% of listed companies do not have even one qualified cyber risk expert, highlighting a significant gap between the demand for and the supply of cyber experts for boards of directors. Only 15% of CISOs possess the general skills required for executive-level positions, such as a holistic understanding of the business, a global perspective, and the ability to manage diverse stakeholders, while an additional 33% possess a subset of these skills.

Communication skills and understanding of risk are essential competencies for CISOs

In addition to cybersecurity expertise, CISOs must possess effective communication skills so that they can explain complex topics in a way that non-experts understand. They must also be able to understand and manage risk in all its aspects, not limiting themselves to the technological component. According to Larry Whiteside, CISO at RegScale and board member of several organizations, it is critical that CISOs understand business risk, which includes fiduciary, operational and technology risk. Ultimately, CISOs need to be aware of their role on the board and their responsibilities within the organization, bearing in mind that they may have skills that go beyond information security. Finally, to deal with any eventuality, it is essential that CISOs have a strong network of professionals in various sectors.


07/03/2023 22:15

Editorial AI
