CyberWire Daily - CyberWire Pro Interview Selects: Zan Vautrinot on boards.

Episode Date: December 29, 2021

During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Zan Vautrinot about boards. Like what you hear? Consider subscribing to CyberWire Pro for $99/year.

Transcript
Starting point is 00:00:00 I'm pleased to have the CyberWire hash table today, Suzanne Vautrinot. Zan to her friends. She is the president of Kilovolt Consulting, a U.S. Air Force Academy grad, a retired major general of the U.S. Air Force with three decades of experience in space and cyber operations. She also serves on the board of directors for Wells Fargo, CSX, Ecolab, and Parsons Corporation, plus Battelle and City of Hope. I can't think of anybody more qualified to talk about this subject. Zan, welcome to the show. Thank you, Rick. It is always, always a pleasure. In the early days, say the 2000s and early 2000 teens with cybersecurity, corporate boards didn't really have a lot of interest in corporate board experience from a security professional.
Starting point is 00:00:56 Clearly, there is some acceptance like in your case, but that hasn't been the norm. But with ransomware having a moment right now and President Biden publicly speaking about supply chain risk, do you find that corporate board recruiters are more inclined to seek board members with that kind of background, that kind of security background? Yeah, so you're asking, is there a greater opportunity for someone with a technology or particularly a security technology background? And the answer is yes. You've got an article that I sent you from a corporate director. Yep. It talks about the change in the way that they're hiring board members. And part of that is a significant increase in what they call non-traditional.
Starting point is 00:01:40 So if you think of the traditional board members as being former CEOs, former COOs, former CFOs, there is a significant increase in non-traditionals. And one of the big areas for non-traditionals is technology background. Some of that is technology because everything needs to move towards digital and you need a better understanding of how to build the enterprise. Part of it is the security issue that you just described and how much a part of risk that is for both reputation and operation of the company. So those skill sets are part of the growing desire by boards to bring in, we call it diversity, but it's diversity of skill. So now board recruiters are seeking people with tech backgrounds, with security backgrounds. How can you make yourself a better choice for those? What else do you need to be considered
Starting point is 00:02:38 a good candidate to be a board position besides your security or tech background? Let me put it in two places, what you've done and how you've done it. So what you've done should be a level of experience that's both depth and breadth. So if you are just a CISO and you've only done security and you've never managed large numbers of people, you haven't made big budget future strategic budget decisions about how to change the enterprise, if you haven't been at a level that says lots of people, lots of money decisions, strategic risk considerations at the corporate level, then you're probably not a candidate because it's not about the technical knowledge. It's about the full breadth of skill set and applying that technical knowledge to
Starting point is 00:03:34 corporate operations. The second area is how you did it. Do you have gravitas within your professional area? Do other professionals in that area respect your expertise? And have you contributed that expertise broadly? So that might be in universities, as a speaker, as an advisor, beyond a singular company, what's the breadth of your expertise? It might be in government. And that's why you see a lot of folks that were very senior in government with a technical background being selected for boards. So I'm trying to come up with a list of concrete jobs that say that a security executive like a CISO could pursue as they are moving up the corporate ladder to prepare them to be a board member somewhere, you know, at the top of their career.
Starting point is 00:04:31 So let me just give you a couple. Would M&A experience, would that be something the board members would want? Absolutely. experience, supply chain experience, HR from the standpoint of knowing how to bring people in and how to do professional development internally. On the flip side of that, knowing when to bring people in internally and make it organic and where to reach and who to reach to for third-party advisory. Having the knowledge of which friend to phone and how to phone a friend across the greater industry, certainly important. So in terms of practicality, you know,
Starting point is 00:05:15 CISOs could get involved and have been involved, right, in M&A transactions. They provide expertise to products, especially if they're a security vendor or a tech vendor. But how about soft skills, like maybe translating cyber risk into general purpose business risk? Does that feed into this? Yeah, I'll make that part of Gravitas. If you can't communicate at a senior leadership level, and if you don't know what it means to communicate at a senior leadership level,
Starting point is 00:05:48 the strategic as opposed to the tactical, if you will. And that doesn't mean you can't go to the tactical if you need to, but you need to come right back up to the strategic, the implications for the company level and understand what those are and be able to explain them in a way that somebody that didn't grow up in your cylinder of excellence completely comprehends and can align with other
Starting point is 00:06:13 considerations that they've got within the company. So you're exactly right. Do you need to have a formal education in business or can you pick that kind of stuff up by just studying what the CFO is talking about or studying the public papers that the company has to produce? Can you get there by doing it on your own? There's knowing and there's proving. So just like a CISO will have credentials from the technical side, it helps to have credentials from the financial side. So certainly you can learn it or you can demonstrate it by being in the CFO's office and being an advisor from the technical side. But the other
Starting point is 00:06:51 way to do it is take additional courses and have the credentials that you have learned this aspect of business. And is that a business degree or is there some other credential you can get that's more important? I think business classes also work and with each company, you know, what kinds of things indicate an expertise or a familiarity. So it's something you can discuss with your leadership as you're doing professional development and say, how can I learn this and how can I demonstrate that I have expertise in this area? And they should be able to help you from their company standpoint. Right. Demonstrate to you that I have that experience, right?
Starting point is 00:07:31 Exactly. What would prove to you that I have the experience? Not just that I sat in the meetings and was exposed to it, but that I really now have a firm understanding and an ability to then weave it into my Venn diagram of expertise. Is there anything that, let's say a newbie CISO is just kind of, you know, kind of new in the field. Is there something that he or she should be doing right now if they think they might want to be this person, you know, later in their career? Is there stuff they should be doing right now in terms of, I don't know, education, jobs, tasks, things to do that would
Starting point is 00:08:06 help them be more qualified for this? Sure. The first one is internal, and that is volunteer for things outside your comfort zone. If somebody says you're going to be part of internal audit or internal controls or part of an investigation or part of a large strategic exercise, take advantage of those opportunities because you will learn a lot more about the company. If there is a major push to do professional development, running the professional development for the company, either in the tech area or in another area that's important to the company, would be a great move forward because now you've become part of something that is both breadth and important to that company. You want
Starting point is 00:08:52 it to be outside your normal comfort zone because remember what I said at the beginning, it's not just about depth in your area of expertise, it's breadth across a number of different leadership expertise that are important. No one is hired to be on the board of directors that is a one-trick pony. You can't afford to. The board's not big enough to have a whole bunch of in the stable. on that board has a mix of experience, usually four or five key things that make them valuable and make them unique to the company and to the board. So the second thing I would say to do is do some research, particularly on companies that are in the industry that you're interested in or are the size that you would be appropriate for based on where you're getting your expertise? What's the
Starting point is 00:09:45 size of your company? Pull the proxy or the 10K and look very specifically at two things. How do they define their future strategy and where they want to go with the company? Because that's the conversation that you need to be able to have is, can you be relevant to making that kind of a strategic future happen? And if you look at a bunch of them, you'll see some consistency across different companies. If you can position yourself to have all of the expertise to help make that strategy happen, that's important. The second one is look at the type of people that they have on that board and what those skill sets are. And where do you stack up kind of looking at the matrix in each of those skill set areas and across how many blocks can you check that you have skill sets across that matrix? And that's where you want to develop yourself is to make sure that you have the broadest set of blocks you could check in what they're looking for and the greatest
Starting point is 00:10:52 depth in specific areas. I think it's important to recognize just like in everything else, how you work with others as you come through your career will matter when you're considered as either an advisory or a board member. If you are a collegial team player, that doesn't mean you agree with everyone all the time, but the way that you have conversations brings others into the conversation and gets to a better end. And the way that you communicate makes people want to bring you into a discussion or into a panel or other areas. How you go about doing your job is going to matter as a board member because that reputation will follow you. You can't all of a sudden become strategic and collegial at the end. How you demonstrate that all the way through your career will come up at the end. And so every day is that test. So there are a number of different types of boards that are out there. And I think my community,
Starting point is 00:11:56 my peer community doesn't really understand the difference. There's advisory boards, there's nonprofit boards, there's general purpose corporate boards, and then I'll throw another category out there, you know, Fortune 500 corporate boards. Is there any others that I'm missing there? Let's talk about public boards. And the reason we start with public boards is because the requirements are the most refined and specific because you have to prove to the investors and often to the regulators and to people that are interested in the company that your board has the right credentials to represent and to make sure that they can protect the company. It's the duty of care, duty of loyalty, duty of obedience kinds of things that they are looking for in all
Starting point is 00:12:46 board members. So those credentials become very important externally as well as internally to the board and the management. So that's the set that's probably the most formal. And it's really easy to pick up a proxy, you know, the annual statement for the company as they get ready for their votes, or the 10K, the annual financial report, which also reports on the status of the company overall. Those will carry a matrix that says, here are all the board members, and here's the area where they have expertise. And that matrix gives you a really strong sense of what was the intentional set of expertise and the diversity of those expertise and even the level, because you can look at the individuals and see the level and the type of expertise they have that made them valuable to a Fortune 500, a Russell 1000, to a public company. On the other end of the spectrum is a senior advisory board. A senior advisory board has no fiduciary responsibility.
Starting point is 00:13:56 It is a board that advises either one key individual in the C-suite, in the management side, in perhaps technology or in strategic thinking or in relationships and business development. But it is a specific defined role to advise some part of management on the future of the company. So think of it as a retained consultant. And usually senior advisory boards, you're retained for a year at a time, but it's generally a number of years. So, and there's a wide range of activity for these advisory board positions. I know I've been on several myself and they range anywhere from being, give us your opinion on our new product roadmap to help us think about the future of the company. Exactly. If you're going to go into a senior advisory board role, really important to look at the contract that you have with them.
Starting point is 00:14:58 And it'll usually be two or three pages, and it'll spell out what they're expecting you to do. Unlike a board of directors, the compensation is negotiable for an advisory board. They generally have a standard for a senior advisory board so that there's an equity for all of them, but not always. So it is negotiable for senior advisory and it has to do with level. What's your level as an expert? It also has to do with how much time they need. Is it a couple of hours a month or is it many hours a week? And it has to do with what they ask of you in terms of not having conflict of interest. If they want you to be exclusive, then that's an entirely different contract and level of compensation than if you are advisory to them and they're just aware of other things that you're doing. And then you just
Starting point is 00:15:51 have non-disclosure. And so they just trust you not to disclose across companies. But for an advisory board, that's what you're talking about. Based on what you said, there are the differences between what an advisory board position would be and a public board would be are very wide. When executive board recruiters are looking for new members, does being on an advisory board help? Does that give you extra points because you've had that experience or does it not matter that much? In my experience, it doesn't matter, although it may be part of your resume that shows a level of expertise or a level of interface. So, for example, as part of an advisory board, you were talking to board members frequently, which is not generally the case. Usually you're talking to somebody very
Starting point is 00:16:38 senior in management, but if you were talking to the CEO frequently as a result of that senior advisory, or if you were talking to congressional representation, or if you were speaking to international counterparts with management or on behalf of management, that would become part of your resume. But the fact that you're on a senior advisory board is not a credential. For a board of directors, the compensation is set and made public if it's a public board. And it's the same for everyone. It doesn't change that often. At best, every two or three years, it might change a little bit. And it's usually about half is going to be a cash retainer and about half is going to be equity. Occasionally, there are also meeting fees or stock options, but generally it's those first two categories and it's preset. I hate to get into details like this, but it's also the perks of travel and all that kind of stuff that they mandate because you have to go to meetings and things.
Starting point is 00:17:41 They cover all that stuff. Is that right? Yes, exactly. So all of your expenses in both cases for senior advisory and for board of directors, the expenses are covered and how you travel and how they'll reimburse and all those kinds of things, what level they'll reimburse to, you know, is it economy or first class and do they dictate which hotel you stay at or is it up to you where you stay? Do they provide a car or do you get a rental car? All of those things are kind of preordained so that there's consistency with everybody. This is all fantastic, Zan. I really appreciate you coming on the show and thanks for doing it. I can't wait to come up with the next topic so I can bring you on
Starting point is 00:18:20 sooner. It's always a pleasure and I hope that this helps you create some more great board members because board, we need a lot of them that have technical background and the ability to apply it to strategy.
