CyberWire Daily - From board advisor to board member: evolution of the modern CISO. [CyberWire-X]

Episode Date: August 22, 2021

The recent frequency of ransomware attacks and heightened visibility of supply chain risks has garnered the attention of executive teams and boards of directors for companies of all sizes, across all industries. For CISOs, these recent events have significantly amplified the importance of establishing and maintaining effective relationships and lines of communication with boards of directors. CISOs are now spending more time than ever engaging, reporting, and answering to boards regarding questions around where their organization is on the cyber risk spectrum. For CISOs, this heightened risk environment presents both a challenge and an opportunity. In this episode of CyberWire-X, guest ret. Major General Zan Vautrinot and sponsor JM Search's Jamey Cummings join the CyberWire's Rick Howard to discuss how today's CISOs are challenged to develop an ever-expanding skill set to effectively execute in their role while also satisfying concerns and areas of interest of their board of directors. Jamey will also discuss how the evolving role of the CISO is unlocking opportunities for CISOs to elevate their stature, and can open the door for them to serve in board roles as companies are increasingly prioritizing information security and technology risk management skills for their directors.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Hey, everyone, and welcome to CyberWire-X, a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the Chief Security Officer and Senior Fellow at the CyberWire. Today's episode is titled, From Board Advisor to Board Member, Evolution of the Modern CISO. Security executives like CIOs, CTOs, CISOs, and CSOs have pursued board positions in nonprofits, startups, and established corporations as career toppers. In other words, after they have spent years in the trenches protecting their organization's digital assets, some believe that the culmination of their career is to sit on one or more corporate boards in order to advise other organizations with the hard-won knowledge that they have garnered throughout their career.
Starting point is 00:01:07 In this show, we're going to discuss how to pursue that goal and what to expect along the journey. One programming note, each CyberWire-X special features two segments. In the first part of the show, we will hear from an industry expert on the topic at hand. And in the second part, we will hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, JM Search. And now a message from our sponsor, JM Search. JM Search is a premier retained executive search firm and trusted advisor to CEOs, investors, and boards of directors in recruiting, assessing, and delivering high performance leaders and leadership teams. With a 40 plus year history of excellence,
Starting point is 00:01:58 JM Search clients include private equity firms and portfolio companies, venture capital-backed businesses, and publicly held companies. The firm's cybersecurity practice is a market leader in recruiting top talent into critical leadership roles across the entire cybersecurity ecosystem. Whether it is chief information security officers and their leadership teams, board directors or CEOs and senior executive leaders for cybersecurity products and services companies, JM Search is the go-to partner for sourcing industry-leading executives in the cybersecurity community. For more information about JM Search's executive recruiting services, please visit jmsearch.com slash cybersecurity. That's jmsearch.com slash cybersecurity.
Starting point is 00:02:48 And we thank JM Search for sponsoring our show. To start things off, I've invited Suzanne Vautrinot. Zan to her friends. She is the president of Kilovolt Consulting, a U.S. Air Force Academy grad, and a retired major general of the U.S. Air Force with three decades of experience in space and cyber operations. She presently serves as director on several corporate boards like Wells Fargo, CSX, and Ecolab, just to name three. I can't think of anybody more qualified to talk
Starting point is 00:03:26 about this subject. In this interview, Zan mentions an essay written by Maria Ward Brennan on the website Corporate Secretary. You'll find a link to it in the show notes for this episode. Zan, welcome to the show. Thank you, Rick. It is always, always a pleasure. In the early days, say the 2000s and early 2000 teens with cybersecurity, corporate boards didn't really have a lot of interest in corporate board experience from a security professional. Clearly, there is some acceptance like in your case, but that hasn't been the norm. But with ransomware having a moment right now and President Biden publicly speaking about supply chain risk, do you find that corporate board recruiters are more inclined to seek board
Starting point is 00:04:11 members with that kind of background, that kind of security background? Yeah, so you're asking, is there a greater opportunity for someone with a technology or particularly a security technology background? And the answer is yes. You've got an article that I sent you from a corporate director. Yep. It talks about the change in the way that they're hiring board members. And part of that is a significant increase in what they call non-traditional. So if you think of the traditional board members as being former CEOs, former COOs, former CFOs, there is a significant increase in non-traditionals.
Starting point is 00:04:50 And one of the big areas for non-traditionals is technology background. Some of that is technology because everything needs to move towards digital and you need a better understanding of how to build the enterprise. Part of it is the security issue that you just described and how much a part of risk that is for both reputation and operation of the company. So those skill sets are part of the growing desire by boards to bring in, we call it diversity, but it's diversity of skill. So now board recruiters are seeking people with tech backgrounds, with security backgrounds. How can you make yourself a better choice for those? What else do you need to be considered a good candidate for a board position besides your security or tech background? Let me put it in two places,
Starting point is 00:05:45 what you've done and how you've done it. What you've done should be a level of experience that's both depth and breadth. So if you are just a CISO and you've only done security and you've never managed large numbers of people, you haven't made big budget future strategic budget decisions about how to change the enterprise, if you haven't been at a level that says lots of people, lots of money decisions, strategic risk considerations at the corporate level, then you're probably not a candidate because it's not about the technical knowledge. It's about the full breadth of skill set and applying that technical knowledge to corporate operations. The second area is how you did it. Do you have gravitas within your professional area? Do other professionals in that
Starting point is 00:06:47 area respect your expertise? And have you contributed that expertise broadly? So that might be in universities, as a speaker, as an advisor, beyond a singular company, what's the breadth of your expertise? It might be in government. And that's why you see a lot of folks that were very senior in government with a technical background being selected for boards. So I'm trying to come up with a list of concrete jobs that say that a security executive like a CISO could pursue as they are moving up the corporate ladder to prepare them to be a board member somewhere, you know, at the top of their career. So let me just give you a couple. Would M&A experience, would that be something the board members would want?
Starting point is 00:07:38 Absolutely. Product experience, supply chain experience, HR from the standpoint of knowing how to bring people in and how to do professional development internally. On the flip side of that, knowing when to bring people in internally and make it organic and where to reach and who to reach to for third-party advisory. Having the knowledge of which friend to phone and how to phone a friend across the greater industry, certainly important. So in terms of practicality, you know,
Starting point is 00:08:16 CISOs could get involved and have been involved, right, in M&A transactions. They provide expertise to products, especially if they're a security vendor or a tech vendor. But how about soft skills, like maybe translating cyber risk into general purpose business risk? Does that feed into this? Yeah, I'll make that part of gravitas. If you can't communicate at a senior leadership level, and if you don't know what it means to communicate at a senior leadership level, you know, the strategic as opposed to the tactical, if you will. level and understand what those are and be able to explain them in a way that somebody that didn't grow up in your cylinder of excellence completely comprehends and can
Starting point is 00:09:12 align with other considerations that they've got within the company. So you're exactly right. Do you need to have a formal education in business or can you pick that kind of stuff up by just studying what the CFO is talking about or studying the public papers that the company has to produce? Can you get there by doing it on your own? There's knowing and there's proving. So just like a CISO will have credentials from the technical side, it helps to have credentials from the financial side. So certainly you can learn it or you can demonstrate it by being in the CFO's office and being an advisor from the technical side. But the other
Starting point is 00:09:51 way to do it is take additional courses and have the credentials that you have learned this aspect of business. And is that a business degree or is there some other credential you can get that's more important? I think business classes also work. And with each company, you know, what kinds of things indicate an expertise or a familiarity? So it's something you can discuss with your leadership as you're doing professional development and say, how can I learn this and how can I demonstrate that I have expertise in this area? And they should be able to help you from their company standpoint. Right. Demonstrate to you that I have that experience, right?
Starting point is 00:10:30 That's what, yeah. Exactly. What would prove to you that I have the experience? Not just that I sat in the meetings and was exposed to it, but that I really now have a firm understanding and an ability to then weave it into my Venn diagram of expertise. Is there anything that, let's say a newbie CISO is just kind of, you know, kind of new in the field. Is there something that he or she should be doing right now if they think they might want to be this person, you know, later in their career? Is there stuff they should be doing right now in terms of,
Starting point is 00:11:01 I don't know, education, jobs, tasks, things to do that would help them be more qualified for this? Sure. The first one is internal, and that is volunteer for things outside your comfort zone. If somebody says you're going to be part of internal audit or internal controls or part of an investigation or part of a large strategic exercise, take advantage of those opportunities because you will learn a lot more about the company. If there is a major push to do professional development, running the professional development for the company, either in the tech area or in another area that's important to the company, would be a great move forward because now
Starting point is 00:11:45 you've become part of something that is both breadth and important to that company. You want it to be outside your normal comfort zone because remember what I said at the beginning, it's not just about depth in your area of expertise, it's breadth across a number of different leadership expertise that are important. No one is hired to be on the board of directors that is a one-trick pony. You can't afford to. The board's not big enough to have a whole bunch of in the stable. on that board has a mix of experience, usually four or five key things that make them valuable and make them unique to the company and to the board. So the second thing I would say to do is do some research, particularly on companies that are in the industry that you're interested
Starting point is 00:12:38 in or are the size that you would be appropriate for based on where you're getting your expertise? What's the size of your company? Pull the proxy or the 10K and look very specifically at two things. How do they define their future strategy and where they want to go with the company? Because that's the conversation that you need to be able to have is, can you be relevant to making that kind of a strategic future happen? And if you look at a bunch of them, you'll see some consistency across different companies. If you can position yourself to have all of the expertise to help make that strategy happen, that's important. The second one is look at the type of people that they have on that board and what those skill sets are and where do you stack up kind of looking at the matrix in each of those
Starting point is 00:13:33 skill set areas and across how many blocks can you check that you have skill sets across that matrix. And that's where you want to develop yourself is to make sure that you have the broadest set of blocks you could check in what they're looking for and the greatest depth in specific areas. I think it's important to recognize just like in everything else, how you work with others as you come through your career will matter when you're considered as either an advisory or a board member. If you are a collegial team player, that doesn't mean you agree with everyone all the time, but the way that you have conversations brings others to bring you into a discussion or into a panel or other areas. How you go about doing your job is going to matter as a board member because that reputation will follow you. You can't all of a sudden become strategic and collegial at the end.
Starting point is 00:14:42 How you demonstrate that all the way through your career will come up at the end. And so every day is that test. So there are a number of different types of boards that are out there. And I think my community, my peer community doesn't really understand the difference. There's advisory boards, there's nonprofit boards, there's general purpose corporate boards, and then I'll throw another category out there, you know, Fortune 500 corporate boards. Is there any others that I'm missing there? Let's talk about public boards. And the reason we start with public boards is because the requirements are the most refined and specific because you have to prove to the investors and often to the regulators
Starting point is 00:15:29 and to people that are interested in the company that your board has the right credentials to represent and to make sure that they can protect the company. It's the duty of care, duty of loyalty, duty of obedience kinds of things that they are looking for in all board members. So those credentials become very important externally as well as internally to the board and the management. So that's the set that's probably the most formal. And it's really easy to pick up a proxy, you know, the annual statement for the company as they get ready for their votes, or the 10K, the annual financial report, which also reports on the status of the company overall.
Starting point is 00:16:15 Those will carry a matrix that says, here are all the board members, and here's the area where they have expertise. And that matrix gives you a really strong sense of what was the intentional set of expertise and the diversity of those expertise and even the level, because you can look at the individuals and see the level and the type of expertise they have that made them valuable to a Fortune 500, a Russell 1000, to a public company. On the other end of the spectrum is a senior advisory board. A senior advisory board has no fiduciary responsibility. It is a board that advises either one key individual in the C-suite, in the management side, in perhaps technology or in strategic thinking or in relationships and business development. But it is a specific defined role to advise some part of management on the future of the company. So think of it as a retained consultant. And usually senior advisory boards, you're retained for a year at a time, but it's generally a number of years. So, and there's a wide range of activity for these advisory board positions.
Starting point is 00:17:40 I know I've been on several myself and they range anywhere from being, give us your opinion on our new product roadmap to help us think about the future of the company. Exactly. If you're going to go into a senior advisory board role, really important to look at the contract that you have with them. And it'll usually be two or three pages, and it'll spell out what they're expecting you to do. Unlike a board of directors, the compensation is negotiable for an advisory board. They generally have a standard for a senior advisory board so that there's an equity for all of them, but not always. So it is negotiable for senior advisory and it has to do with level. What's your level as an expert? It also has to do with how much time they need. Is it a couple of hours a month or is it many hours a week?
Starting point is 00:18:33 And it has to do with what they ask of you in terms of not having conflict of interest. If they want you to be exclusive, then that's an entirely different contract and level of compensation than if you are advisory to them and they're just aware of other things that you're doing. And then you just have non-disclosure. And so they just trust you not to disclose across companies. But for an advisory board, that's what you're talking about. Based on what you said, there are the differences between what an advisory board position would be and a public board would be are very wide. When executive board recruiters are looking for new members, does being on an advisory board help? Does that give you extra points because you've had that experience or does it not matter that much?
Starting point is 00:19:19 In my experience, it doesn't matter, although it may be part of your resume that shows a level of expertise or a level of interface. So, for example, as part of an advisory board, you were talking to board members frequently, which is not generally the case. Usually you're talking to somebody very senior in management, but if you were talking to the CEO frequently as a result of that senior advisory, or if you were talking to congressional representation, or if you were speaking to international counterparts with management or on behalf of management, that would become part of your resume. But the fact that you're on a senior advisory board is not a credential. For a board of directors, the compensation is set and made public if it's a public board. And it's the same for everyone. It doesn't change that often. At best, every two or three years, it might change a little bit. And it's usually about half is going to be a cash retainer and about half is going to be equity. Occasionally, there are also meeting fees or stock options, but generally it's those first two categories and it's preset.
Starting point is 00:20:34 I hate to get into details like this, but it's also the perks of travel and all that kind of stuff that they mandate because you have to go to meetings and things. They cover all that stuff. Is that right? Yes, exactly. So all of your expenses in both cases for senior advisory and for board of directors, the expenses are covered and how you travel and how they'll reimburse and all those kinds of things, what level they'll reimburse to, you know, is it economy or first class and do they dictate which hotel you stay at or is it up to you where you stay? Do they provide a car or do you get a rental car? All of those things are kind of preordained so that
Starting point is 00:21:11 there's consistency with everybody. This is all fantastic, Zan. I really appreciate you coming on the show and thanks for doing it. I can't wait to come up with the next topic so I can bring you on sooner. It's always a pleasure and I hope that this helps you create some more great board members because board, we need a lot of them that have technical background and the ability to apply it to strategy. Next up is my conversation with Jamey Cummings from JM Search, our show sponsor. He most recently co-led the cybersecurity practice at the largest global executive search firm for nearly a decade. And today he's a partner at JM Search.
Starting point is 00:21:51 And as you can imagine, he's talked to a lot of CISOs, CSOs, and CIOs in his career. I asked him the same question I asked Zan. Was it his experience that these kinds of security executives are seeking to obtain some sort of corporate board position somewhere down their career path as kind of a pinnacle to their career? I have had the pleasure of speaking with a lot of heads of information security and technology. And I have found over the last, in particular, the last several years, an increase in the number of those professionals who want to do that absolutely as a bit of a pinnacle of their career. There's a little bit, I think, of
Starting point is 00:22:30 contributing and giving back as well. And that's another way as they start thinking about, rather than going and rinsing and repeating and building another cybersecurity program somewhere else, it's a way to continue to be active and engaged in a meaningful way without sitting in the seat on a full-time basis. So definitely something of a high level of interest across the CISO and the CIO community. I also expect it's something like a bit of a respect toward the security professional, because for many, many years, security executives weren't really thought of that highly by corporate boards. But is that it too? Because I know that's one of my feelings about this is that if you get to a corporate seat,
Starting point is 00:23:10 that's the industry saying, yeah, you kind of made it to the top of the pile there. Yeah, I do think it is a little bit of coming of age of, hey, we finally have arrived and got in that real seat at the table. And I think that CIOs and CISOs, both overall as a community, I feel like they have to consistently earn that right to get that seat at the table. And increasingly, a lot of them have been able to do that. Being on a board is a bit of that culmination
Starting point is 00:23:39 or affirmation that, hey, you're not just a token technology or security person that will break glass in case something drastic or important happens. You're actually part of the fabric of the strategy of the organization. And being on the board, that is the expectation. And I think there is an indication that, yeah, I've actually proven myself as someone who can be part of the C-suite. So let's do some mechanics here and talk about the different kinds of boards because they're not all the same in terms of the amount of work you have to do and
Starting point is 00:24:11 the amount of compensation you might get for being on it. So there's advisory boards, non-profit boards, traditional corporate boards, and I'll even throw a special category on Fortune 500 corporate boards because, you know, those are the big dogs. But can you explain what those are and what the difference is for if somebody got on some of those? What do CISOs need to think about there? We'll start with the last one, the Fortune 500 in particular, those publicly traded boards. High level visibility. There's a lot of fiduciary responsibility.
Starting point is 00:24:43 And I think it's one of those things that you would talk to any board director. It sounds great, but certainly something you want to be aware of as much as you can, what you're really getting into. There's actually some boards in the past where there was some sort of incident and they were targeted by investors. So you can put yourself out there from a fiduciary and liability perspective if you're not really very careful about it. So I think there's that, which is different than going on a nonprofit or a private board. So there's that level of scrutiny is the way I would guess I would boil it down to. And the other thing about those boards is that the level of commitment you're making, not only on the fiduciary responsibility side of things, but also from your time commitment, I don't want to be flipping about it, but it's not like you just show up for a couple hours of meetings and a dinner every quarter. There's a lot of time
Starting point is 00:25:34 investment that you need to put into it. And you commit to those board meetings as far as a year out. And unless you're incapacitated, you will be at those board meetings and you will be carrying out your duty because there is this, I think a sense of duty of care and value that you have for the shareholders where you're really signing up for a lot and you definitely should not take that lightly.
Starting point is 00:26:02 And I think the advisory or nonprofit boards, those tend to be a little bit more of, I'll call it a labor of love. There's certainly not a compensatory aspect of that you're going to get typically. In fact, quite the opposite. There'll be often on a nonprofit in particular, the expectation of a give and or get aspect of that. But I think what's interesting is one way that those can potentially tie in together is that it's not unusual to start with a, whether a private or a nonprofit board to learn some of the mechanics of being on a board and interacting with others and what it entails. And by virtue of that, you've demonstrated your ability to be above and beyond an operational executive and take on a little bit more of that bigger picture advisory type role. But at the end
Starting point is 00:26:53 of the day, getting on a board, they don't always go to an executive search firm. They're often the executive search committee themselves, word of mouth. And if you happen to sit on a non-profit board with someone who's on a Fortune 500 board and they have a good impression of you, well, then that might be a way for you to get exposure and the opportunity to sit on a bigger board. So there is a little bit of that potential connective tissue there. So just like finding regular jobs in the security community, like CISOs and CIOs and things, it's mostly about who you know. It can be that way, certainly. Not all board searches are conducted the same way, but if it's a thorough search, they're looking at a large and
Starting point is 00:27:34 broad slate of candidates. Get an invitation to the party is one thing. At that point, then there are many, many factors that go into play into who gets the role. But I think it varies across different boards, especially with private boards. Sometimes it's more who you know networking. But there are some processes that are very thorough and structured where who you know is less important than the criteria by which they're selecting the candidates. Back to something you said before, there's a big difference between a Fortune 500 board and a public board versus a startup board. When people are reaching out to you to join a startup board, that means the compensation is probably not there up front. What you're really doing is making a bet that your startup is going to make it big somewhere down the line. So that's you knowing that before you get involved in it. And the time you have to commit to that
Starting point is 00:28:29 might be extreme. So can you talk about that a little bit? You're absolutely right. It is a different model. And in fact, it could be a different model even on the full operational executive side. There's a difference between being public and startup or early stage. It's the total potential compensation over multiple years could be similar, but the nature and timing of those cash flows is certainly different. So yes, absolutely. It's once again, maybe a little bit of labor of love. I think some people join these startup or early stage boards, probably because they're passionate about it. They really enjoy it. They like working with entrepreneurs, contributing actually to the cybersecurity industry
Starting point is 00:29:10 from a technology perspective. And I think at the end of the day, while it's nice that there is a potential upside from a wealth creation opportunity, I don't sense in speaking with a lot of CISOs and CIOs that that is their primary driver of sitting on a board like that, but it is a nice benefit that they can potentially achieve out of that if things go well. Yeah. So I think people should realize that like you said, it should be a labor of love because if you don't believe in the product,
Starting point is 00:29:43 it'd be hard to dedicate that much time to it if you don't really love what they're trying to do. So make sure you know that going in, right? That's what you're saying. I would agree. I personally have not sat on either type of board. I'd love to do that someday myself as well. But if you are with a startup, there's probably a lot more hands-on care and feeding and maybe less rigor and structure around the timing and the structure of the board meetings. You're right, very much depending upon to what extent you're involved could take a lot more of your time and energy than you anticipate. So I think that's something you want to be really thoughtful about going into it, the extent to which you want to be hands-on and involved in what you're going to get out of it. Most of the security executives I talk to find it
Starting point is 00:30:30 easier to get on an advisory board, and they think that having that experience will make them more palatable to board recruiters, let's say, down the line. Is that a true thought? If you volunteer for an advisory board or a nonprofit board, people will look favorably on you down the line for a big corporate board job? My view is it can't hurt, but advisory boards... Not a prerequisite. No, I would agree. No, I think... Now, if you're on a private board or a startup board or something like that, or even nonprofit where there is something a little bit closer to a fiduciary responsibility as opposed to just providing some advice, I think that gets you closer where you actually need to show up and you need to bring a lot to the table as far as understanding the business, providing high-level advisory guidance. An advisory board, it doesn't seem like as high as a bar of actually being on a board where you're selected. And so advisory boards, I think, are nice, but other boards like nonprofit or actual seat on the board of a private company would, I think, stand out a lot more than just advisory boards.
Starting point is 00:31:46 Traditionally, corporate boards have never really sought out security executives. But with nation states really stepping up their game these past five years or so, are they actually seeking out security executives to fill those board positions or is it more of the same? We're seeing some of it. Not to the extent I think we would have expected. But the way I would describe it is cybersecurity expertise amongst the many, many criteria that board directors are being considered against is moving up the list. And by virtue of that, some security professionals who also bring a lot of other things to the table are getting more opportunities than they would have in the past. But what I think you're not seeing very much of is someone saying, we want a CISO because boards have multiple ways that they could
Starting point is 00:32:38 become much more knowledgeable of cybersecurity and to help them work with the executive teams, by the way, they're not operational, they're advisory, to develop mitigation strategies and plans to include into the entire enterprise risk management framework. But being a CISO is one amongst many considerations, and you need to bring a lot more to the table to be considered for a board. And that's what we've seen pretty consistently: for those CISOs that sit on boards, there's a broader skill set that is valued by the board. So let's talk about some of those, all right? What are some of the prerequisites that CISOs need in order to even be considered for these kinds of board positions? Probably best encapsulated as being seen as a credible senior business executive
Starting point is 00:33:34 who, oh, by the way, happens to be knowledgeable and facile in the area of information security. Someone who can work with the other board members and help them articulate and understand how cybersecurity fits into the broader business and enterprise risk framework that they need to consider as a board. So someone who could do that. And in order to be able to do that, it's consistently operating at a senior executive level within the organization, ideally someone who is involved in higher level strategic parts of the and able to convey their messages in a way to senior non-security technology executives that can be understood in a risk framework, that is the first and foremost how CISOs need to differentiate themselves to be considered. If I was going to offer advice to some young CISO out there, first thing I would tell them is have a discussion with
Starting point is 00:34:45 their boss. Their goal is to be on a board somewhere and that they have to do a certain amount of things for even to be considered. So like you said, at some point they need to be a senior vice president for the company because you probably won't even get looked at if you don't have that in your title. And you need to be on the senior staff or the executive staff for the company as a contributing member, not just someone who shows up at meetings and briefs, but you're part of the inner circle. So you got to talk to your boss about how do you get put into that. And that's a tough situation to break into. I've been in lots of companies and the executive staff is a pretty close-knit group.
Starting point is 00:35:25 That's a pretty big task. I don't know if you have any recommendations about that. I would say that right, wrong, or indifferent, the other board members are going to look at you through that lens. To what extent are you a legitimate member of the executive leadership team, whether you're officially an officer of the company or not. And you and I both know, Rick, we've been seeing an evolution over time of CISO reporting structures. And even if they don't directly report into the CEO or chief risk officer or otherwise, there is this dotted line or other direct line of communications with often the audit committee, for example. So the more that you as a CISO can have those sorts of either direct or indirect reporting relationships and have regular consistent communications with board members and senior
Starting point is 00:36:19 executives on topics well beyond information security, absolutely. Now, unfortunately for some people, the structure of the organization is such that it's going to be tougher to do that. But if you were able to do that within your current organization, or as you consider other places you might go in the future, that would be a criterion
Starting point is 00:36:40 by which you want to look at that opportunity to consider, hey, does this position me not only for the next operational challenge and opportunity to expand my skillset, but does it set me up beyond that to get more interaction at the board level and be a better potential candidate to sit on the board myself? So this is a long-range plan. You're not going to jump into this kind of situation tomorrow after you heard this podcast. This is a five- to 10-year roadmap for you to get there.
Starting point is 00:37:09 So my recommendation is to talk to your boss about how you can have these kinds of positions. And if you can't, because of whatever reason, politics or whatever, the next security job you get, that should be part of the negotiation. That's what you're trying to get to, so you can be a board member down the road and have that as part of your repertoire. I think also we've talked in the past, Jamey, that experience in M&A activity would be useful. Experience in managing products would also be useful. Do you agree with both of those? Yes. I would say the broader set of
Starting point is 00:37:45 experiences you bring to the table, so much the better. The more you can demonstrate that you're not a one-trick security pony, absolutely. And something else that's been coming up a lot more lately is even if there is not a, once again, an official reporting structure, we have clients very consistently asking, to what extent has this executive briefed the board of directors, how regularly, and in what context, and what are the topics? So you're saying that CISOs should take advantage of this opportunity. If they think they want to be on a board somewhere down the line, and they haven't yet briefed the board as part of their current job, this latest epidemic of ransomware might be a way for them to improve their resume by getting a chance to get in front of their own board. The ramp up in ransomware and boards, you talk to a lot of CISOs,
Starting point is 00:38:48 they would quite frankly say a lot of boards are freaking out by virtue of that. That actually has opened up the opportunity for more CISOs to have more frequent communications with the board. So hopefully that's something that will open the door for more of the CIO and CISO community to be able to do that. So you avoid a little bit of that chicken and egg. Absolutely. But getting back to the other question around M&A and product, especially if you look at M&A, cybersecurity is increasingly an important aspect of whether it's evaluating vendors or evaluating M&A targets.
Starting point is 00:39:19 Is to what extent is there a risk and liability we're going to inherit by acquiring this company. But by virtue of being part of those conversations, you're going to be shoulder to shoulder with some of the other deal folks and business people are talking about things well beyond cybersecurity. And so that's another way you can demonstrate your business acumen is through things like M&A, evaluating products. So all those things, if you have the opportunity as a CISO, that they just do make you more well-rounded and position you to be a better potential candidate, for sure. Those are experiences that you should be seeking in order to be valuable for these kind of board positions. But like you said before, there's other skill sets that you probably need
Starting point is 00:40:02 to be working on. You talked about being able to translate a cyber risk into business impact. Can you think of any other skill sets that a security executive should be thinking about? Yeah, I think, well, this is something that just in order to be a good CISO is important and consistent is, I would say, relationship building and communications. That's how you're going to build trust and credibility. That's going to enable you not only to be more effective in your full-time day job, but if people see you as a trusted advisor, understands their needs and their priorities and their challenges, that that's going to open up more doors for you to be able to have
Starting point is 00:40:43 people say, I'm comfortable with this. So communicating to the board on a frequent basis because he or she is actually quite articulate and can translate a message into something that is consumable by a non-technical audience. Those are key skill sets to be in a full-time role as well as to position yourself to be, I think, a board director. The other skill set that hardly gets mentioned in the cybersecurity venues that we like to hang out in is your ability to understand the corporate finance bottom line. And what I mean by that is if you don't understand what the CEO and the CFO are talking about at the quarterly analyst call, pick your favorite company. You don't have the skills to be a board member. You have to understand the finance at a very deep level and not just
Starting point is 00:41:30 understand it, but being able to make suggestions to how to improve the bottom line. Do you see that as a skill set they need too? Absolutely. That ties into the overall business acumen. Now, I don't think anytime soon the CISOs are going to be the ones that are chairing any audit committees or anything like that. But absolutely, you need to be able to speak the language of business, and finance is obviously a significant part of that. In fact, I've even spoken with a couple of CISOs that they didn't go out and get an additional degree in finance or anything, but whether through NACD or other organizations, taking some basic business finance is absolutely a tool that will help you once you get on a board, certainly, but in preparation for that, whether it's taking a class or interacting very closely with your counterparts in finance within your organization so you're more facile with the ins and outs of corporate finance,
Starting point is 00:42:24 absolutely. If you are illiterate in corporate finance, that's not going to position you well to sit on a board. I came up from the technical ranks and had to learn business on my own. I think that the modern day CISO, the kids coming out of schools these days, will be business people first and security executive second as part of their corporate function. That's kind of the way I see it going. Yeah, I mean, I think both security and technology leaders, whether it's searching for a board or even for a full-time position, that is really the mantra is a business executive who happens to be quite facile in the areas of technology and security. Let me change gears a little bit here.
Starting point is 00:43:05 In terms of social media, what can security executives do now to improve their chances of getting on a board seat? Can they shape their desirability from board members, okay, by having a social media presence? I'm talking about presentation videos on YouTube or just having a Twitter presence. Anything like that helpful here? I think it certainly can't hurt as long as it demonstrates the breadth of your capabilities and what you bring to the table. So certainly if you're going to be a CISO considered for a board, having a certain level of cybersecurity expertise is going to be table stakes. But I think the more you could demonstrate on your LinkedIn or whatever social media,
Starting point is 00:43:48 LinkedIn is often the most appropriate and most used from a professional perspective, would be to demonstrate not only the boards that you've been on, but what have you done on those boards? How have you demonstrated your abilities that go well beyond cybersecurity? So if I were to enhance my social media to position myself, I would focus on how I accentuate my non-cybersecurity credentials ideally. Exactly. So instead of writing about, you know, the malware tool that Panda Bear used, you flip the conversation around about how does the new adversary campaign impact the business and why? So change that focus so that you can demonstrate that you are a business technical leader and not just a techie that likes techie things. Absolutely.
Starting point is 00:44:38 And I think another theme here, too, overall with boards, regardless of your function. And I think this is particularly important for CISOs who tend to be operational problem solvers. They want to dig in and fix things. As a board member, you are not there to be operational. You are there to take a much higher level view and be an advisor. So the more you can demonstrate, once again, I think you raise a good point. Not just talking about the latest malware, but bigger picture, what are the implications for an organization
Starting point is 00:45:12 or an industry or otherwise for the things that are happening and what do you do about it is going to be way more valuable to show that you can think and operate at that senior level and avoid the tendency to dig into the details from an operational perspective. So how can you and JM Search help CISOs who want to pursue this path find what they are looking for?
Starting point is 00:45:38 How does JM Search enter the equation here? We are very active in the market in working with clients to recruit CISOs into roles at a wide variety of companies across industries, but we also are active in recruiting board members. Recently, we're actually doing a search where we did, in fact, have a client that was looking for someone who brought a lot of things to the table, e-commerce business acumen, but also a good amount of cybersecurity expertise. So how we can help is not only it's good to be on our radar as a prospective candidate for any searches that we may have, but I always enjoy conversations with CISOs who are just thinking about their own career progression and how they position themselves. So I'm always open to have that conversation, even outside the context of a specific formal executive search that we might be conducting. And my colleagues on my team are the same way.
Starting point is 00:46:35 That's all good stuff, Jamey. Thanks for coming on the show to discuss this topic. Jamey is a partner at JM Search, an executive recruiting firm. Thanks for being on the show. Rick, thank you for your time. This is, I think, a really important and current topic. And hopefully the community out there will find this to be valuable. We'd like to thank Zan Vautrinot, our own CyberWire hash table subject matter expert, and JM Search's Jamey Cummings for joining us. CyberWire X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben.
Starting point is 00:47:21 Our executive producer is Peter Kilpe. And I'm Rick Howard. Thanks for listening.