The vital role the CISO has to play in the boardroom

"As the collective business sector starts to awaken to the size and scale of the risk, the battle for exceptional CISOs will be fierce..."

The boardroom has a skills shortage – and it’s in the shape of exceptional CISOs.

The cyber skills shortage is rapidly becoming a significant and business critical issue. Cybersecurity is increasingly being regulated by U.S and EU legislators including the Securities and Exchange Commission cyber ruling (July 2023) and the European Commission’s Network and Infrastructure 2 (EU NIS 2) and the Digital Operational Resilience Act (DORA) (January 2023).

These pieces of legislation enforce compliance requirements for boards to demonstrate their oversight, assurance and management of cybersecurity risks, requiring boards to seek guidance from, amongst others, their Chief Information Security Officer (CISO), writes Rebecca Hopkinson, head of cybersecurity practice at executive search firm Howgate Sable.

However, the combination of technical skill and boardroom aptitude is hard to find. As head of the cybersecurity practice at executive search firm Howgate Sable, I work with large businesses seeking to fill prestigious C-Suite security roles, but many struggle to attract the premium candidates – and I’ve seen many a skilled security officer fail to secure those top-level jobs because of the broader skills needed to thrive in a boardroom.

Success as a CISO is about more than being an exceptional security expert. It also requires leadership, change management and an ability to develop quality trusted relationships.

Why boards are becoming more aware of the CISO role

Cybersecurity is a growing concern among businesses of varying sectors. A rapidly changing threat landscape, poor levels of cybersecurity risk management and the adoption of cyber regulation means that businesses of all sizes, sectors and locations should understand that they are potential victims of cyber-attacks, need to manage their cyber maturity and be clear as to the impact of cyber regulations on themselves and their third party suppliers.

As the latest SEC ruling regarding business’ obligations to disclose material cyber risk and material cyber incidents comes into force, it will increase the number of businesses that will be looking for exceptional talent required to assess, manage and report on their cybersecurity risks and incidents.

See: Tough new SEC cyber disclosure rules leave kicking and screaming in their wake

It’s a CISOs market – so what steps can individuals take to make themselves indispensable to a board?

1. Learn to communicate effectively

Cybersecurity risk management and information governance are complex and gritty subjects which can be hard to follow for the uninitiated. Boardrooms aren’t the place for the ins and outs of the issue at hand. Learning to communicate effectively is possibly the single most important skill for aspiring and ambitious CISOs. Throughout history, great leaders have demonstrated an excellent ability to communicate, bringing people on a journey with them and gathering support along the way.

This is not about dumbing down or glossing over the important parts. Rather, it’s about honing a fundamental business skill: being able to make a compelling argument clearly and concisely. You need to be able to translate critical cybersecurity information into business objectives.

See also: Hiring a CISO (or want to be one?) Know you this…

Cybersecurity risk management is a regulated requirement.  Board directors, officers and senior management can be held liable for the decisions they make around cybersecurity risks and incidents.  Clear and effective communication is critical in supporting organisations to make the right decisions that could be later relied upon to protect its people.

2. Stay ahead of the curve

Developments are happening at pace, from the SEC to the European Union’s cybersecurity regulatory framework. Being ahead of the curve is important – it gives the business the cutting edge and helps front-foot a preparedness response. CISOs need to be immersed in the wider developments and have a clear view of where things are heading.

Join peers following The Stack on LinkedIn

Cybersecurity is changing, where once it was focused on managing security through controls, it’s now evolving to an enterprise-wide risk focused capability, where cyber risk management must be demonstrated.

3. Be clear about the role’s requirements

Being a CISO is an increasingly risky business. CISOs place themselves at considerable personal risk and must, therefore, be very clear about what is required to enable them to do their job properly. For their own protection, a good CISO will take a non-negotiable approach to the basic requirements they need to be able to deliver their role.

CISOs need to understand their role, the role of cyber security risk management and the intersection between corporate enterprise-wide risk and cyber risks, or they face putting themselves at a heightened risk of prosecution.

4. Use the right tools and standards

As cyber develops into a risk management capability, CISOs are increasingly required to provide input into the organisation’s risk register while maintaining their own cybersecurity risk register. CISOs are responsible for managing the cyber security programme, mitigating cybersecurity risks.

They must have a clear understanding of the tools and apply the appropriate standards to manage cyber risk.

5. Keep learning – and demonstrate the depth of your knowledge

Boards require their CISOs to be experts. It’s imperative that you keep pace with developments and show (rather than tell) that you’re an expert. Importantly, as cyber becomes regulated CISOs are being held as the corporate expert, they are being opened up to legal challenge. CISOs have to demonstrate that the decisions they made on behalf of their organisation can withstand legal challenge today or in the future.

The CISO role is an exciting one and the opportunity for skilled cybersecurity experts to climb the career ladder to unlock new and fulfilling positions is vast. In my experience, few companies have been ahead of the curve in sourcing talented CISOs and, as the collective business sector starts to awaken to the size and scale of the risk, the battle for exceptional CISOs will be fierce.

Shell appoints former CISO as new Group CIO