CISOs: More Than A One Trick Pony

Helen Patton
5 min readJun 18, 2023
Two ponies standing near a fence
Photo by Chris Liverani on Unsplash

In preparation for new SEC rules requiring cybersecurity expertise on public boards of directors, there has been a number of articles (like this one) lamenting that few CISOs have the executive experience or advanced degrees to serve as Directors. The prevailing sentiment is that CISOs are spending too much time in the technical weeds. They have turned their backs on executive education (or, for that matter, any formal advanced degrees) and are simply not well-enough-versed in understanding the business to be seriously considered as a board candidate.

The report that Artico and IANS created serves as the basis for much of this noise, and it’s a report worth reading. They have identified factors that make CISOs “Board-ready” using existing CISOs who serve on boards as a baseline model, then evaluated CISOs on the Russell 1000 against this standard. Through this lens, the data speaks for itself — there are lots of gaps that will need to be filled in order to have a pool of board-ready CISO candidates. No argument from me.

And Yet…

Underlying this entire line of thinking is an assumption that CISOs exist only in a singular “technology” role. The perspective of those who see CISOs as “one trick ponies” is that cybersecurity is fundamentally about tools and technology architecture.

--

--

Helen Patton
Helen Patton

Written by Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange