CISOs: More Than A One Trick Pony

Helen Patton
Jun 18, 2023

In preparation for new SEC rules requiring cybersecurity expertise on public boards of directors, there have been a number of articles (like this one) lamenting that few CISOs have the executive experience or advanced degrees to serve as Directors. The prevailing sentiment is that CISOs are spending too much time in the technical weeds. They have turned their backs on executive education (or, for that matter, any formal advanced degrees) and are simply not well enough versed in the business to be seriously considered as board candidates.

The report that Artico and IANS created serves as the basis for much of this noise, and it’s a report worth reading. They have identified factors that make CISOs “Board-ready” using existing CISOs who serve on boards as a baseline model, then evaluated CISOs on the Russell 1000 against this standard. Through this lens, the data speaks for itself — there are lots of gaps that will need to be filled in order to have a pool of board-ready CISO candidates. No argument from me.

And Yet…

Underlying this entire line of thinking is an assumption that CISOs exist only in a singular “technology” role. The perspective of those who see CISOs as “one trick ponies” is that cybersecurity is fundamentally about tools and technology architecture.

Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange