CISOs: More Than A One Trick Pony

Helen Patton
5 min read · Jun 18, 2023
[Image: two ponies standing near a fence. Photo by Chris Liverani on Unsplash]

In preparation for new SEC rules requiring cybersecurity expertise on public boards of directors, there have been a number of articles (like this one) lamenting that few CISOs have the executive experience or advanced degrees to serve as Directors. The prevailing sentiment is that CISOs are spending too much time in the technical weeds. They have turned their backs on executive education (or, for that matter, any formal advanced degrees) and are simply not well enough versed in understanding the business to be seriously considered as board candidates.

The report that Artico and IANS created serves as the basis for much of this noise, and it’s a report worth reading. They have identified factors that make CISOs “Board-ready” using existing CISOs who serve on boards as a baseline model, then evaluated CISOs on the Russell 1000 against this standard. Through this lens, the data speaks for itself — there are lots of gaps that will need to be filled in order to have a pool of board-ready CISO candidates. No argument from me.

And Yet…

Underlying this entire line of thinking is an assumption that CISOs exist only in a singular “technology” role. The perspective of those who see CISOs as “one trick ponies” is that cybersecurity is fundamentally about tools and technology architecture.

Take the report recommendation of new skills that CISOs must have in order to serve on boards:

As board directors, CISOs must be capable of providing governance guidance; standing their ground alongside business executives; and demonstrating proficiency in influence, persuasion, empathy, relationship management, active listening and clarity of messaging

Any CISO would tell you that their core job is “providing governance guidance, standing their ground alongside business executives; and demonstrating proficiency in influence, persuasion, empathy, relationship management, active listening and clarity of messaging.” This isn’t something new they must learn in order to serve on a board, this is something they hone every single day AS A CISO.

Or this item:

Directors with cross-functional experience are better equipped to engage in holistic, strategic board-level discussions because they think about the business…


Helen Patton

Cyber Security, Technology Ethics, and Humanity. What else? I can be found at CISOHelen.com or on Twitter @CisoHelen or on Mastodon @cisohelen@infosec.exchange