Every board I talk to is deeply concerned about cybersecurity and most are actively looking to bring security expertise to the table.
They claim that they just can’t seem to find people with the right experience and an interest in serving as a director. Yet a great number of cybersecurity professionals, when they hear of my interest in governance and my experience serving on boards, share with me that they would love to volunteer for a board position, give back to their community, expand their network and most importantly, experience the opportunity to learn.
So, what’s going on here and what can be done to close this gap? I have given plenty of advice to boards on how I think this problem can be addressed. Here are some ideas on why and how you, as a security professional, should get yourself on a board of directors.
Most of what I read about cybersecurity and the board is just a remix of the same two stories. First, that boards should be taking this seriously — which they are — and second, generalities about how CISOs should best communicate to the board, which they continue to struggle with.
The reason I think these two stories keep being retold is that we as an industry are trying to engage boards on the topic of cybersecurity from the outside looking in but with little experience of what they do, how they function or what is important to them.
The best solution to this dilemma is therefore to have cybersecurity professionals join them and learn. There is nothing more instructive on how and what to communicate to a board than having the opportunity to sit on the other side of the table and experience listening to it.
Every month, an average board member is expected to attend at least two committee meetings and the board meeting itself. Each meeting is accompanied by a huge agenda package of reading, including hundreds of pages of documentation on financial details, production numbers, safety items, labour negotiations, staffing challenges, and building and facilities concerns.
Buried somewhere in all that reading is the cybersecurity report. If you have ever wondered why they don’t understand cybersecurity, it is likely because you are not making it easy for them to learn, let alone internalize all the information you are providing them.
While it’s unlikely you will have the opportunity to sit on the board of your own company, even if you are the CISO, I recommend that you find an organization that you have a personal connection to, such as a charity, the college or university you graduated from, your local hospital, museum, kids’ sports league or a service club. Almost every organization you interact with has a board of directors and this is a great place to start.
Sitting on a board for an organization you care about will create a safe place for you to learn how to be a board member. It is an opportunity to ask questions, make mistakes and build not only your skills in governance, but also your competence and confidence as a director.
An easy first step is reaching out to a contact you have at one of these organizations to introduce you to a member of the board, or the board chair. A short conversation over coffee or by phone will likely be enough to start the process of discovering if there is a fit and how you can best make a contribution.
Perhaps it is starting on a board committee as a community member to gain experience with the organization. This is also a great opportunity to demonstrate your consistency and commitment, which will be an important factor in whether you are asked to join the board itself.
The other thing you can do to better prepare and improve your chances of becoming a director is to do some homework. There are plenty of books available for sale or at your local library on the basics of governance and how boards operate. Another option is taking a course for aspiring or new directors provided by organizations such as the Institute of Corporate Directors. Doing so will make you a more attractive candidate for an open board position and better prepare you for success as a director. It will also provide valuable insights into how best to work with and communicate to your own board.
When you do take the leap and finally become a board member, the most important step you can take is to help others in the security industry to follow in your footsteps — with introductions, advice and mentorship!
Kevin Magee is the chief security officer at Microsoft Canada (microsoft.ca).