Why more cyber professionals should join company boards

In the ever-evolving landscape of cybersecurity, the stakes have never been higher.

New and emerging threats and threat-actors continue to loom large — opportunistically and intentionally targeting organizations, both public and private. This situation leaves many cybersecurity professionals feeling distressed and burnt-out and the leaders of organizations feeling overwhelmed and unequipped to effectively and securely lead.

Both groups share these feelings and challenges with me daily. A key aspect of my work is to encourage and facilitate their collaboration for more effective problem-solving, but it often seems to me that we need to do something more systemic and less transactional to really enable and empower change.

A few months ago, after I delivered a keynote on the importance of cyber-risk governance, an audience member asked a question that helped me identify the disconnection that creates so many of these challenges for us all. I had just discussed how strategic business decisions often create vulnerabilities that can be exploited throughout business processes and communications, which then rely on the tech stack to solve.

The question addressed this directly and resonated deeply: “If you could do something within your power to significantly improve the security posture for all Canadian organizations, what would you do?”

I thought about the enormity of the problem and how best to systemically create positive change. My immediate response was: “I would help every cybersecurity professional in this room get appointed to a board of directors.”

Imagine the potential impact and profound transformative effect on Canada’s cybersecurity posture if we were to embark on a mission to appoint a cybersecurity professional to the boards of 100, 500, 1,000, or perhaps even every organization?

From local art galleries and museums to emerging start-ups, community colleges, major health-care systems, utilities, retailers, transportation, mining, manufacturing, and insurance firms, such an initiative would not only cultivate a security-centric mindset within the strategic decisions of these entities but also promote a mutual exchange of knowledge between cybersecurity experts and organizational leaders.

I have seen first-hand that when cybersecurity professionals take their seats at the boardroom table, they infuse strategic decisions with a security-centric mindset. No longer relegated to the IT report, cybersecurity becomes an integral part of organizational strategy. Risk assessments, incident response plans, and threat mitigation strategies are no longer afterthoughts or stand alone and apart — they are woven into the fabric of decision-making.

With a cybersecurity professional at the table, board members gain a deeper understanding of cyber threats, vulnerabilities and best practices. Simultaneously, cybersecurity professionals learn about business operations, financial considerations and the delicate balance between risk and reward. This symbiotic relationship fosters informed decision-making and ensures that security considerations are not sacrificed for short-term gains.

As cybersecurity professionals gain governance experience, they can also ascend to more prominent boards. Their expertise can extend beyond firewalls and encryption protocols; they can become adept at navigating complex regulatory landscapes, managing stakeholder expectations, and aligning security initiatives with organizational goals. These newly seasoned cyber-risk governance professionals can then serve as champions, guiding organizations toward robust security practices.

Imagine a cybersecurity professional is appointed to the board of a regional utility company. Their insights lead to enhanced threat detection mechanisms, secure infrastructure upgrades, and proactive risk management. As they gain experience, they move on to larger boards, perhaps a national retailer or a major health-care system. Simultaneously, fresh talent steps into their previous role, benefiting from mentorship and exposure to high-level decision-making.

Cumulatively and over time, this endeavour could markedly strengthen Canada’s defences against cyber-threats. Each boardroom appointment contributes to a collective shield, a network of vigilant cybersecurity professionals working alongside of their business leadership peers safeguarding critical infrastructure, sensitive data and citizen privacy. As we bridge the gap between cybersecurity and governance, we help pave the way for a more secure Canada.

Stepping into a boardroom, even if just to present the quarterly CISO report, provides a decisive opportunity to advocate for stronger cybersecurity representation. It’s a chance to elevate executive cyber-literacy and cyber-risk informed decisions. The most effective pathway to mastering this advocacy is by gaining experience on a board yourself.

I am dedicated to empowering as many cybersecurity professionals as possible to transition from the technical confines of the server room to the strategic expanse of the boardroom. By each of us committing to encourage and mentor others on this journey, we can weave a network of success and resilience that stretches across Canada, one director’s seat at a time

Kevin Magee is chief security and compliance officer at Microsoft Canada (www.microsoft.ca).