Cyber Chiefs Seeking Board Seats Have Their Work Cut Out for Them
Summary
- ‘The typical CISO is still caught up in the technology milieu,’ says recruiter Steven Martano
Cyber chiefs who want to serve on corporate boards are filling out their résumés with directorship training and stints on advisory boards. Such moves probably aren’t enough.
The Securities and Exchange Commission’s proposed rules for cybersecurity oversight call for companies to provide details about the cyber expertise of their boards. Chief information security officers might assume their skills will make them prime candidates, but they often lack the broad business experience and advanced degrees commonly sought in directors, recruiters and analysts say.
Those who check these boxes will be in demand, but other CISOs will find ordinary education and professional knowledge likely won’t land them board seats, said Steven Martano, a partner at Artico Search, a recruiting firm that specializes in cybersecurity.
“The typical CISO is still caught up in the technology milieu,” Martano said.
Among CISOs at companies in the Russell 1000 index, 32% have professional experience in roles outside of cybersecurity, according to a study out Tuesday from Artico and cybersecurity advisory organizations IANS Research and the CAP Group. In education, 38% of these CISOs have an advanced degree in technology, engineering, business or law, the researchers found.
“It’s rare for a board to take anyone on as a one-trick pony,” said Brian Walker, CAP Group chief executive.
Even at cybersecurity companies, competition for board roles can be fierce. Data-analytics company Sumo Logic interviewed about 50 people when it was looking for a cyber expert for its board last year, said George Gerchow, chief security officer. “We wanted a CISO who also had cross-functional expertise,” he said. “It was a struggle.”
The company in November named Timothy Youngblood, who until this month was chief security officer at T-Mobile US. Youngblood left Sumo Logic’s board in May as the company went private.
“He brought the perspective of wide external experience,” said Gerchow, who is also Sumo Logic’s senior vice president of information technology and a faculty member at IANS Research.
Courses from director-training organizations can improve a cyber executive’s knowledge of business and law, but there are no widely agreed standards for these programs, Walker said. “Some require quite a number of hours and a difficult test. Some are half-day meetings,” he said. “The market is very, very immature.”
John Scrimsher, CISO at Kontoor Brands, which makes Wrangler and Lee jeans, said he wants to attain a board seat, ideally at a multibillion-dollar company with a heavy manufacturing aspect. He has a long career in security at General Motors, Oracle and Hewlett Packard.
Not all CISOs can translate a cyberattack to financial, sales and product-distribution risks and then help prioritize how to respond, he said.
Scrimsher is increasing his business knowledge through the National Association of Corporate Directors’ Accelerate program, a $6,500 course for aspiring board members. Key for security leaders, he said, is “the hundreds of hours of study you need to do to break out of the technical and tactical mind-set that a CISO lives day to day.”
Write to Kim S. Nash at kim.nash@wsj.com