Paul Connelly built the first cybersecurity programs at two of the world’s highest-risk organizations – the White House and HCA Healthcare (one of the largest healthcare providers in the U.S.). He led those programs for a combined 28 years in CISO roles, and in between, he spent six years building a cybersecurity consulting practice at PricewaterhouseCoopers. He is broadly experienced – C-level leader at a Fortune 100 company, partner at a Big Four public accounting firm, and senior civilian at a DoD agency at the White House supporting three U.S. presidents. Paul is also a developer of people, with thirty-four team members selected for CISO positions, and now serves as a cybersecurity educator.
Independent Director seats are carefully filled to provide corporate boards with broad expertise across critical areas. Most boards include CEOs, CFOs, and other executives who are informed on cybersecurity, but have no direct experience. The “State of Cyber Awareness in the Board Room Report” by NightDragon and Diligent showed 88% of the companies in the S&P 500 have no directors with true cybersecurity expertise. Here are two reasons companies should change that status quo: (1) recent regulatory actions in the U.S. by the SEC and the New York State Department of Financial Services are putting board oversight of cybersecurity squarely in the spotlight, and (2) boards that have the deep expertise of a CISO can help their companies make cybersecurity, technology, and data enablers of business growth while their competition is held back by fear, uncertainty, and doubt.
Boards have a fiduciary responsibility to oversee management’s handling of risk. In the high-stakes, complex, and rapidly changing world of cybersecurity, there is a substantial difference in knowledge between a director with high-level understanding and one who has run a cybersecurity program. Benefits from a director with CISO expertise include:
- Been-there-done-that: These directors have firsthand operational knowledge of cybersecurity that provides deep understanding and insight on one of the most challenging areas boards face today.
- Deep understanding of technology: Being a successful CISO mandates understanding technology and being involved in strategy, implementation, and operation. Most CISOs grew up within IT.
- Crisis response: These directors have received the 3:00 AM calls, been through countless real and exercise events, and know how to calmly respond to crises.
- Communication: Directors with CISO expertise can bridge today’s communication gap between the board, business leaders, and the organization’s cybersecurity and IT programs.
- Credibility: Directors with CISO expertise provide a unique perspective on cybersecurity and technology to help the board provide credible oversight.
- Future proofing: Directors with a CISO background are on top of dynamic technology and data evolutions and disruptors.
- Diverse thinking: Directors with a CISO background have risen through different ranks than most board members, and bring technology savvy, a connection with younger generations, and an innovator’s mindset.
The modern CISO role also requires working in front of leadership, the workforce, and stakeholders in many other areas that are valuable to a board of directors:
- Business strategy and operations
- Budgeting and fiscal management
- Privacy and data governance
- Risk management
- Regulatory compliance
- Ethics
- Company culture
- Geo-political risk
- Diversity, equity, and inclusion
- Development and retention of high-performing individuals and teams
- Diligence and implementation of M&A initiatives
In addition to this breadth of skills and experience, successful CISOs have three valuable board skills – the ability to collaborate with business leaders to forge joint goals, the courage to speak up on key issues, and the ability to engage in “collegial dissent.”
Flip the script! Forward-thinking boards that add the deep cybersecurity and technology expertise of a CISO are going to help position their companies to maximize their advantage from technology, data, and partnerships – flipping the script from fear and hesitation to opportunity and advantage.