From board advisor to board member: evolution of the modern CISO.
Rick Howard: Hey, everyone, and welcome to CyberWire-X - a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer and senior fellow at the CyberWire. Today's episode is titled From board advisor to board member - evolution of the modern CISO.
Rick Howard: For many years, security executives like CIOs, CTOs, CISOs and CSOs have pursued board positions in nonprofits, startups and established corporations as career-toppers. In other words, after they have spent years in the trenches protecting their organization's digital assets, some believe that the culmination of their career is to sit on one or more corporate boards, in order to advise other organizations with the hard-won knowledge that they have garnered throughout their career.
Rick Howard: In this show, we're going to discuss how to pursue that goal and what to expect along the journey. One programming note - each CyberWire-X special features two segments. In the first part of the show, we will hear from an industry expert on the topic at hand. And in the second part, we will hear from our show's sponsor for their point of view. And since I brought it up, here's a word from today's sponsor JM Search.
Rick Howard: To start things off, I've invited Suzanne Vautrinot - Zan to her friends. She is the president of Kilovolt Consulting, a U.S. Air Force Academy grad and a retired major general of the U.S. Air Force with three decades of experience in space and cyber operations. She presently serves as director on several corporate boards, like Wells Fargo, CSX and Ecolab just to name three. I can't think of anybody more qualified to talk about this subject. In this interview, Zan mentions an essay written by Maria Ward-Brennan on the website Corporate Secretary. You'll find a link to it in the show notes for this episode.
Rick Howard: Zan, welcome to the show.
Zan Vautrinot: Thank you, Rick. It is always, always a pleasure.
Rick Howard: In the early days - say the 2000s and early 2000-teens - with cybersecurity, corporate boards didn't really have a lot of interest in corporate board experience from a security professional. Clearly, there are some exceptions, like in your case, but that hasn't been the norm. But with ransomware having a moment right now and President Biden publicly speaking about supply chain risk, do you find that corporate board recruiters are more inclined to seek board members with that kind of background, that kind of security background?
Zan Vautrinot: Yes. So you're asking, is there a greater opportunity for someone with a technology or particularly a security technology background? And the answer is yes. You've got an article that I sent you from Corporate Director.
Rick Howard: Yep.
Zan Vautrinot: It talks about the change in the way that they're hiring board members. And part of that is a significant increase in what they call nontraditional. So if you think of the traditional board members as being former CEOs, former COOs, former CFOs, there is a significant increase in nontraditionals. And one of the big areas for nontraditionals is technology background. Some of that is technology because everything needs to move towards digital, and you need a better understanding of how to build the enterprise. Part of it is the security issue that you just described and how much a part of risk that is for both reputation and operation at the company. So those skill sets are part of the growing desire by boards to bring in - we call it diversity. But it's diversity of skill.
Rick Howard: So now board recruiters are seeking people with tech backgrounds, with security backgrounds. How can you make yourself a better choice for those? What else do you need to be considered a good candidate for a board position, besides your security or tech background?
Zan Vautrinot: Let me put it in two places. What you've done and how you've done it. The what you've done should be a level of experience that's both depth and breadth. So if you are just a CISO and you've only done security and you've never managed large numbers of people, you haven't made big-budget, future strategic budget decisions about how to change the enterprise, if you haven't been at a level that says lots of people, lots of money decisions, strategic risk considerations at the corporate level, then you're probably not a candidate because it's not about the technical knowledge. It's about the full breadth of skill set and applying that technical knowledge to corporate operations. The second area is how you did it. Do you have gravitas within your professional area? Do other professionals in that area respect your expertise? And have you contributed that expertise broadly? So that might be in universities, as a speaker, as an adviser. Beyond a singular company, what's the breadth of your expertise? It might be in government. And that's why you see a lot of folks that were very senior in government with a technical background being selected for boards.
Rick Howard: So I'm trying to come up with a list of concrete jobs that - say that a security executive like a CISO could pursue as they are moving up the corporate ladder to prepare them to be a board member somewhere at the top of their career. So let me just give you a couple. Would M&A experience - would that be something the board members would want?
Zan Vautrinot: Absolutely. Product experience, supply chain experience, HR from the standpoint of knowing how to bring people in and how to do professional development internally. On the flip side of that, knowing when to bring people in internally and make it organic and where to reach and who to reach to for third-party advisory. Having the knowledge of which friend to phone and how to phone a friend across the greater industry - certainly important.
Rick Howard: So in terms of practicality, you know, CISOs could get involved and have been involved right in M&A transactions. They provide expertise to products especially if they're a security vendor or a tech vendor. But how about soft skills, like maybe translating cyber risk into general purpose business risk because - does that feed into this?
Zan Vautrinot: Yeah. I'll make that part of gravitas - If you can't communicate at a senior leadership level and if you don't know what it means to communicate at a senior leadership level, you know, the strategic as opposed to the tactical, if you will. And that doesn't mean you can't go to the tactical if you need to, but you need to come right back up to the strategic, the implications for the company level and understand what those are and be able to explain them in a way that somebody that didn't grow up in your cylinder of excellence completely comprehends and can align with other considerations that they've got within the company. So you're exactly right.
Rick Howard: Do you need to have a formal education in business or can you pick that kind of stuff up by just studying what the CFO is talking about or studying the public papers that the company has to produce? Can you get there by doing it on your own?
Zan Vautrinot: There's knowing and there's proving. So just like a CISO will have credentials from the technical side, it helps to have credentials from the financial side. So certainly you can learn it or you can demonstrate it by being in the CFO's office and being an adviser from the technical side. But the other way to do it is take additional courses and have the credentials that you have learned this aspect of business.
Rick Howard: And is that a business degree or is there some other credential you can get that's more important?
Zan Vautrinot: I think business classes also work. And with each company, you know, what kinds of things indicate an expertise or a familiarity? So it's something you can discuss with your leadership as you're doing professional development and say, how can I learn this? And how can I demonstrate that I have expertise in this area? And they should be able to help you from their company's standpoint.
Rick Howard: Right, demonstrate to you that I have that experience, right? That's - yeah.
Zan Vautrinot: Exactly. What would prove to you that I have the experience? Not just that I sat in the meetings and was exposed to it, but that I really now have a firm understanding and an ability to then weave it into my Venn diagram of expertise.
Rick Howard: Is there anything that - let's say a newbie CISO is just kind of, you know, kind of new in the field, is there something that he or she should be doing right now if they think they might want to be this person, you know, later in their career? Is there stuff they should be doing right now in terms of - I don't know - education, jobs, tasks, things to do that would help them be more qualified for this?
Zan Vautrinot: Sure. The first one is internal, and that is volunteer for things outside your comfort zone. If somebody says you're going to be part of internal audit or internal controls or part of an investigation or part of a large strategic exercise, take advantage of those opportunities because you'll learn a lot more about the company. If there is a major push to do professional development, running professional development for the company either in the tech area or in another area that's important to the company would be a great move forward because now you've become part of something that is both breadth and important to that company. You want it to be outside your normal comfort zone because remember what I said at the beginning, it's not just about depth in your area of expertise. It's breadth across a number of different leadership expertise that are important. No one is hired to be on the board of directors that is a one-trick pony.
Rick Howard: Right.
Zan Vautrinot: You can't afford to. The board's not big enough to have a whole bunch of, you know, in the stable.
Rick Howard: Yeah.
Zan Vautrinot: So every single person on that board has a mix of experience, usually four or five key things that make them valuable and make them unique to the company and to the board.
Zan Vautrinot: So the second thing I would say to do is do some research, particularly on companies that are in the industry that you're interested in or are the size that you would be appropriate for based on where you're getting your expertise, what's the size of your company. Pull the proxy or the 10-K and look very specifically at two things - how do they define their future strategy and where they want to go with the company? - because that's the conversation that you need to be able to have is, can you be relevant to making that kind of a strategic future happen? And if you look at a bunch of them, you'll see some consistency across different companies. If you can position yourself to have all of the expertise to help make that strategy happen, that's important.
Zan Vautrinot: The second one is, look at the type of people that they have on that board and what those skill sets are and where do you stack up, kind of looking at the matrix, in each of those skill set areas and across - how many blocks can you check that you have skill sets across that matrix? And that's where you want to develop yourself - is to make sure that you have the broadest set of blocks you could check in what they're looking for and the greatest depth in specific areas. I think it's important to recognize, just like in everything else, how you work with others as you come through your career will matter when you're considered as either an advisory or a board member. If you are a collegial team player - that doesn't mean you agree with everyone all the time, but the way that you have conversations brings others into the conversation and gets to a better end, and the way that you communicate makes people want to bring you into a discussion or into a panel or other areas. How you go about doing your job is going to matter as a board member because that reputation will follow you. You can't all of a sudden become strategic and collegial at the end. How you demonstrate that all the way through your career will come up at the end. And so every day is that test.
Rick Howard: So there are a number of different types of boards that are out there. And I think my community - my peer community doesn't really understand the difference. There's advisory boards. There's nonprofit boards. There's general purpose corporate boards. And then I'll throw another category out there, you know, Fortune 500 corporate boards. Is there any others that I'm missing there?
Zan Vautrinot: Let's talk about public boards. And the reason we start with public boards is because the requirements are the most refined and specific because you have to prove to the investors and often to the regulators and to people that are interested in the company that your board has the right credentials to represent and to make sure that they can protect the company. That's the duty of care, duty of loyalty, duty of obedience kinds of things that they are looking for in all board members. So those credentials become very important externally as well as internally to the board and the management.
Zan Vautrinot: So that's the set that's probably the most formal. And it's really easy to pick up a proxy, you know, the annual statement for the company as they get ready for their votes, or the 10-K, the annual financial report, which also reports on the status of the company overall. Those will carry a matrix that says here are all the board members, and here's the area where they have expertise. And that matrix gives you a really strong sense of, what was the intentional set of expertise and the diversity of those expertise and even the level - because you could look at the individuals and see the level and the type of expertise they have - that made them valuable to a Fortune 500, a Russell 1000, you know, to a public company.
Zan Vautrinot: On the other end of the spectrum is a senior advisory board. A senior advisory board has no fiduciary responsibility. It is a board that advises either one key individual in the C-suite, in the management side, in, perhaps, technology or in strategic thinking or in relationships and business development. But it is a specific, defined role to advise some part of management on the future of the company. So think of it as a retained consultant. And usually, senior advisory boards - you're retained for a year at a time, but it's generally a number of years.
Rick Howard: So - and there's a wide range of activity for these advisory board positions. I know I've been on several myself, and they range anywhere from being, give us your opinion of our new product roadmap to, help us think about the future of the company.
Zan Vautrinot: Exactly. If you're going to go into a senior advisory board role - really important to look at the contract that you have with them. And it'll usually be two or three pages, and it'll spell out what they're expecting you to do. Unlike a board of directors, the compensation is negotiable for an advisory board. They generally have a standard for a senior advisory board so that there's an equity for all of them but not always. So it is negotiable for senior advisory, and it has to do with level - what's your level as an expert? It also has to do with how much time they need. Is it a couple of hours a month, or is it many hours a week? And it has to do with what they ask of you in terms of not having conflict of interest. If they want you to be exclusive, then that's an entirely different contract and level of compensation than if you were advisory to them and they're just aware of other things that you're doing. And then you just have non-disclosure, and so they just trust you not to disclose across companies. But for an advisory board, that's what you're talking about.
Rick Howard: Based on what you said, there are - the differences between what an advisory board position would be and a public board would be are very wide. When executive board recruiters are looking for new members, does being on an advisory board help? Does that give you extra points because you've had that experience? Or does it not matter that much?
Zan Vautrinot: In my experience, it doesn't matter, although it may be part of your resume that shows a level of expertise or a level of interface. So for example, as part of an advisory board, you were talking to board members frequently, which is not generally the case. Usually, you're talking to somebody very senior in management. But if you were talking to the CEO frequently as a result of that senior advisory or if you were talking to congressional representation or if you were speaking to international counterparts with management or on behalf of management, that would become part of your resume. But the fact that you were on a senior advisory board is not, you know, a credential. For a board of directors, the compensation is set and made public if it's a public board. And it's the same for everyone. It doesn't change that often. At best, every two or three years, it might change a little bit. And it's usually - about half is going to be a cash retainer, and about half is going to be equity. Occasionally, there are also meeting fees or stock options, but generally, it's those first two categories, and it's preset.
Rick Howard: I hate to get into details like this, but it's also the perks of travel and all that kind of stuff that they mandate because you have to go to meetings and things. They cover all that stuff. Is that right?
Zan Vautrinot: Yes, exactly. So all of your expenses in both cases - for senior advisory and for a board of directors, the expenses are covered and how you travel and how they'll reimburse and all those kinds of things, what level they'll reimburse to. You know, is it economy or first class? And do they dictate which hotel you stay at, or is it up to you where you stay? Do they provide a car or do you get a rental car? All of those things are kind of preordained so that there's consistency with everybody.
Rick Howard: This is all fantastic, Zan. And I really appreciate you coming on the show, and thanks for doing it. I can't wait to come up with the next topic, so I can bring you on sooner.
Zan Vautrinot: It's always a pleasure. And I hope that this helps you create some more great board numbers because, boy, do we need a lot of them that have technical background and the ability to apply it to strategy.
Rick Howard: Next up is my conversation with Jamey Cummings from JM Search, our show's sponsor. He most recently co-led the cybersecurity practice at the largest global executive search firm for nearly a decade. And today, he's a partner at JM Search. And as you can imagine, he's talked to a lot of CISOs, CSOs and CIOs in his career. I asked him the same question I asked Zan. Was it his experience that these kinds of security executives are seeking to obtain some sort of corporate board position somewhere down their career path as kind of a pinnacle to their career?
Jamey Cummings: I have had the pleasure of speaking with a lot of heads of information security and technology, and I have found over the last - in particular, the last several years, an increase in the number of those professionals who want to do that absolutely as a bit of a pinnacle of their career. It was a little bit, I think, of contributing and giving back as well. You know, that's another way as they start thinking about - rather than going and rinsing and repeating and building another cybersecurity program somewhere else, it's a way to continue to be active and engaged in a meaningful way without sitting in the seat on a full-time basis. So it's definitely something of a high level of interest across the CISO and the CIO community.
Rick Howard: I also expected something like a bit of a respect toward the security professional because for many, many years, security executives weren't really thought of that highly by corporate boards. But is that it, too? Is it - 'cause I know that - it's one of my feelings about this - is that if you get to a corporate seat, that's the industry saying, yeah, you kind of made it to the top of the pile there.
Jamey Cummings: Yeah, I do think it is a little bit of coming of age, of, hey, we finally have arrived and got in that real seat at the table. You know, I think that CIOs and CISOs both overall, as a community, feel like they have to consistently earn that right to get that seat at the table. And increasingly, a lot of them have been able to do that. Being on a board is a bit of that culmination or affirmation that, hey, you're not just a token technology or security person that will break glass in case something drastic or important happens. You're actually part of the fabric of the strategy of the organization. And being on the board, that is the expectation, and I think there is an indication that, yeah, I've actually proven myself as someone who can be part of the C-suite.
Rick Howard: So let's do some mechanics here and talk about the different kinds of boards, because they're not all the same in terms of the amount of work you have to do and the amount of compensation you might get for being on it. So there's advisory boards, nonprofit boards, traditional corporate boards and - I'll even throw a special category on - Fortune 500 corporate boards because, you know, those are the big dogs. Can you explain what those are and what the difference is for - if somebody got on some of those? What do CISOs need to think about there?
Jamey Cummings: We'll start with the last one, the Fortune 500 in particular and those publicly-traded boards. High-level visibility - there's a lot of fiduciary responsibility. And I think it's one of those things that you would talk to any board director - it sounds great, but certainly something you want to be aware of as much as you can - what you're really getting into. There were actually some boards in the past where there was some sort of incident, and they were targeted by investors. So you could put yourself out there from a fiduciary and liability perspective, if you're not really very careful about it. So I think there's that, which is different than going on a nonprofit or a private board. So that level of scrutiny is the way I would guess I'd boil it down to.
Jamey Cummings: And the other thing about those boards is that the level of commitment you're making not only on the fiduciary responsibility side of things, but also from your time commitment - I don't want to be flippant about it, but it's not like you just show up for a couple hours of meetings and a dinner every quarter. There's a lot of time investment that you need to put into it. And you commit to those board meetings as far as a year out. And unless you're incapacitated, you will be at those board meetings and you will be carrying out your duty, because there is this, I think, sense of duty, of care and value that you have for the shareholders, where you're really signing up for a lot, and you definitely should not take that lightly. And I think the advisory or nonprofit boards, those tend to be a little bit more of - I'll call it a labor of love. There's certainly not a compensatory aspect of that you're going to get typically - in fact, quite the opposite. There'll be, often on nonprofit in particular, the expectation of a give and/or get aspect of that.
Jamey Cummings: But I think what's interesting is one way that those can potentially tie in together is that it's not unusual to start with a - whether a private or a nonprofit board - to learn some of the mechanics of being on a board, interacting with others and what it entails. And by virtue of that, you've demonstrated your ability to be above and beyond an operational executive and take on a little bit more of that bigger-picture advisory-type role. But at the end of the day, getting on a board - they don't always go to an executive search firm. They're often the executive search committee themselves, word of mouth. And if you happen to sit on a nonprofit board with someone who's on a Fortune 500 board and they have a good impression of you, well, then that might be a way for you to get exposure and the opportunity to sit on a bigger board. So there is a little bit of that potential connective tissue there.
Rick Howard: So just like finding regular jobs in the security community, like CISOs and CIOs and things, it's mostly about who you know.
Jamey Cummings: It can be that way, certainly. Not all board searches are conducted the same way. But if it's a thorough search, they're looking at a large and broad slate of candidates. Getting an invitation to the party is one thing. At that point then, there are many, many factors that go into play into who gets the role. But I think it varies across different boards. Especially with private boards sometimes, it's more who you know, networking. But there are some processes that are very thorough and structured, where who you know is less important than the criteria by which they're selecting the candidates.
Rick Howard: Back to something you said before - you know, there's a big difference between a Fortune 500 board and a public board versus a startup board. When people are reaching out to you to join a startup board, that means the compensation is probably not there upfront. What you're really doing is making a bet that your startup is going to make it big somewhere down the line. So that's you knowing that before you get involved in that, and the time you have to commit to that might be extreme. So can you talk about that a little bit?
Jamey Cummings: You're absolutely right. It is a different model. And in fact, it could be a different model, even on the full operational executive side. There's a difference between being public and startup or early-stage. It's - the total potential compensation over multiple years could be similar, but the nature and timing of this cash flow is certainly different. So yes, absolutely. It's, once again, maybe a little bit of a labor of love. I think some people join these startup or early-stage boards probably because they're passionate about it. They really enjoy it. They like working with entrepreneurs, contributing actually to the cybersecurity industry from a technology perspective. And, you know, I think at the end of the day, while it's nice that there is a potential upside from a wealth creation opportunity, I don't sense, in speaking with a lot of CISOs and CIOs, that that is their primary driver of sitting on a board like that. But it is a nice benefit that they can potentially achieve out of that, if things go well.
Rick Howard: Yeah, so - and I think people should realize that. Like you said, it should be a labor of love because if you don't believe in the product, it would be hard to dedicate that much time to it, if you don't really love what they're trying to do. So make sure you know that going in, right? That's what you're saying.
Jamey Cummings: I would agree. I personally have not sat on either type of board. I'd love to do that someday myself as well. But if you are with a startup, there's probably a lot more hands-on care and feeding and maybe less rigor and structure around the timing and the structure of the board meetings. You're right, it's very much dependent upon to what extent you're involved. It could take a lot more of your time and energy than you anticipate. So I think that's something you want to be really thoughtful about going into it, the extent to which you want to be hands-on involved and what you're going to get out of it.
Rick Howard: Most of the security executives I talk to find it easier to get on an advisory board, and they think that having that experience will make them more palatable to board recruiters, let's say, down the line. Is that a true thought - if you are - if you volunteer for an advisory board or a nonprofit board, people will look favorably on you down the line for a big corporate board job?
Jamey Cummings: My view is it can't hurt, but advisory boards...
Rick Howard: Not a prerequisite, yeah.
Jamey Cummings: No, I would agree. No. I think - now if you're on a private board or a startup board or something like that or even nonprofit where there is something a little bit closer to a fiduciary responsibility as opposed to just providing some advice, I think that gets you closer - where you actually need to show up and you need to bring a lot to the table as far as understanding the business, providing high-level advisory guidance. An advisory board, it doesn't seem like as high a bar as actually being on a board where you're selected. And so advisory boards I think are nice, but other boards like nonprofit or an actual seat on the board of a private company would, I think, stand out a lot more than just advisory boards.
Rick Howard: Traditionally, corporate boards have never really sought out security executives. But with nation-states really stepping up their game these past five years or so, are they actually seeking out security executives to fill those board positions or is it more of the same?
Jamey Cummings: We're seeing some of it. Not to the extent I think we would have expected, but the way I would describe it is cybersecurity expertise, amongst the many, many criteria that board directors are being considered against, is moving up the list. And by virtue of that, some security professionals who also bring a lot of other things to the table are getting more opportunities than they would have in the past. But what I think you're not seeing very much of is someone saying we want a CISO. Because boards have multiple ways that they could become much more knowledgeable of cybersecurity and to help them work with executive teams - by the way, they're not operational, they're advisory - to develop mitigation strategies and plans to include into the entire enterprise risk management framework. But being a CISO is one amongst many considerations, and you need to bring a lot more to the table to be considered for a board. And that's what we've seen pretty consistently, is those who - CISOs who sit on boards, there's a broader skill set that is valued by the board.
Rick Howard: So let's talk about some of those, all right? What are some of the prerequisites that CISOs need in order to even be considered for these kinds of board positions?
Jamey Cummings: Probably they - I would capsulate it best with being seen as a credible senior business executive who, oh, by the way, happens to be knowledgeable and facile in the area of information security; someone who can work with the other board members and help them articulate and understand how cybersecurity fits into the broader business and enterprise risk framework that they need to consider as a board. So someone who could do that. And in order to be able to do that and consistently operating at a senior executive level within the organization, ideally someone who is involved in higher-level strategic parts of the conversation within the organization, not just brought in to talk only about cybersecurity. So I think you're finding those who have business acumen, who are well-rounded, who are articulate and able to convey their messages in a way to senior non-security technology executives that can be interested in the risk framework, that is the - first and foremost what - how CISOs need to differentiate themselves to be considered.
Rick Howard: If I was going to offer advice to some young CISO out there, first thing I would tell them is have a discussion with their boss that their goal is to be on a board somewhere and that they have to do a certain amount of things to even be considered - so like you said, at some point, they need to be a senior vice president for the company because you probably won't even get looked at if you don't have that in your title; and you need to be on the senior staff or the executive staff for the company as a contributing member, not just someone who shows up at meetings and briefs, but you're part of the inner circle. So you got to talk to your boss about how do you get put into that. And that's a tough situation to break into. I've been in lots of companies, and the executive staff is a pretty close-knit group. That's a pretty big task. I don't know if you have any recommendations about that.
Jamey Cummings: I would say that right, wrong or indifferent, the other board members are going to look at you through that lens - to what extent are you a legitimate member of the executive leadership team, whether you're officially an officer of the company or not. And, you know, you and I both know, Rick, we've been seeing an evolution over time of CISO reporting structures. And even if they don't directly report into the CEO or chief risk officer or otherwise, there is this dotted line or other direct line of communications with, often, the audit committee, for example. So the more that you as a CISO can have those sorts of either direct or indirect reporting relationships and have regular, consistent communications with board members and senior executives on topics well beyond information security, absolutely. Now, as - you know, unfortunately, for some people, the structure of the organization is such that it's going to be tougher to do that. But if you're able to do that within your current organization or as you consider other places you might go in the future, that would be a criterion by which you want to look at that opportunity, to consider, hey, does this position mean not only for the next operational challenge, an opportunity to expand my skill set, but does it set me up beyond that to get more interaction at the board level and be a better potential candidate to sit on the board myself?
Rick Howard: So this is a long-range plan. You're not going to jump into this kind of situation tomorrow after you've heard this podcast. This is a five-, 10-year road map for you to get there. So my recommendation is to talk to your boss about how you can have these kind of positions. And if you can't because of whatever reason, politics or whatever, the next security job you could - that'd be - should be part of the negotiation. That's what you're trying to get to so you can be a board member down the road and you have that as part of your repertoire. I think also, we've talked in the past, Jamey, that experience in M&A activity would be useful. Experience in managing products would also be useful. Do you agree with both of those?
Jamey Cummings: Yes. I would say the broader set of experiences you bring to the table, so much the better. The more you can demonstrate that you're not a one-trick security pony, absolutely. And something else that's been coming up a lot more lately is even if there is not, once again, an official reporting structure, we have clients very consistently asking, to what extent has this executive briefed the board of directors? How regularly and in what context, and what are the topics?
Rick Howard: So you're saying that CISOs should take advantage of this opportunity if they think they want to be on a board somewhere down the line and they haven't yet briefed the board as part of their current job. This latest epidemic of ransomware might be a way for them to improve their resume by getting a chance to get in front of their own board.
Jamey Cummings: If there is a silver lining there - now, what we have noticed is that, especially with the ramp-up in ransomware and boards - you talk to a lot of CISOs. They would, quite frankly, say a lot of boards are freaking out. By virtue of that, that actually has opened up the opportunity for more CISOs to have more frequent communications with the board. So hopefully, that's something that will open the door for more of the CIO and CISO community to be able to do that. So you avoid a little bit of that chicken and egg, absolutely. But getting back to the other question around M&A and products, especially if you look at M&A, cybersecurity is increasingly an important aspect of whether it's evaluating vendors or evaluating M&A targets as to what extent is there a risk and liability we're going to inherit by acquiring this company? But by virtue of being part of those conversations, you're going to be shoulder to shoulder with some of the other deal folks and businesspeople who are talking about things well beyond cybersecurity. And so that's another way you can demonstrate your business acumen - is through things like M&A, evaluating products. So all those things, if you have the opportunity as a CISO, that - they just do make you more well-rounded and position you to be a better potential candidate for sure.
Rick Howard: Those are experiences that you should be seeking in order to be valuable for these kind of board positions. But like you said before, there's other skill sets that you probably need to be working on. You talked about being able to translate a cyber risk into business impact. But can you think of any other skill sets that security executives should be thinking about?
Jamey Cummings: Yeah. I think - well, this is something that, just in order to be a good CISO, is important and consistent - is, I would say, relationship building and communications. That's how you're going to build trust and credibility. That's going to enable you not only to be more effective in your full-time day job, but if people see you as a trusted adviser who understands their needs and their priorities and their challenges, that's going to open up more doors for you to be able to have people say, I'm comfortable with this CISO communicating to the board on a frequent basis because he or she is actually quite articulate and can translate a message into something that is consumable by a nontechnical audience. Those are key skill sets to be in a full-time role, as well as to position yourself to be, I think, a board director.
Rick Howard: The other skill set that hardly gets mentioned in the cybersecurity venues that we like to hang out in is your ability to understand the corporate finance bottom line. And what I mean by that is if you don't understand what the CEO and the CFO are talking about at the quarterly analyst call, pick your favorite company, you don't have the skills to be a board member. You have to understand the finance at a very deep level and not just understand it but be able to make suggestions on how to improve the bottom line. Do you see that as a skill set they need, too?
Jamey Cummings: Absolutely. That ties into the overall business acumen. Now, I don't think anytime soon the CISOs are going to be the ones that are chairing any audit committees or anything like that. But absolutely, you need to be able to speak the language of business, and finance is obviously a significant part of that. In fact, I've even spoken with a couple of CISOs that - they didn't go out and, you know, get an additional degree in finance or anything but whether through NACD or other organizations, taking some basic business finance is absolutely a tool that will help you once you get on a board certainly, but in preparation for that, whether it's taking a class or interacting very closely with your counterparts in finance within your organization so you're more facile with the ins and outs of corporate finance. Absolutely. If you are illiterate in corporate finance, that is not going to position you well to sit on a board.
Rick Howard: I came up from the technical ranks and had to learn business on my own. I think that the modern-day CISO, you know, the kids coming out of schools these days will be business people first and security executives second as part of their corporate function. That's kind of the way I see it going.
Jamey Cummings: Yeah, I mean, I think both security and technology leaders - whether it's searching for a board or even for a full-time position, that is really the mantra, is a business executive who happens to be quite facile in the areas of technology and security.
Rick Howard: Let me change gears a little bit here. In terms of social media, what can security executives do now to improve their chances of getting on a board seat? Can they shape their desirability from board members - OK - by having a social media presence? I'm talking about presentation videos on YouTube or just having a Twitter presence. Anything like that helpful here?
Jamey Cummings: I think it certainly can't hurt as long as it demonstrates the breadth of your capabilities and what you bring to the table. So certainly, if you're going to be a CISO considered for a board, having a certain level of cybersecurity expertise is going to be table stakes. And I think the more you can demonstrate on your LinkedIn or whatever social media - LinkedIn is often the most appropriate and most used from a professional perspective - would be to demonstrate not only the boards that you've been on, but what have you done on those boards? How have you demonstrated your abilities that go well beyond cybersecurity? So if I were to enhance my social media to position myself, I would focus on how I accentuate my non-cybersecurity credentials, ideally.
Rick Howard: Exactly. So instead of writing about, you know, the malware tool that Panda Bear used, you flip the conversation around about - how does the new adversary campaign impact the business and why? So change that focus so they can demonstrate that you are a business technical leader and not just a techie that, you know, likes techie things.
Jamey Cummings: Absolutely. And I think another theme here too overall with boards, whether it's - regardless of your function. And I think this is particularly important for CISOs who tend to be operational problem-solvers. They want to dig in and fix things. As a board member, you are not there to be operational. You are there to take a much higher level view and be an adviser. So the more you can demonstrate - once again, I think you raise a good point. Not just talking about the latest malware, but bigger picture - what are the implications for an organization or an industry or otherwise for the things that are happening and what do you do about it is going to be way more valuable to show that you can think and operate at that senior level and avoid the tendency to dig into the details from an operational perspective.
Rick Howard: So how can you and JM Search help CISOs who want to pursue this path find what they are looking for? How does JM Search enter the equation here?
Jamey Cummings: We are very active in the market, in working with clients to recruit CISOs into roles at a wide variety of companies across industries. But we also are active in recruiting board members. Recently, we were actually doing a search where we did, in fact, have a client that was looking for someone who brought a lot of things to the table, e-commerce business acumen, but also a good amount of cybersecurity expertise. So how we can help is not only - it's good to be on our radar as a prospective candidate for any searches we may have, but I always enjoy conversations with CISOs who are just thinking about their own career progression and how they position themselves. So I'm always open to have that conversation, even outside the context of a specific, formal executive search that we might be conducting. And my colleagues on my team are the same way.
Rick Howard: That's all good stuff, Jamey. Thanks for coming on the show to discuss this topic. Jamey is a partner at JM Search, an executive recruiting firm. Thanks for being on the show.
Jamey Cummings: Rick, thank you for your time. This is, I think, a really important and current topic, and hopefully the community out there will find this to be valuable.
Rick Howard: We'd like to thank Zan Vautrinot, our own CyberWire Hash Table subject matter expert, and JM Search's Jamey Cummings for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive producer is Peter Kilpe. And I'm Rick Howard. Thanks for listening.