This blog is part of our Board Oversight Series, an interactive collection of resources on Cyber Risk.
As our Board Oversight Series continues, we’ve decided to provide some context and guidance around a question that’s top-of-mind for many boards: Given the heightened risk of cyber threats, should we be recruiting a cybersecurity expert to the board?
According to PwC’s Annual Corporate Directors Survey, 72 percent of directors say that their board is looking for cybersecurity expertise. We sat down with Jason Baumgarten, a partner with Spencer Stuart and a corporate director himself, to understand how the supposed demand for cyber experts was translating on the director recruitment side.
In just the past few years, cybersecurity has evolved from an item on the audit committee agenda to a full-board issue, and a central component of discussions of strategy, risk and innovation. What trends have you seen on the director recruitment side? Do you find that more boards are searching for cybersecurity expertise, or are they electing other methods for oversight?
JB: To be honest, we have not seen a significant uptick in requests for cybersecurity experts. Rather, we’re experiencing demand for skill sets on a broader technology scale, as boards seek talent that can help them keep up with today’s rapid pace of change and ongoing disruption.
Their focus is less on cybersecurity in particular and more on how technology is disrupting and transforming industries.
JB: The other big shift we’re seeing is a growing recognition that having a CISO on the board won’t by itself shift the discussion around cybersecurity. The whole board needs to be educated and vigilant about this new and important risk. Further, a lot of the cyber challenges that today’s companies are facing are not just the traditional cybersecurity issues; rather, they’re regulatory, they’re business-model driven, and they involve broader ethical questions around how to interact with data and machine learning.
Increasingly, we see boards contemplating this shifting landscape of privacy and regulatory dilemmas as opposed to operating narrowly within the traditional lens of cybersecurity, which has been centered on threat reduction and response. It doesn’t mean the latter is going away, but I think the cybersecurity playing field is expanding to cover new things.
For boards that consider recruiting cybersecurity expertise, a common concern is that they’ll get a “single-skilled director” who can’t contribute to other board or committee functions. How real is this fear? Is the talent pool as binary as boards suggest? Or will boards need to evolve their expectations and criteria in order to get the types of cyber expertise they’re looking for?
JB: Beyond cybersecurity, there’s a broader trend at play here. More boards are recruiting non-CEOs and non-CFOs. These leaders have spent less time in the boardroom, and they may have a less holistic understanding of the role of a board. In addition, boards are getting more creative about where they find cybersecurity talent.
We are helping boards find executives who may have started their careers in a particular functional skill set, then later expanded to become CEOs or general managers. We are also looking at leaders in the cybersecurity ‘industry’ versus just the ‘function’: some may have played a CISO role, but now have a much broader remit as a member of the executive team and also bring a perspective on what numerous companies are doing around security.
Like any functional role, there are going to be CISOs who have a broad, strategic involvement in their company, and those who are very tactical. Finding the right fit for your board is critical, and that depends on (a) how big your board is, (b) how complex your business is, and (c) how critical your need is for that tactical skill set versus trying to bring multiple perspectives in a single director addition.
If you have a very small board, it is much harder to have single-purpose directors than if you have a larger board because you have to staff committees. I think the fear of being limited by a “single-purposed director” is a real concern, but boards are also getting much savvier about how to mitigate those risks. We try to help boards recognize that the external value of a board member is short-lived. It’s really about finding a deeper, contextual fit.
So then how should boards be approaching questions around cybersecurity talent? Ultimately, what advice would you offer boards that are considering whether they need to recruit a cyber expert?
JB: It comes down to what I call the magic question. When boards tell me they need cybersecurity expertise, I ask them:
What conversations does your board want to be having around cybersecurity that you feel unable to do with your current board expertise?
By asking this simple, powerful question, boards begin to evaluate their needs through various lenses:
- How much time are we going to be spending on cyber risk in the boardroom?
- Given our business model, are we more concerned about third-party risk or about the ethical and regulatory aspects of data management?
- Do we need an enterprise CISO with very direct enterprise experience or do we need someone who’s lived through a specific episode or disruption?
- Are we better off creating an advisory board vs. recruiting a full-time director?
- Should we instead consider bringing in an outside expert to lead discussions around this topic?
- Do we have the right management team around security today?
As the board starts to define the cyber risk discussion it wants to have, it can better determine what it actually needs. It also requires a discussion with management about what challenges the business is facing. Could the executive team benefit from a ‘cybersecurity sage’ of sorts? Is the company expanding into new markets? The answers to these questions will shape the needs of each board, and no two boards are exactly alike.