
Board Cybersecurity Expertise: Consider These Factors

By Randi Morrison posted 09-23-2018 09:23 PM


Further to our prior report "Cyber Board Oversight: Think Business Model/Strategy, Regulatory & Ethical," Boardroom Resources' interview with Spencer Stuart Partner and corporate director Jason Baumgarten, captured in the recent post "Should We Recruit a Cybersecurity Expert to the Board?", reiterates the importance of a company-specific approach: how a board ensures that its search for cybersecurity expertise fits its overall composition depends on numerous factors, including board size, company industry, business complexity and maturity, the overall mix of director skills and qualifications, management-level talent, access to outside expertise, and much more.

Baumgarten suggests boards consider these questions to help evaluate their needs:

  • How much time are we going to be spending on cyber risk in the boardroom?
  • Given our business model, are we more concerned about third-party risk or about the ethical and regulatory aspects of data management?
  • Do we need an enterprise CISO with very direct enterprise experience or do we need someone who's lived through a specific episode or disruption?
  • Are we better off creating an advisory board vs. recruiting a full-time director?
  • Should we instead consider bringing in an outside expert to lead discussions around this topic?
  • Do we have the right management team around security today?

In addition, and presumably related to the increasing demand for directors with technology skill sets broader than cybersecurity, Baumgarten notes this director recruitment trend:

The other big shift we're seeing is a growing recognition that having a CISO on the board won't by itself shift the discussion around cybersecurity. The whole board needs to be educated and vigilant about this new and important risk. Further, a lot of the cyber challenges that today's companies are facing are not just the traditional cybersecurity issues–rather, they're regulatory, they're business-model driven, and they involve broader ethical questions around how to interact with data and machine learning.

More broadly, boards are tending to recruit non-CEOs and non-CFOs (including CISOs or former CISOs) who, although potentially lacking boardroom experience, bring strategic or other skills, perhaps combined with the desired cyber or technology experience, to round out and complement the board's collective skill set.

See also our prior reports: "Cybersecurity Board Oversight: Proxy Disclosure" and "Board Cyber Committee Charters & Proxy Disclosures," and numerous additional resources on our Cybersecurity/Data Privacy (see Board Oversight & Surveys/Studies), Board Composition, Board Refreshment, and Board Practices pages. This post first appeared in last week's Society Alert!
