Three Seats at the Table - CISO & Board Dynamics


Cross Posted from LinkedIn Article by Brian Haugli

I recently saw an announcement of a very accomplished CISO being not only named the leader of a cybersecurity company, but also a director of their Board. No, this wasn’t me (thanks for thinking that if you were). This is actually at a competitor of ours.

While I sifted through what appeared to be a standard press release highlighting the accomplishments and qualifications for taking on these new corporate roles, I couldn’t quite place why I felt this seemed like a bad idea. How could it? As CISOs and professionals we all pine for these types of roles and levels of responsibility.

But should one person hold all three roles at the same time? TL;DR: No.

Let’s break down the expectations of each role, especially at a publicly traded company.

CISO

We know what this role is about, but for those who missed the last 20 years, here’s a short recap. The Chief Information Security Officer is the top person in an organization leading the cybersecurity and risk management program. They draw on a broad skill set spanning IT and risk management.

The CISO ideally has the business savvy and executive presence to influence the C-Suite, company management and the Board (psst, this is foreshadowing) on risk mitigation and reduction. As a CISO, you’re creating programs and opportunities that carry a cost in order to reduce risk for the organization. Unless a clearly defined budget is already in place and not fully utilized, additional funds must be sought to enable those risk reduction activities. Even with the budget, implementing a CISO’s program has an operational impact on the business that needs to be socialized and approved by company management prior to execution.

President

This role is (usually) the second-ranking role in the company’s management. The President could function as the leader when the CEO is out, or when the CEO’s role is primarily outward-facing (sales, investors, the market). They could also perform more like an operations lead, much like a Chief Operating Officer (COO). Either way, they represent the management of the company.

The President is in a position to lead and manage their subordinates in line with the vision and mission of the company. This includes making decisions on the risk mitigation or risk acceptance questions a CISO raises. The President’s focus is operational efficiency within the organization; something that can run counter to the risk reduction activities a CISO would seek.

Board Director

THE seat at THE table. This is it. This is what most people want if they’re climbing the corporate ladder. Ok, maybe not, but it’s a highly coveted role to land. Through a suite of committees and meetings over the course of every year, the Board makes decisions based on information presented by company management.

So what’s the Board’s role?

Plain and simple: the Board’s basic role is to hold corporate management accountable for acting in the best interest of the shareholders and the company.

So where’s the issue?

If the role of the CISO is to shape risk activities within a company…

And the President is in a role to oversee, approve or deny those activities…

And the Board is in the role to seek transparent information about risk and risk reduction activities…

And the Board is supposed to hold company management accountable…

Then how can that be done appropriately if the same person is in all three roles?

Now, before you raise the “well, actually” point that the person could recuse themselves from Board votes, we have to acknowledge that the structure itself is wrong. Recusal removes one vote; it does not change the fact that the same person produces the risk information the Board receives, approves the activities built on it, and sits on the body meant to scrutinize both.

Conclusion

Corporate structures are built with governance and independence in mind. We, as CISOs, have fought for years to get out from under the CIO so that risk can be reported with more autonomy and transparency within an organization. Role expansion of this kind, being the CISO, President, and Board Director at the same time, undermines exactly that goal of governance and transparency.

We should all want a seat at the table, but we can’t effectively sit in 3 chairs.
