How to attract a board-level cybersecurity expert

Suzanne Vautrinot’s impressive cybersecurity experience has been in high demand since she retired from the U.S. Air Force in October 2013. As a major general and commander, she helped create the Department of Defense's U.S. Cyber Command and led the Air Force's IT and online battle group.

In the past year alone, she has fielded “more than a handful” of phone calls from company executives and recruiters who hope to attract her to their board of directors, but she doesn’t jump at every opportunity. She has turned down board positions “more than once” because she perceived that the company wasn’t committed to cybersecurity initiatives or that she wouldn’t be active in any board matters beyond security.

“You want to do your due diligence and ask is this a company I can be proud to be associated with?” says Vautrinot, who is also president of Kilovolt Consulting in San Antonio.

Today she sits on the boards of five carefully chosen, diverse companies, including Wells Fargo, Parsons Corp., Ecolab, Symantec and Battelle Memorial Institute. When it comes to choosing what board position to accept, “you want to know that there’s a seriousness about all the areas where you will be contributing,” she says.

Many board-worthy cybersecurity professionals share the same concerns – just as demand for their talents gains momentum.

“There’s a significant increase in inquiries we’re getting [for board positions] in the IT and cybersecurity space,” says Tom Daniels, lead director of the board services practice at executive recruitment firm Spencer Stuart. Companies in every sector now experience cybersecurity issues, and as boards think about refreshing the skill sets they need, cybersecurity, which wasn’t even on their radar five years ago, is suddenly top of mind, he says.

What’s more, boards are looking for hard-to-find cyber superstars. “There’s a finite number of people that have the requisite skill set, the gravitas, the seasoning and the interpersonal skills, that know how to navigate not only at a day-to-day executive level but then be able to style-flex into a board room,” Daniels says.

So it’s no surprise that “board candidates are getting quite picky,” says Mike Dickstein, a consultant in the technology practice at Spencer Stuart. They don’t want to be the security scapegoat, and they don’t want their expertise to fall on deaf ears with the board, he adds.

“They know that joining a board as ‘the cybersecurity expert’ puts them in a unique position at least for reputational risk if something were to happen at that company from a cybersecurity standpoint,” Dickstein says. “They want to make sure that they’re not being set up as the fall guy, that the company has a true commitment by the board and the management team toward managing security, that leadership has a clear and consistent understanding of the risk relative to that business, and that cybersecurity is going to be appropriately funded and resourced. If they don’t see those things in place,” they may not want to risk their reputation on the company, he says.

Attracting an expert

How can companies put their best security foot forward to attract top cybersecurity talent to the board? Companies often don’t look at their own cyber track record and vision for their security future before starting the interview process. Board advisers and cybersecurity pros offer five points to consider before interviewing a cybersecurity expert for the board.

1. How and how much will they contribute to the board?

Board members with security expertise often “feel they’re more of a checked box than a participating, core part of the board,” says Tammy Moskites, CISO at Venafi and former CISO at Home Depot and Time Warner Cable. Most high-level cybersecurity experts want to participate in all board activities and add value across the organization.

Some companies believe that the mere presence of a cybersecurity expert on the board will make a difference to shareholders, but in reality the board has no plans to leverage all of the expert’s knowledge, Moskites says. She once walked out of an interview for a board position when she realized the company’s intentions. “They said, ‘you really don’t need to be involved too much, but can you make these meetings four times a year?’ I said, ‘I don’t think this is a good match for us.’” In the end, the company never hired a CISO to the board, she adds. Moskites went on to sit on the boards of Qualys and Box, and she’s currently interviewing for another board position.

Cybersecurity experts also look for commitment to the mission. “If I’m going to contribute in cybersecurity, is the company, the board and the management team aligned in wanting to move forward in that area?” Vautrinot says. “You can tell early in the interviews if there has been significant consideration of these kinds of things.” She recalls her own experience as a candidate interviewing with Wells Fargo board members and discussing cybersecurity. “[The company] had completely looked at what its organizational structure ought to be, what kinds of capabilities should it be putting in place, what would be available now and what was going to be available in a few years, what was changing in the threat factors, and the regulatory environment that they had to consider,” she says. “You could see an intellectual and strategic commitment in the company to move forward in an area that you could contribute to, and you felt like you could make a difference.”

2. Plan to share the risk

Board members want assurance that risk will be shared. “The board can’t forgo its responsibility about cybersecurity to the one director,” says Mary Galligan, director in the security and privacy practice at Deloitte. Galligan leads global boards of directors through cyber awareness, cyber education and war gaming exercises. “You don’t want to go on the board as the cybersecurity ‘expert’ and have the other directors say ‘that’s your own responsibility.’ No other committee works that way. If you’re on the audit committee, for example, you’re as responsible as the CFO or any financial wizard on the board,” she says.

3. Bring in the security team

Companies should plan to put the CISO and anyone else who is responsible for implementing cybersecurity plans and processes in front of the candidate for a conversation, Vautrinot says.

“If the company is moving in this direction and has hired expertise within the company, those conversations light up your day,” she says. “Even if there are things that aren’t quite right, instead of seeing the problems, people that are passionate about making things better see the opportunities.”

4. Are your directors curious?

Are your board members the type that are lifelong learners? Most directors on high-performing boards are, Vautrinot says, and that’s a big selling point for cybersecurity experts. “As long as they’re comfortable with technologies in different areas, or with complex connect-the-dot kinds of problems,” it will be a good fit, she says. “They need to understand cyber risk and ask good questions.”

5. Think outside the box

Today the demand for high-level cybersecurity experts far exceeds the supply. As a result, “everyone goes after the same people for their boards,” Daniels says. “It’s very challenging for a sitting executive to sit on more than one outside board.” Even retired professionals don’t have the bandwidth to participate on more than two or three boards, he adds. When searching for board candidates with cybersecurity expertise, think beyond the obvious candidates and look at public sector superstars, as well as those in the private sector, he says.

Moskites recommends communicating with colleagues about your search and asking for recommendations. She has personally referred seven cybersecurity pros to boards in the last 18 months. “There are people with incredibly strong technical backgrounds, and they can be tech wizards and billionaires, but that doesn’t necessarily mean that they’re a cybersecurity expert,” she says. “That’s becoming very apparent to us.”
