Suzanne Vautrinot’s impressive cybersecurity experience has been in high demand since she retired from the U.S. Air Force in October 2013. As a major general and commander, she helped create the Department of Defense's U.S. Cyber Command and led the Air Force's IT and online battle group.
In the past year alone, she has fielded “more than a handful” of phone calls from company executives and recruiters who hope to attract her to their board of directors, but she doesn’t jump at every opportunity. She has turned down board positions “more than once” because she perceived that the company wasn’t committed to cybersecurity initiatives or that she wouldn’t be active in any board matters beyond security.
“You want to do your due diligence and ask is this a company I can be proud to be associated with?” says Vautrinot, who is also president of Kilovolt Consulting in San Antonio.
Today she sits on the boards of five carefully chosen, diverse companies, including Wells Fargo, Parsons Corp., Ecolab, Symantec and Battelle Memorial Institute. When it comes to choosing what board position to accept, “you want to know that there’s a seriousness about all the areas where you will be contributing,” she says.
Many board-worthy cybersecurity professionals share the same concerns – just as demand for their talents gains momentum.
“There’s a significant increase in inquiries we’re getting [for board positions] in the IT and cybersecurity space,” says Tom Daniels, lead director of the board services practice at executive recruitment firm Spencer Stuart. Companies in every sector now experience cybersecurity issues, and as boards think about refreshing the skill sets they need, cybersecurity, which wasn’t even on their radar five years ago, is suddenly at top of mind, he says.
What’s more, boards are looking for hard-to-find cyber superstars. “There’s a finite number of people that have the requisite skill set, the gravitas, the seasoning and the interpersonal skills, that know how to navigate not only at a day-to-day executive level but then be able to style-flex into a board room,” Daniels says.
So it’s no surprise that “board candidates are getting quite picky,” says Mike Dickstein, a consultant in the technology practice at Spencer Stuart. They don’t want to be the security scapegoat, and they don’t want their expertise to fall on deaf ears with the board, he adds.
“They know that joining a board as ‘the cybersecurity expert’ puts them in a unique position at least for reputational risk if something were to happen at that company from a cybersecurity standpoint,” Dickstein says. “They want to make sure that they’re not being set up as the fall guy, that the company has a true commitment by the board and the management team toward managing security, that leadership has a clear and consistent understanding of the risk relative to that business, and that cybersecurity is going to be appropriately funded and resourced. If they don’t see those things in place,” they may not want to risk their reputation on the company, he says.
Attracting an expert
How can companies put their best security foot forward to attract top cybersecurity talent to the board? Companies often don’t look at their own cyber track record and vision for their security future before starting the interview process. Board advisers and cybersecurity pros offer five points to consider before interviewing a cybersecurity expert for the board.
1. How and how much will they contribute to the board?
Board members with security expertise often “feel they’re more of a checked box than a participating, core part of the board,” says Tammy Moskites, CISO at Venafi and former CISO at Home Depot and Time Warner Cable. Most high-level cybersecurity experts want to participate in all board activities and add value across the organization.
Some companies believe that the mere presence of a cybersecurity expert on the board will make a difference to shareholders, but in reality the board has no plans to leverage all of the expert’s knowledge, Moskites says. She once walked out of an interview for a board position when she realized the company’s intentions. “They said, ‘you really don’t need to be involved too much, but can you make these meetings four times a year?’ I said, ‘I don’t think this is a good match for us.’” In the end, the company never hired a CISO to the board, she adds. Moskites went on to sit on the boards of Qualys and Box, and she’s currently interviewing for another board position.
Cybersecurity experts also look for commitment to the mission. “If I’m going to contribute in cybersecurity, is the company, the board and the management team aligned in wanting to move forward in that area?” Vautrinot says. “You can tell early in the interviews if there has been significant consideration of these kinds of things.” She recalls her own experience as a candidate interviewing with Wells Fargo board members and discussing cybersecurity. “[The company] had completely looked at what its organizational structure ought to be, what kinds of capabilities should it be putting in place, what would be available now and what was going to be available in a few years, what was changing in the threat factors, and the regulatory environment that they had to consider,” she says. “You could see an intellectual and strategic commitment in the company to move forward in an area that you could contribute to, and you felt like you could make a difference.”
2. Plan to share the risk
Board members want assurance that risk will be shared. “The board can’t forego its responsibility about cybersecurity to the one director,” says Mary Galligan, director in the security and privacy practice at Deloitte. Galligan leads global boards of directors through cyber awareness, cyber education and war gaming exercises. “You don’t want to go on the board as the cybersecurity ‘expert’ and have the other directors say ‘that’s your own responsibility.’ No other committee works that way. If you’re on the audit committee, for example, you’re as responsible as the CFO or any financial wizard on the board,” she says.
3. Bring in the security team
Companies should plan to put the CISO and anyone else who is responsible for implementing cybersecurity plans and processes in front of the candidate for a conversation, Vautrinot says.
“If the company is moving in this direction and has hired expertise within the company, those conversations light up your day,” she says. “Even if there are things that aren’t quite right, instead of seeing the problems, people that are passionate about making things better see the opportunities.”
4. Are your directors curious?
Are your board members the type that are lifelong learners? Most directors on high-performing boards are, Vautrinot says, and that’s a big selling point for cybersecurity experts. “As long as they’re comfortable with technologies in different areas, or with complex connect-the-dot kinds of problems,” it will be a good fit, she says. “They need to understand cyber risk and ask good questions.”
5. Think outside the box
Today the demand for high-level cybersecurity experts far exceeds the supply. As a result, “everyone goes after the same people for their boards,” Daniels says. “It’s very challenging for a sitting executive to sit on more than one outside board.” Even retired professionals don’t have the bandwidth to participate on more than two or three boards, he adds. When searching for board candidates with cybersecurity expertise, think beyond the obvious candidates and look at public sector superstars, as well as those in the private sector, he says.
Moskites recommends communicating with colleagues about your search and asking for recommendations. She has personally referred seven cybersecurity pros to boards in the last 18 months. “There are people with incredibly strong technical backgrounds, and they can be tech wizards and billionaires, but that doesn’t necessarily mean that they’re a cybersecurity expert,” she says. “That’s becoming very apparent to us.”