Landing a Seat on a Corporate Board as a CISO: A Conversation with Joyce Brocaglia

By Editorial Team | March 11, 2020

Service on a board of directors is a natural career step for C-level executives, but many CISOs have challenges in landing their first board position. Nevertheless, the increasingly complex threat landscape and the spiraling costs of cyber-crime mean that many boards are actively seeking people with cybersecurity expertise to join their ranks. As a result, opportunities for CISOs to join boards may be more numerous than ever. But like any career move, securing a board position requires preparation and work.

Joyce Brocaglia is perhaps best known as the founder and CEO of Alta Associates, an executive search firm that specializes in cybersecurity and IT risk. She is also founder of the Executive Women’s Forum on Information Security, Risk Management, and Privacy, one of the world’s most prominent and influential women’s business organizations. And she recently launched a new executive education company called BoardSuited, which provides a self-directed curriculum that helps cybersecurity leaders to prepare and position themselves for a seat on a nonprofit, advisory, or corporate board of directors.

The initiative is off to an impressive start. Just a month after its launch, universities, associations, and other business organizations are already expressing significant interest in bringing BoardSuited to their members and clients through an affiliate program. The CISO Collective recently had a chance to speak with Joyce about this new offering and how CISOs can prepare to join a board.

Q: What prompted you to create a program like BoardSuited?

A: I have spent almost my entire 35-year career advising executives, building world-class organizations, and developing leaders. In recent years, I have been asked the same question over and over by EWF members and Alta clients alike: “Joyce, how do I get a seat on a board?” It makes sense that I am hearing that question from both groups, because we’re seeing a new surge of interest in diversifying boards, and companies are also beginning to recognize the value of having someone with cybersecurity knowledge as a board member.




When I looked around at the courses that were available, I found that most of them were for people who were already on boards, and covered some aspect of how to be a better director. These courses usually had barriers to entry as well: applicants had to be approved to take the course, or they had to be a member of a corporate board association. So, I wanted to eliminate all those barriers and create the kind of program that enables people to start earlier in their career so that they would have time to develop the skills and talents that are needed on a corporate board.

Q: Can you speak to the importance of cybersecurity expertise on boards?

A: Cybersecurity really has finally become what I would call a board-level imperative. Companies are now changing board compositions to include cybersecurity experts and others who are well-versed in information technology. The term “digital director” is becoming more common; this is a new kind of board member who provides support and oversight to the company's digital strategies and helps the company mitigate cyber risks. Many companies are also creating cybersecurity committees, which is a great place for cyber executives to start their board careers.

Q: Do CISOs have unique challenges in landing board positions?

A: Some CISOs think their subject matter expertise in cybersecurity alone is enough to make them effective corporate board directors. They need to understand that board service is about governance and not technical expertise. They also need to be capable of plainly articulating to the board how to connect the dots between technology, risk, and corporate strategies. And of course, when a cybersecurity crisis does occur, it’s their job to be the calming, confident, and educated voice in the room. Some of these skills are outside many CISOs’ comfort zones because they came up through technical roles, but they need to develop broad business acumen to serve on a board.

Q: Why did you go with a self-directed learning format?

A: The reason we created BoardSuited as a self-directed learning course rather than a short workshop or webinar is that we are delivering true executive education with a much more robust curriculum. There are nine learning modules that executives can truly customize based on their needs. The course gives them an opportunity to evaluate where they are today, then teaches them to develop and execute a plan to land their first board seat. A workshop or webinar might have one or two interesting takeaways, but most don’t really give executives a comprehensive understanding of what steps they personally need to take.

Q: You have an impressive, diverse roster of contributors. Talk about how you selected them and what contributions they made.

A: Our contributors are seated board members and board experts. They all did on-camera interviews speaking about their areas of specialty. So for example, when we talk about the nomination and governance committee, which is the committee that selects new board members, we have Aetna’s committee chair talking about his experience. We have an attorney who talks about legal liability. We have the managing director of an executive compensation company talking about how boards compensate their members. We have two CISOs who talk about their experiences both on boards and on cybersecurity subcommittees. So, we have put together a very strong curriculum that is built into a world-class learning platform, and the result is a fun, digestible, and engaging experience for participants.

Q: What are some of the topics covered?

A: The course begins with the basics: the different types of corporate, advisory, and nonprofit boards and how they're structured. Then it delves into the roles, responsibilities, and the legal liabilities of board members. Afterwards, the course takes learners on their own personal path to the boardroom: assessing and developing their network, writing their CV, creating their bio and even their pitch statement. We provide tools and assessments along the way to help participants evaluate their readiness on a variety of fronts. There are also examples, exercises, templates, assessments, and outside reading suggestions. By the time they're done, learners have really learned how best to prepare and position themselves for their first board seat.

Q: The course emphasizes the power of networking. How is networking for a board position different from other kinds of professional networking?

A: A network is so important because overwhelmingly personal recommendations are what lead to director opportunities. And for most CISOs, the network that got them their last job is most likely not going to get them their first board seat. If their network is other CIOs and CISOs, they need to broaden their network to include people seated on boards, venture capitalists, mergers and acquisition folks, bankers, and attorneys.

We have a networking assessment tool that is very detailed in terms of personal and professional networks, and it really helps learners to think outside of the box. And we have a lot of video footage of seated board members who talk about their personal journeys to their first board seats and the importance of their network in securing it.

Q: How important is it to target the type of board seat someone would be best suited for?

A: When we think about identifying the right board seats to target, it starts with introspection: what are my skills? What type of company would those skills be most valuable for? What am I particularly passionate about? On that latter question, one piece of advice that we give is to start with a nonprofit or advisory board. Those are often a great entrée into a corporate board seat in the future.

Q: Do you expect your chatrooms and other interactive features to foster a sense of community among your learners?

A: I think the chatrooms are useful for people to interact with each other about the challenges and successes they’re experiencing in their quest. We’re also developing a webinar series with our contributors featuring live Q&A so that people who are engaged in the course can actually pose their questions to some of the contributors as well.

Q: If you could give a CISO one piece of advice on how to secure a board position, what would it be?

A: I would say that you must prepare for the important things in life. Getting your first board seat is one of those crucial steps. A lot of people are really good at preparing for the beginning of their career, but they don’t put the same vigorous, proactive effort into the latter stages of their career. The sooner you start to prepare, the better equipped you’ll be. Knowledge is power, and preparation is the key to success.