Boardrooms without CISOs Are Risking More Than They Know
Digital technology is now deeply connected to every part of modern business. Because everything is so connected, cyber threats are a big worry that can really hurt businesses: stopping them from working, damaging trust, and costing a lot of money.
This big change in the world of risk is changing who sits on company boards. The traditional pillars of finance, law, and manufacturing, while still vital, are now being augmented by a critical new perspective: cybersecurity expertise. As George Kurtz, the CEO and Founder of CrowdStrike, highlighted during his RSA 2025 speech, the future will see either a CISO (Chief Information Security Officer) occupying a seat at the highest table or their absence keenly felt in the aftermath of a digital crisis.
Kurtz astutely points out the historical evolution of boardroom representation. Just as regulatory pressures and the increasing complexity of financial markets necessitated the inclusion of Chief Financial Officers (CFOs) to provide crucial financial acumen, so too are the escalating threats in the cyber domain demanding the presence of CISOs.
Understanding the complex details of cyber threats, the fine points of data rules, and how to bounce back from attacks is why we need someone on the board who can explain cybersecurity in a way that makes sense for the business.
The data paints a stark picture. There’s a real disconnect between the widespread acknowledgement of cyber risks by boards and the actual number of cybersecurity experts sitting amongst them. While a considerable majority of boards recognize the urgent need for this knowledge, the reality is that only a fraction, somewhere between a meager 12% and a still-low 29% depending on the study, currently possess it. You can’t help but wonder why this gap exists.
Several factors likely contribute: a potential shortage of CISOs with the broad business acumen required for board-level discussions, perhaps some lingering outdated governance models that haven’t fully caught up with the digital age, or even just a lack of understanding among traditional board members about the strategic importance of a dedicated cybersecurity voice.
This significant disparity represents a critical vulnerability, leaving organizations potentially ill-equipped to truly understand, assess, and mitigate the ever-evolving threats that could jeopardize their very existence.
Consider, for a moment, a hypothetical scenario:
Imagine a mid-sized manufacturing company, digitally connected across its supply chain. Without a cybersecurity expert on its board, discussions around a potential ransomware attack might focus solely on the immediate financial cost of the ransom. The board might miss the bigger picture: the potential for long-term operational paralysis, the erosion of trust with key suppliers and customers, and the lasting damage to their reputation.
Now, picture a similar company with a CISO on the board. This individual could articulate the broader risks, advocate for proactive security measures, and guide the board in developing a robust incident response plan. The presence of that expertise could be the difference between a contained incident and a business-crippling catastrophe. Conversely, we’ve seen instances where a board’s proactive engagement with a CISO led to the early detection and mitigation of a sophisticated attack, saving the company millions and preserving its market standing.
Of course, the path for CISOs to the boardroom isn’t always smooth sailing. They might face resistance from more traditional board members who view cybersecurity as a purely technical issue best left to the IT department. There can also be confusion about the CISO’s role at the board level – is it simply to report on threats, or to actively contribute to strategic decision-making? Overcoming these hurdles requires CISOs to not only possess the right skills but also to be effective communicators and relationship builders.
Ultimately, the inclusion of CISOs in the boardroom isn’t just about career growth for security folks; it’s a smart move for the long-term health of businesses and their ability to bounce back. In a time where everything is connected digitally and cyber threats are constant, having a cyber expert’s voice is no longer just a tech need – it’s absolutely crucial for making good decisions and running a company well.
The time for CISOs to step up, navigate the challenges, and claim their rightful place at the table has arrived, leading to a new way of running things with cyber awareness at the top.
Landing a Board Seat: A CISO’s Practical Guide
So you’re a CISO aiming for a board seat? That’s a fantastic goal! It’s not just about being good at security; it’s about showing you understand the business of security. Think of it like this: boards are made up of people who see the big picture, the financial implications, the overall strategy. You need to speak their language.
- Talk Like a Business Person, Not Just a Techie: This is huge. When you’re talking to the executive team or the current board (if you get the chance), don’t dive deep into the technical weeds. Instead, frame cybersecurity risks and solutions in terms of dollars and cents, potential business impact (like losing customers or facing lawsuits), and how security enables the company’s goals (like building trust or allowing for new digital products). Think “how does this affect the bottom line?” or “what’s the risk to our reputation?”
- Get Your Business Chops Up: Boards care about strategy, finance, and governance. If your background is purely technical, make a conscious effort to learn more about these areas. Maybe take some business courses, read up on financial statements, or even try to get involved in projects outside of pure security that have a business focus. Understanding how the whole company works makes you a much more valuable candidate.
- Build Your Network (Think Beyond Security Conferences): Don’t just hang out with other security folks (though that’s important too!). Start building relationships with people who are already in the circles you want to be in – other executives, board members (even if it’s just informational interviews at first), and people in industries you’re interested in. Go to broader industry events, join relevant associations, and be genuinely interested in what they do.
- Make Your Achievements Board-Worthy: Instead of just saying “we implemented MFA,” talk about how that reduced the risk of account takeover by X percent, potentially saving the company Y dollars in avoided losses. Quantify your successes in business terms. When you talk about incidents, focus not just on how you fixed it, but on what the potential damage could have been and how your team’s actions mitigated that.
- Position Yourself as a Strategic Thinker: Boards aren’t looking for someone to just tell them what’s broken. They want someone who can think strategically about the future of cyber risk, understand how it aligns with the company’s overall strategy, and contribute to those high-level discussions. Show that you’re not just reactive, but proactive and forward-thinking.
- Consider Board Training: There are specific programs designed to help executives understand the responsibilities and dynamics of board service. Going through one of these shows you’re serious and helps you understand what’s expected.
- Look for the Right Opportunity (and Be Patient): Not every company is ready for a CISO on the board right now. Look for companies where cybersecurity is clearly a major risk or a strategic differentiator. Smaller, digitally-native companies might be more open to this than older, more traditional ones initially. And sometimes, it just takes time for the right opportunity to arise.
- Don’t Be Afraid to Put Yourself Out There: Once you feel you have the right skills and experience, make your aspirations known (appropriately, of course). Talk to your CEO and other senior leaders about your goals. Let them know you’re interested and why you think your perspective would be valuable.

