Home » Cybersecurity » CISO Suite » Do we need a cyber-NED on our board?

Do we need a cyber-NED on our board?

by Matt Palmer on October 13, 2020

Cyber skills are often absent in the boardroom. Photo by Drew Beamer on Unsplash

Few corporate boards feel adequately skilled for cyber security. It’s a complex and fast moving risk that has developed at a pace since many independent directors and NEDs were hands on executives. For executive directors, cyber is a challenging pain point that can be difficult to fully get your head around. It’s often an issue that leaves board members with a sense of discomfort.

Board members bring value through having ‘been there and done it’: no seminar can replicate that. Increasing the diversity of skills on a board is always a good idea, as long as new non-executive board members can learn to operate at a strategic level and stay ‘hands-off’ in a non-executive capacity. Board members also need to be able to contribute credibly on a range of topics, and understand the dynamics of a boardroom environment.

Recruiting a ‘cyber-NED’ — someone with hands on leadership experience in cyber security and technology risk management, who has managed this successfully and handled major incidents before — sounds like an attractive option. However this type of role can be very new to technology and cyber security leaders who may not have prior board experience. Having served as an NED on a number of boards, I’m aware that I am an exception to the rule. Your security leaders may need your help to build that perspective.

Don’t let that stop you though: more diversity on boards has been shown to enhance corporate performance, and board diversity is not just about gender or ethnicity — it’s about skills and age diversity too. And how will experts in cyber gain this level of exposure if not through being given the opportunity to do so?

Of course you can’t be a ‘cyber-NED’ any more than you can be a ‘marketing NED’ — you are a director and share responsibility for the performance of the company. That does mean a certain level of capability is required across wider disciplines, and a good ‘cyber-NED’ candidate has likely held senior business responsibility, handled financial performance of business units, and served in other roles leading operations or service delivery as well as risk and compliance. With both a cyber and finance background, I find I am asked to Chair or serve on audit committees and risk committees. Candidates with this experience are out there, but they may not be in your network so you may need to engage a board search firm to find them.

There are a number of services available today that have access to suitable qualified candidates, and running an open recruitment process for your next NED or independent director brings other benefits too. You are more likely to obtain wider skills or experience, obtain greater diversity of candidates, and benefit from a fresh perspective that can bring greater value to board discussions and decisions.

Cyber may be only one of a number of skills gaps for your board, and you may not find the ideal candidate right away. If you need to address the gap in other ways you could also consider setting up an advisory board to contribute missing skills, seeking an external coach with expertise in this area, or asking your CISO to lead a series of training seminars for the board. All are good places to start (and help bridge the gap between business and technical leadership, too).

At the very least, make sure your cyber leader has direct access to the board and is regularly asked to present at it. If there is a disconnect, take action to upskill the board to resolve it.

However you decide to address it, don’t leave it: every organisation needs a cyber and risk literate board.