It wasn’t too long ago that company hackers were an occasional nuisance to be dealt with by ‘what’s-their-name’ in IT. Today, however, a cyber war worth billions rages on 24/7, and the SEC has taken note—proposing new cybersecurity regulations to match. All of a sudden ‘what’s-their-name’—aka the Chief Information Security Officer (CISO)—may have the full attention of the board.

Or do they? Reportedly, a mere 1.4% of companies have a current or former CISO on their boards. And yet the SEC proposal will require private firms to publicly disclose cyber incidents within four business days and share the organization's protocols for responding. The regulation, which was proposed last year, would also mandate a yearly report on boards' cybersecurity know-how.

One survey finds that only three-in-ten directors have high confidence in their board’s ability to oversee a cyber crisis, making CISOs seem like an ideal solution. But experts say there’s a growing tug-of-war over whether they’re truly a good fit for the boardroom. “A CISO can prevent bad things from happening, but then again, there’s only so many board seats,” says Sue Ribot, Korn Ferry Senior Client Partner and Global Cybersecurity Practice Leader.


Indeed, the average board size of S&P 500 companies is reportedly eleven people. Our experts say that while CISOs are invaluable in their function, the primarily technical nature of their work may mean they lack the wider business perspective required of a board member. That is not entirely the CISO's fault, given the demands of the role. A recent survey found that over half of information security professionals feel burned out, and our experts point to the need for constant threat vigilance as a possible factor. “CISOs may have too much on their plate to think about a company’s overall growth,” says Max Kershner, Korn Ferry’s North America Cybersecurity Leader.

Our experts say organizations should do more to cultivate CISOs into future business leaders, or risk losing them altogether. One-in-four security leaders are reportedly projected to leave the security industry by 2025, and some experts posit that one cause could be a lack of professional advancement opportunities. More CISOs want to report directly to the CEO, and with good reason: a reported eight-in-ten tech security leaders who report to the CEO say they can more easily get the funding they need for security initiatives.

"Think about it: from a boardroom perspective, after a major data breach, if it's suddenly discovered that your CISO is a fairly minor player within the organization, that’s not a good look from a litigation standpoint," says Benjamin Frost, a Senior Client Partner in Korn Ferry's Products business. “We’re potentially a couple of fines away from quite a radical rethink on this,” he adds.

Our experts say one key way CISOs can improve their standing within a company is to develop their ability to articulate technical principles in language that boards can digest. Our data shows that 91% of CEOs say they know tech and AI are important for the future of their company, but only 17% say they understand them. Expanding the breadth of topics that CISOs can contribute to may also be a necessity, says Anthony Goodman, Korn Ferry Senior Client Partner and leader of its North American Board Effectiveness practice. Quoting another business leader, he adds, “If you have a board full of one-trick ponies, you end up with a circus.”
