
Research Shows Only 14% of CISOs Possess Traits Required for Cyber Expert Board Positions as SEC Rule Changes Approach

A recent study conducted by IANS Research, Artico Search, and The CAP Group has shown that cybersecurity expertise is lacking among board directors in the US. The study, titled “CISO as Board Directors – CISO Board Readiness Analysis,” evaluated the qualifications of Chief Information Security Officers (CISOs) across the Russell 1000 Index (R1000), the top 1000 US public companies by market capitalization, against five key traits of credible candidates for cyber expert board positions. The results revealed that only 14% of R1000 CISOs are potential board director candidates.

This finding comes as the Securities and Exchange Commission (SEC) is expected to issue new rules that will require public companies to formally disclose the cybersecurity expertise of their board members. However, the research conducted by The CAP Group shows that 90% of Russell 3000 companies lack a single board director with cybersecurity expertise, highlighting the significant gap in the supply of cyber experts.

According to Phil Gardner, CEO of IANS Research, given the proposed SEC rule changes, board directors are now expected to identify candidates possessing cybersecurity expertise to fill the gap. But only a few CISOs are strong candidates for board directorships. To address this issue, IANS Research partnered with Artico Search and The CAP Group to provide insights and recommendations to both boards and CISOs to close the cyber expert supply-side gap.

The CISO Board Readiness report identifies five overarching traits of credible cyber directorship candidates, including infosec tenure, cross-functional expertise, the ability to scale, advanced education, and diversity. To identify the essential board traits of a cyber director, the research team examined the profiles of CISOs who currently hold corporate directorships.

Brian Walker, CEO and cyber board advisor at The CAP Group, reiterated that technology and cybersecurity expertise alone are insufficient for board directorships. Board directors operate at a strategic level, and in most boards, there is no room for ‘one-trick ponies’ since adding a new director for every complex domain of expertise isn’t scalable.

The report also revealed other key findings: approximately 6% of R1000 CISOs have firsthand corporate board director experience, while another 14% represent a strong candidate pool for board service. In all, roughly half of R1000 CISOs might be viable candidates for joining boards. This is an opportunity for companies to add diversity and cyber expertise in a single candidate, with half of the viable CISO candidates being female or from underrepresented groups.

Additionally, Steve Martano, a partner and executive recruiter in Artico Search’s cyber practice, suggested that the transition from executive leadership to board directorship is profound, and many struggle to adapt. Both boards and CISOs would benefit from aligning on expectations for a board-ready cyber expert.

The data used for the research was sourced from publicly available sources, including data from LinkedIn, executive bios, speaking bios, press releases, and interviews. The research team cross-referenced the data against self-reported information from IANS’ and Artico’s annual CISO Compensation and Budget study and verified and supplemented it with firsthand knowledge of the representative sample. The study resulted in a comprehensive analysis of the board readiness of CISOs across the R1000.

Artico Search, founded in 2021, is a team of executive recruiters that focuses on a “grow and protect” model, recruiting senior go-to-market and security executives in growth venture, private equity, and public companies. IANS Research provides experience-based security insights for CISOs and their teams, supporting client decisions and executive communications with Ask-an-Expert inquiries, a peer community, deployment-focused reports, tools and templates, and consulting. The CAP Group advises board directors and officers seeking pragmatic advice on cyber-risk matters. Founded in 2017 and based in Dallas, the firm supports clients ranging from global Fortune 500 to regional G2000. The firm brings decades of practical experience in the management of cyber-risk and understands the unique needs of both the board and executive leaders. The CAP Group’s advice focuses on ensuring transparency and collaboration between the board and the executive team, providing the insights required for effective shareholder risk management.
