Like most good planners, Jasper Ossentjuk is beginning to ponder how he’ll transition into retirement – even though it’s more than a dozen years away. “When I’m 60, do I still want to be coming into the office Monday through Friday from 9 to 5 and taking the pager home?” he wonders. In his current role as senior vice president and CISO of TransUnion, and with almost a decade of similar roles under his belt, Ossentjuk has certainly cultivated cybersecurity skills and expertise. He hopes to share his knowledge on a board of directors or on an advisory role.
There’s just one thing standing in Ossentjuk's way. He needs to get on the radar of those key executives who are often asked to recommend someone for those rare and highly sought-after seats. So far “nobody is coming forward and saying, ‘here is the manual on how this works,’” he says.
Scott Goldman is also looking to get noticed by a board. He is CEO and co-founder of TextPower, which provides secure text messaging for mission-critical applications, and he holds patents in identity access management and two-factor authentication. Goldman already sits on the board of copper products maker Mueller Industries, but he’s looking to expand his board presence. “For people seeking board positions, it’s all about networking and raising awareness,” he says.
So how do real cybersecurity pros like these get on the radar of board decision-makers?
“It’s kind of a wild west environment,” since board-level cybersecurity searches began popping up in the last two years, says Stephen Spagnuolo, managing director at ZRG Partners, a cybersecurity talent acquisition and advisory firm. “There’s no one right answer. It ranges from knocking on the door directly, to networking your way internally through the organization, to identifying a couple of headhunters or other leaders who can make a targeted introduction.”
These experts agree that to nab a highly coveted board seat, you first have to actually be a board-worthy cybersecurity professional, and then you need to know where to look.
Board-worthy = technical expertise + business acumen + ‘gravitas’
Many cybersecurity pros, sensing a hot trend, think they’re board material, but “not many of them are qualified,” says Matt Comyns, co-global cybersecurity practice leader at executive search firm Russell Reynolds Associates. The firm has identified four common backgrounds for cybersecurity board members, based on the board selections that publicly traded companies have already made.
Many successful candidates were CISOs or CSOs with a cyber or IT background and a deep understanding of cybersecurity issues from a more technical point of view, he says. Another popular candidate pool came out of government where they held cyber positions in the military or intelligence community.
Candidates from the consulting or legal world who focused on cybersecurity were also successful in getting board positions, Comyns says. CEOs of cybersecurity companies who have moved on from those roles after acquisitions or IPOs have also become very interesting to boards, he adds.
“These candidates also shared a strong business acumen that adds value to the board beyond the cyber topic. That’s always the tricky part,” Comyns says. “Finding a true, deep cyber-level expert and somebody who is a broad business leader and can communicate at that level with the board on other topics beside cybersecurity – that would always be first choice.”
[ ALSO ON CSO: How to attract a board-level cybersecurity expert ]
And then there’s that certain je ne sais quoi – “the gravitas, the seasoning and the interpersonal skills” that boards want, says Tom Daniels, lead director of the board services practice at executive recruitment firm Spencer Stuart. “There’s a finite number of people who have that” skill set.
Know who’s looking
Those who still think they’ve got what it takes to be on the board need to look at industries with the greatest need, Comyns says. “The experience needed really depends on the makeup of the existing board – where they need to add complimentary skills and backgrounds.”
Energy companies and those industries deemed critical infrastructure have been highly focused on cybersecurity, and some have been adding cyber experts to their boards. “The industry has not had well-established or mature information security programs – so that in-house expertise is lacking,” Comyns says. “They have tended to lean toward more technical or CISO-type backgrounds” for board experts.
Other industries that are behind the cyber curve, like industrial manufacturing and some healthcare segments, may opt for a deeper, cyber and technical expertise to really help vet whether they have the proper solutions and if they’re benchmarking appropriately, he adds.
Early movers into cybersecurity, such as financial services, technology and telecom industries, may already have deeper expertise in cybersecurity in-house – so rather than a technical expert on the board, they might need a consulting, legal or government background that will expand on their in-house expertise.
Get on their radar
Board hopefuls should also make themselves visible to connectors, like recruiting firms and board influencers.
Suzanne Vautrinot, a retired major general in the U.S. Air Force who sits on the boards of Wells Fargo, Parsons Corp., Ecolab, Symantec and Battelle Memorial Institute, often fields calls from executive search firms and fellow board members asking for references for board-worthy cybersecurity experts. She knows plenty of well-qualified people who are “just not well known by boards or executive search firms.” She considers herself a connector in these cases. “You just have to help them meet each other,” she adds.
Several recruiting firms also have board practices that focus on cybersecurity talent, including Russell Reynolds, Spencer Stuart and Korn Ferry – to name a few.
Public speaking and publishing articles or blogs on the web also puts prospective cyber board members on the radar. Goldman regularly writes online columns on cybersecurity issues. He also hosts and moderates a cybersecurity forum on the website Boardprospects.com. Ossentjuk speaks at CISO executive summits four to five times a year.
Round out your resume
If your resume looks a tad light on business skills and capabilities – would an executive MBA improve your chances? “Probably,” Comyns says, “not that an MBA alone would qualify you – but that helps make your resume stand out.”
The same goes for a CISSP certifications. It may set you apart, but it’s not always required, Spagnuolo says.
Cyber pros could also look to cybersecurity startups to gain board experience, Comyns says. “It might be a little easier to get on to than a Fortune 500 board,” he says. “That would give you board experience and make you look like you’re on the cutting edge of new developments and new technologies.”
CISOs should also emphasize their experience with their own company’s board. Articulate on your resume and in interviews how often you talk to your board or an audit committee, how many times a year, and what you cover, he adds.
No board experience necessary?
One bright spot for board-level cybersecurity hopefuls – first-time directors are at an all-time high. While previous board experience was once a prerequisite for many boards, the novelty of cybersecurity and other technical expertise has allowed younger candidates to make the cut. Of the 376 new directors added to S&P boards in 2015, 26 percent were serving on a board for the first time, Daniels says. “The year before it was at 39 percent -- way higher than it has been in the last 30 years.”
This story, "How cyber security pros transition to board level decision makers" was originally published by CSO.