Security Experts:

Why Companies Need CISOs and CIOs as Board Members

Diversity Not Only Includes Gender and Racial Diversity, But Also Diversity of Thought

We’ve all heard the phrase “every company is a technology company.” Today, that’s truer than ever. As companies started to realize the business value digital transformation unlocks in terms of operations efficiency, performance, and quality of services, they began opening new connectivity vectors to enterprise infrastructure and collecting data from machinery and processes and storing and analyzing it in the cloud. Others have progressed even further with devices on the edge or robots in warehouses and on factory floors that monitor, manage, and execute processes leveraging the power of machine learning and artificial intelligence. 

Digital transformation has been good for business and is here to stay. The COVID crisis has underscored this reality by accelerating transformation and introducing change to everything – from how we communicate and collaborate to how our infrastructure is organized – resulting in huge shifts in business and operating models. It’s why we’ve seen Zoom soar to a $129 billion market cap, and the CEO of Microsoft stating that they’ve seen two years’ worth of digital transformation in two months. 

Obviously, the biggest changes and opportunities are for the infrastructure companies themselves. But even companies in sectors like manufacturing that had begun to embrace digital transformation initiatives around the cloud, SaaS applications, and secure remote access, were able to pivot faster for competitive advantage. They had already started thinking about cybersecurity as an enabling factor in an expanding and open environment, where IT and operational technology (OT) network convergence is inevitable. Guided by strong technology leaders, IT and OT teams have been able to support dramatic changes to the workplace – sometimes overnight – with data and processes secured. 

As digital transformation and cybersecurity become pillars that successful companies will build their futures on, the time has come to include CISOs and CIOs on company boards. It’s no secret that diversity is a hot topic these days. However, diversity not only includes gender and racial diversity, but also diversity of thought. Technology expertise is especially lacking at the board level. In fact, a new report (PDF) finds that in 2019, approximately 70% of new independent directors came from CEO, operating or senior finance experience, with no mention of technology experience representation. As the discussion on risk and security is heightened and becomes more complex, organizations must look towards a future that includes technology experts on their boards. 

The value CISOs and CIOs bring to the table

Depending on how far companies were on their digital transformation journey prior to the pandemic, they either saw the benefits or experienced the pain of transitioning to a remote work model. Now that the initial rush to support a shift to a more distributed model is behind us, companies have an opportunity to do two things: 1) pause and consider what work still needs to be done to further resiliency, and 2) plan how to move further along their digital transformation journey securely, to continue to drive competitive advantage and emerge stronger from the global pandemic.

Risk is an essential part of any executive decision. But as enterprises adapt to their current state and initiate new digital transformation projects, many are finding that accurately identifying risk – much less reducing it – is exceedingly complex, particularly in industrial environments. Boards need to include CISOs and CIOs at the helm of their leadership who can provide advice on moving forward with digital change initiatives and help companies prepare for the future. As board members, CISOs and CIOs can explain how changes to the infrastructure can increase growth and reduce risk, as well explain the organization’s risk posture, including exposure from new initiatives and the relative impact of potential breach scenarios, and what can be done to mitigate risk. They can also elevate the conversation to ensure understanding, more informed decision-making, and total business alignment, which is especially crucial during a crisis when companies need to move even faster.

When boards lack the CISO and CIO perspective, various scenarios can play out. In some cases, we see complacency where some boards feel they’ve done enough. The immediate urgency has passed, and they plan to continue with the status quo until life “returns to normal.” In other cases, boards have been stymied from making important strategic decisions because they lack the background to understand the full extent of opportunities for digital transformation. They gained an appreciation for what is possible over the last six months and saw the positive impact on the bottom line, but don’t know how to move forward.

These situations are problematic for several reasons. I’ll just name a few:

1. In the rush to support productivity and keep the business moving, most teams didn’t have the luxury to account for failure. It’s time to focus on maximizing resiliency. 

2. No one knows what “normal” will look like. What we do know is that disruptions are inevitable and successful companies will be those that remain agile. 

3. All critical infrastructure sectors are facing heightened threats as adversaries take advantage of an expanding attack surface and legacy devices, never designed for internet connectivity, now being connected. There’s urgent work to be done to reduce exposure. 

4. Boards likely would have embraced digital transformation sooner had they had the benefit of the expertise, experience, and insights that CIOs and CISOs can provide. Companies can ill afford to put digital initiatives on the backburner any longer. They must start rethinking infrastructure and security.

A lack of technology experts on corporate boards is exposing companies to unnecessary business risk and slowing down progress. Now is the time to strengthen resiliency, plan for additional digital initiatives, and begin executing on them. The global pandemic will have lasting effects on how we work and live. We need to make lasting changes to the makeup of boards so we can weather this crisis and future disruptions with better business outcomes and mitigated risk.

Learn More at SecurityWeek's ICS Cyber Security Conference

view counter
Galina Antova is the Co-founder and Chief Business Development Officer at Claroty. Prior to that, she was the Global Head of Industrial Security Services at Siemens, overseeing development of its services that protect industrial customers against cyber-attacks. She was also responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services for industrial control systems operators. Previously, Ms. Antova was with IBM Canada, with roles in the Provisioning and Cloud Solutions business. She holds a BS in Computer Science from York University in Toronto, and an MBA from the International Institute of Management and Development (IMD) in Lausanne, Switzerland.