“I’m a CISO and I’ve climbed the career ladder to the C-Suite, so where can I go from here?”
“I’d like to become a CISO and I have good business skills, but how do I get more experience working at board level?”
Though these questions come from two very different places, they share a common answer: becoming a non-executive director, or NED.
But what exactly is a NED? What does it involve? And why do security-minded leaders make excellent non-exec directors? Let’s investigate.
A non-executive director (sometimes shortened to NED or NXD) is an individual who sits on the board of directors to provide crucial input, experience, and knowledge, yet they aren’t part of the organisation’s executive management hierarchy or tied to a given department or business function.
The role of the non-exec director is to provide meaningful contributions to the board of directors, drawing on their own, often storied career’s worth of expertise. NEDs bring an external, independent perspective, providing non-partisan oversight and advice, and can also constructively query, and even challenge, executive directors for the good of the company. True lived expertise isn’t something that can be synthesised through training – it has to come genuinely from having truly “been there, done that, got the T-shirt.”
In the UK, non-executive directors undertake the same roles and responsibilities as directors under the Companies Act 2006.
NEDs are often brought on to balance the kinds of experience in a boardroom, yet non-exec directors aren’t limited to a set business function – it’s not like being a CISO or a CIO where you have a documented departmental “lane” to stay in. And with the world becoming increasingly digital, incorporating cybersecurity expertise into the board’s talent mix is going to be essential going forward.
And in my opinion, CISOs looking for their next challenge can make spectacularly valuable NEDs. I’ll explain why shortly – let’s explore the world of NEDs a bit closer first…
The role of a non-exec director isn’t linked to the organisation’s internal hierarchy, so being a NED is not a leadership or management role. They don’t manage teams or “get their hands dirty” with day-to-day operations; they are very hands-off individuals who are simply there to steer the board towards making the right decisions.
It can be a demanding role at times, but it is not a full-time commitment; a non-exec director may only be needed for a couple of days a month. However, NEDs might need to be effectively “on call” at short notice for advice, meetings, or in case of a business emergency (a prospect that current or former CISOs will be more than familiar with!). In many cases, this means you can have a full-time position at one company and be a NED at a different organisation – provided your full-time employer is OK with a little flexibility.
Though the role is largely one of being a knowledgeable party and “wise owl” in board meetings, that’s often not all that non-executive directors do. They may spend time outside of board meetings sharing expertise with specific directors; researching solutions to issues that the organisation is facing; signing off official documents like audits or accounts (as with other directors); and sometimes preparing for future board meetings.
Non-exec directors are often brought on to provide a specific type of expertise, whether it’s for their sharp business acumen, their innate knowledge of a given organisation type (e.g., non-profits or national infrastructure), or for their expertise in a given field such as finance, HR, compliance, information security, and so on.
NEDs can bring a lot of transferable knowledge into the boardroom. For example, a NED with a career’s worth of experience in manufacturing will likely be a fount of wisdom in advising a retailer in matters relating to supply chain management, logistics, dealing with regulators, and more.
Taking on a non-executive directorship is generally considered to be a middle-aged to older person’s game; something taken on by someone with 30-40 years’ industry experience who can bring that lived expertise to the boardroom table.
However, there are some instances where that age precedent can – and probably should – be challenged, but more about that shortly.
NEDs sometimes take a salary, though they often offer their expertise pro bono. The latter is especially common in startups and charities. If you’re taking your first, faltering steps into the world of non-executive directorship, and especially if you have a philanthropic streak, we’d advise taking a calculated move into becoming a pro bono non-exec director for a charity if the opportunity presents itself.
Even though NEDs often have experience in a given department or organisational structure, there is one thing that they all need, regardless of their expertise: an unwaveringly strategic business mindset.
Being a non-exec director is not a hands-on operational or leadership role; their brain power will only ever be called upon for highly strategic, director-level matters. Therefore, they will need an innate understanding of how things work at organisations like those whose boards they sit on; for example, a NED providing input on finance and operations at a local charity is likely to need very different experience to a NED providing input on finance and operations at a Tier 1 investment bank.
It also helps if the non-executive director has experience in the specific challenges that the organisation faces, especially if it is an issue that is new to some of the other directors. NEDs are there to balance out the skillset of the other executive and non-executive directors, after all.
Because NEDs often rose through the ranks in operational positions to where they are today, it can be helpful for them to formalise the business experience they have gained with a business qualification of some kind, with an MBA being the ideal.
Non-exec directors can be found in any organisation that has a board of directors; this can include for-profit businesses, non-profit organisations, and academic establishments where a carefully curated balance of high-level expertise is required.
Regardless of the kind of organisation they are working for, the role of the NED is largely the same: to contribute to the organisation in a strategic way by bringing expertise that complements and balances out the talents around the boardroom table.
Due to the levels of expertise (and career climbing) it takes to be an effective and valuable non-exec director, they are often middle-aged or older, with decades of experience under their belt. In fact, the average age of a NED in the UK is 59.9. Becoming a NED is a great way for those approaching retirement age (and older) to keep their valuable expertise around the boardroom table, continue to make a difference, and keep their grey matter engaged.
However, there is an argument to be made for bucking this trend when it comes to growing and emerging fields like cybersecurity and information security. IT security as we know it today is a relatively new prospect in business, and achieving good security continues to be a unique, moving target.
Therefore, it stands to reason that if a board is lacking in crucial cybersecurity insight, seeking a younger NED with relevant skills would be a shrewd move. The same goes for companies who rely on up-and-coming tech like AI, VR, and blockchain – all stand to gain from board members with passion, knowledge, and experience – regardless of their age.
As a specialist recruiter for cybersecurity leaders, we’ve identified a few reasons why CISOs (or indeed budding CISOs) make great NEDs.
One of the more direct benefits is that CISOs eat, sleep, and breathe risk. If a NED has had a successful stint as a CISO, chances are they are experienced at advising around different types of risk, can skilfully quantify risk, and can tie the impacts of risk to financial and reputational stakes. Essential skills for any board to have on tap.
An organisation’s cyber-risk landscape can vary wildly depending on what that organisation is or does. Therefore, non-exec directors with CISO experience in a given sector will have invaluable knowledge of the specific threats and risks that sector faces. It’s likely they can also comment on sector-specific regulatory bodies and help the organisation stay in the regulators’ good books!
Having a NED who is or has been a CISO can be a great selling point to investors, especially if that NED has documented experience in steering a company through something challenging like technological growth. It demonstrates that the organisation takes cybersecurity very seriously and that security endeavours are “led from the top”.
Becoming a non-exec director at a new or growing organisation can be a great opportunity for infosec leaders who are looking to become CISOs too. When you become a C-Suite anything, you will suddenly be presented with a very daunting prospect – dealing with the board. To the uninitiated, this can be a spine-chilling experience!
So what’s an embryonic CISO to do? There are plenty of ways to get experience in speaking with boards of directors, all of which are great for your CV. One way is to become a Deputy CISO, though this doesn’t necessarily come with an easy “undo” button if you don’t take to the high-pressure, hands-off nature of the CISO life.
That leaves another option: becoming a non-executive director in a less intense organisation alongside your existing role. This way, you’re able to gauge how well you cope with stressful board meetings, you’re building valuable board-level experience, and you get a flavour of the hands-off strategic business focus needed at C-Suite level.
Countless organisations are in dire need of information security expertise at board level. And as anyone in infosec can tell you – ignorance of cyber threats is a risk in and of itself!
85% of US CISOs recently reported that the board has increased their focus on information security and cybersecurity in the last 12 months, yet 55% feel that there is a marked lack of understanding on the board around the role that CISOs play, holding them back from articulating critical priorities. (Source: FTI Consulting)
We believe that before long, any company that has a C-Suite will need to have a CISO. And when it comes to NEDs, we would take this a step further: any organisation that has non-executive directors will soon need a cybersecurity-savvy NED.
Becoming a non-exec director is a very different role to your traditional management position, and can be quite the culture shock to those who aren’t prepared. When considering work as a NED, heed the following words of warning:
Don’t get sucked into granular questions like “what SIEM solution should we use?” or “should we hire candidate A or candidate B?” You are not there to make nitty-gritty operational decisions, you are there to help steer the board and the business at a far higher, strategic level.
Non-executive directors aren’t there to network or get involved in day-to-day business development. NEDs are there to give their own expertise to the board. At the end of the day your black book is your own, and blurring the boundaries, expectations, and responsibilities of your non-exec role could dilute the whole board’s ability to contribute.
If you are already working as a C-Suite exec elsewhere, do you really have the time, mental space, and physical energy to do justice to a non-exec role? Yes, being a non-exec director looks great on your CV, but if you can’t devote yourself to it properly then things could end badly.
If you are in full-time employment, you may also need to declare any external NED work to your employer and to the tax man. Also be aware that your employer may consider you a “flight risk” if you appear to be suddenly buddying up to another company!
When you state that something isn’t being done right (especially critical in fields like cybersecurity and compliance) then this may cause ructions with those in more operational leadership positions. Keeping a cool head and a diplomatic tone is often very much required!
We’re all aware that security can sometimes be treated as a cynical tick-box exercise in some organisations. Well, hiring a non-executive director with CISO experience can sadly sometimes be much the same; they’re simply hired to help the organisation put on a security-focused front to investors, but the board doesn’t necessarily heed the cyber-NED’s advice. Be vigilant.
The specifics and expectations of every non-exec directorship can differ wildly depending on the maturity of the business. For example, small startups may not be able to pay their NEDs at all, but helping them create a positive organisation may be incredibly rewarding. On the other hand, if you do want swift financial returns, you should probably focus your attention on larger, for-profit organisations.
Due to their experience with risk, their cool head in the boardroom, and their expertise in a growing field, we think the business world is going to start crying out for non-exec directors with CISO (and similar infosec) experience. Being a NED looks great on your CV, and can even be an opportunity for budding CISOs to get a taste for operating at board level.
So if you’re an infosec leader with the expertise, the business-forward mind, the time to spare, and the understanding employer who doesn’t mind a bit of moonlighting, we’d encourage you to become a NED if the desire is there. The world’s need for NEDs with cybersecurity experience is only going to grow!