How Boards Can Identify a CISO to Drive Business Enabled Innovation

Jason Henninger, managing director at Heller, explains the pressures facing boards – and the opportunities hiring the right CISO open for enterprises.

Corporate boards are increasingly looking for CISOs that not only bring top security skillsets but also can drive business and artificial intelligence (AI) innovation. In this interview for the Heller Report, Managing Director Jason Henninger outlines the key skillsets and expertise that boards seek when hiring a CISO, and how boards can position CISOs to grow the business.

Heller Report: How has the cybersecurity function changed within companies in recent years? How has that changed the CISO role?

Jason Henninger: With increasingly frequent and complex cyber breaches, and the need to comply with government regulations, security threats have become a board-level issue. These threats, coupled with new AI, have only expanded the role of the CISO and reinforced the need to find the right candidate to lead companies forward. Today’s boards who still treat cybersecurity as a siloed business function will quickly lose market share to those who lean on and incorporate their CISO into strategic decision-making.

AI, meanwhile, represents a great opportunity for inventing new ways of working using data – data that is subject to privacy rules and security considerations. Boards have a critical task to find the right CISO who can not only tackle day-to-day security functions but can also enable AI innovation while mitigating risk.

What are the top traits and experiences that boards most frequently look for in CISO candidates?

Boards are looking to hire CISOs who have previous internal CISO experience and technical cybersecurity expertise to enhance the internal security functions. They also want leaders who can communicate externally and effectively to CEOs, boards, and directly to customers. Additionally, a strong background in software engineering is one of the top skillsets sought by boards, particularly those with experience integrating and customizing vendor applications and SaaS platforms.

Interestingly, cybersecurity candidates with military backgrounds are also in high demand, as military experience tends to bring a strong external network for threat intelligence, which can bolster preventative cybersecurity programs.

How should companies view the expanding CISO function and assess their current needs?

Bring them inside the C-suite. Recently increased cyber threats mean increased liability for CISOs, and top candidates are looking for roles that give them a seat at the table and certain liability protections like directors and officers liability insurance.

Accountability without empowerment is the worst-case scenario for CISOs and can endanger the entire company. A cybersecurity function that operates independently from the executive team increase risk exposure to both CISOs and the overall business.

Then there’s the role itself. CEOs need to ask, beyond security, can the structure of the company’s CISO role truly drive the business forward? Does it allow for CISOs to build and establish networks – inside and outside the company – that not only mitigate vulnerabilities, but drive innovation through security enablement?

Recognizing this, more boards are creating a CISO role structure that brings board-level strategic responsibilities and protections. CEOs and boards must ensure that the CISO feels empowered when establishing frameworks and governance, which in turn enables company growth.