How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal was to destabilize the U.S. through ideological activism, advancing Russian interests and furthering its political agenda. Their methods compromised the computer systems of candidates and political parties and used the exfiltrated data to spread disinformation and influence the presidential election.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report, “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrated on multiple fronts, ranging from spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

CISO’s Dilemma – Winning a Seat on the Board of Directors

At a prior company, I headed the internal audit department of the now-defunct Ben Franklin Retail Stores, reporting directly to the Chief Financial Officer (CFO) with dotted lines to the CEO and to the Audit Committee of the board. I had opportunities to present various audit findings: financial and operational ones and, to a lesser degree, those involving security. Back then, security, both informational and physical, was definitely not on the radar of the board members; all of them were zeroed in on quarterly financial results and operations. The company was publicly traded, with its IPO priced at $5 per share. The retail chain was founded in 1877 by the Butler Brothers, with its roots in Chicago, IL. At the time of its bankruptcy and liquidation, this 120-year-old retailer had a productive history of spawning great leaders in retailing.

Walmart founder Sam Walton purchased a franchised Ben Franklin store from the Butler Brothers organization when he first ventured into retailing in the mid-1940s. He was so successful with his innovative approach to negotiating deals with his suppliers that by 1962 he had built a chain of 15 stores, which led to what is now the largest retailer on the planet. Ironically, Walton was turned down by Ben Franklin's management when he proposed his concept of opening discount stores in small towns. He ended up breaking away and pursuing the idea on his own with the first of many Walmart stores.

Sam Walton did not achieve this by himself; from a logistics point of view, he had enormous help from his colleague Don Soderquist, the former CEO of Ben Franklin, who joined Walmart in 1980. Soderquist is credited as the force behind the massive growth of Walmart, carrying on the cultural values instilled by Sam Walton. Shown here is an interview in which Soderquist examines ethical downfalls in the corporate world and encourages retailers to transform their businesses by implementing an active set of values and ethical business practices. During the 1970s Ben Franklin introduced larger-concept (big-box) stores that included clothing and groceries; these were the Ben Franklin Family Centers and the B&C Family Center brand.

In the early 1980s Michael J. Dupey converted into craft stores several Ben Franklin store franchises inherited from his father James Dupey, who owned a chain of stores in the Dallas/Ft. Worth, Texas area. Michael Dupey originally conceived the craft superstore concept, later called MJDesigns, and the business was subsequently acquired by the Wyly brothers, who provided the financial backing for Michaels. Michaels is publicly traded and operates some 1,200 stores, the most in the arts and crafts retail industry.

In 1995 Ben Franklin Retail Stores purchased the V&S Variety Store business from True Value (Cotter & Co.). While I was there, the company had launched the unsuccessful craft store concept and proceeded to acquire Crafts Plus+, a chain of 45 stores in Texas. The failure of the craft store concept and the overwhelming V&S acquisition, in addition to heavy big-box competition, proved insurmountable.

John B. Menzer was the CEO I had the dotted-line reporting relationship with. He was a talented visionary who left Ben Franklin in 1995 to become CFO of Walmart and was later elevated to Vice Chairman. John went on to become the CEO of Michaels, spearheading its IPO efforts before retiring due to illness.

After Menzer left, Robert Kendig was appointed CEO of Ben Franklin Stores to oversee its closure; he was yet another remarkable, visionary retail executive I had the pleasure of working with until my departure.

At its peak, Ben Franklin Retail Stores had some 2,500 stores operating across the country as well as international locations; at its demise it managed 1,300.

The Focus: What it Takes to Gain a Seat on the Board

There are several CISOs I know who desire, and are determined, to join a board. Most if not all are duly qualified, but it takes more than mettle to join such a committee. From a security perspective, this talent is in dire demand, as businesses have changed exponentially from the traditional brick-and-mortar model to internet commerce, ushering in a whole new dynamic that has perplexed all industries.

Boards, in general, are conservative in nature and cliquish, or perhaps better described as a "club." Most of them select new members who possess proven skills, such as experience on other boards in the same industry. It is a herd mentality, as I see it from my previous experience with board dealings, and it is the leading cause of adversity towards innovation and change. This phenomenon can lead to the downfall of organizations, as I witnessed in the disarray at Ben Franklin Retail Stores. There are many other notable examples of this detrimental board timidity at companies such as AIG, Lehman Brothers and General Motors.

Gaining a seat on a board is a tough task, and if you are determined enough you must take inventory of your own capabilities. These are some of the attributes to be aware of if you want a shot at being considered for a board seat:
  1. Industry expertise - how well recognized is your work in the field of information security and, to a greater extent, in the industry vertical you are in? Examples include your leadership within governance, risk, and compliance (GRC) and how well you have interfaced with regulators in tightly regulated sectors such as finance and healthcare, especially if your focus is a board seat with an organization in that sector.
  2. Executive comparison with others - this is an area where you may need assistance from a mentor to candidly assess you as an executive and how you measure up against the others on the board. In essence, what makes you attractive, unique and in demand that others may not possess? Concentrate on the skills you truthfully excel at while leaving behind any that are of no value to a board. That uniqueness will fill a void within the board that none of the other members can, in particular information security prowess.
  3. Your character - next to executive comparison, this one is a doozy: it describes the kind of characteristics you must possess. It is who you are as a person, for example how well you judge others, such as the CEO's performance; so look to where you made a difference translating a vision into a strategy and successfully executing it. Other examples are your ability to earn trust and to collaborate effectively while influencing others. The single most essential characteristic is what is called "EQ" or emotional intelligence: having empathy, self-knowledge, and humility. EQ describes you as a human being rather than your overall skills, which are a given.
To win a board seat, a CISO must have visibility and broad exposure, through speaking engagements or writing publications that contribute to the industry. There are search firms that recruit new board members exclusively; other boards enlist the help of existing board members, and candidates are invited to interview for open seats. Yet the most significant marketing ally comes from knowing and working with the CEO; many times he or she will nominate individuals for board seats.

A CISO on the Board: the De Facto Requirement

More and more boards are asking serious questions with regard to cybersecurity and privacy. In many respects it is still too slow in coming, and it is worth asking why boards have not brought a CISO to the table. The primary cause is their reluctance to understand that information security is not an information technology issue alone. Information security permeates an entire organization, and breaches do not have to be related to technology.
Reactionary, and driven for the most part by the large-scale breaches that have occurred and continue to occur on a daily basis, governments around the world have now mandated enforcement of regulations across all industries. On June 10, 2014, SEC Commissioner Luis Aguilar stated the following:
“Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks.” He also issued a clear warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”
It is clear that government regulators have taken a stance requiring all organizations to have a sound security and privacy framework that is an integral part of their corporate governance. It is therefore of paramount importance that boards across all industries have a security expert on the board to guide them in these matters. The SEC is investigating and enforcing against many of the breaches that have occurred, with the assistance of law enforcement agencies such as the FBI. Other countries around the world have also used their regulatory powers to enforce appropriate security and privacy practices. It is clear that government regulators will hold the Board of Directors accountable and liable for not discharging their duty to prevent harm to the corporation. Individual directors themselves can be subject to derivative shareholder lawsuits and class-action suits from the company's banks, business partners, vendors, customers and their own employees.

How a CISO can Influence the Board

It is true that CISOs are now asked to present regular updates on their security posture to their respective boards, articulating the severity of breach incidents and what responses are in motion across the organization. For those not accustomed to it, presenting to the board can prove difficult: one wants to impart all the necessary information without wasting anyone's time. On top of the business reasons for understanding how best to present data, this experience is also crucial for the CISO on a personal level, as it can define how the board views them; recall the "EQ" or character disposition discussed previously.

Few CISOs have the acumen and the executive presence necessary to articulate in business terms the impact an incident has on the organization and the steps taken to mitigate such events. Many members of the board are not technocrats, let alone have an understanding of GRC. The average board has about nine members but can be as large as 30, so it is imperative that the CISO get to know and understand the audience in order to deliver a solid presentation that speaks volumes. It often helps to discuss the "weeds" of your presentation offline with individual members; many members would relish knowing more, and that is a great way to influence the board on an individual basis. During a board meeting there is a strict agenda and time limitations, as there are other presentations besides your own.

One of the most useful presentation tools is risk metrics, as most board members in a formal session do not want to be inundated with security and privacy frameworks. They want to see the big picture and assess the impact on the organization as a whole. Board members want to look at what can be quantified, with the most relevant data they can quickly grasp and understand. Using benchmarks for the past, present and future allows the audience to clearly see how the situation has changed, the progress made, and the effort still necessary to achieve a benchmark goal.

Individual board members may also want to see a comparison of how other companies in their industry stack up against them. Are they leaders in their security posture, in the middle of the pack, or laggards? Indeed, this is how they will judge your performance as a CISO, and you need to articulate the answers carefully, especially if resources are lacking and you need their help to enhance security and privacy. A CISO should also work with the Audit Committee, delivering metrics on governance and compliance matters; board members often want to know whether the company is in compliance with regulatory mandates as well as corporate governance practices, and what remediation steps are being taken to address the most significant non-compliance issues.
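As an added illustration of the past/present/future benchmarking and the peer comparison described above (example code written for this page, not from the original article or any vendor tool), the following Python computes the three figures a board slide typically carries per metric: the quarter-over-quarter trend, whether the current trajectory reaches the target by its due date (the green/amber/red status), and where the latest reading sits against a peer median. All metric names, readings, targets and peer medians are constructed and hypothetical.

```python
"""Board-level rollup of security metrics: trend, target trajectory, peer position.

Added example; the metric names, readings, targets and peer medians below are
constructed for illustration, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Metric:
    name: str
    unit: str
    lower_is_better: bool
    history: List[float]        # one reading per quarter, oldest -> newest
    target: float
    quarters_to_target: int     # quarters remaining until the target is due
    peer_median: Optional[float] = None


def _at_least_as_good(a: float, b: float, lower_is_better: bool) -> bool:
    """True if reading a is at least as good as reading b for this metric's direction."""
    return a <= b if lower_is_better else a >= b


def slope_per_quarter(m: Metric) -> float:
    """Average quarter-over-quarter change across the recorded history."""
    if len(m.history) < 2:
        return 0.0
    deltas = [later - earlier for earlier, later in zip(m.history, m.history[1:])]
    return sum(deltas) / len(deltas)


def projected_at_due_date(m: Metric) -> float:
    """Linear extrapolation of the latest reading to the quarter the target is due."""
    return m.history[-1] + slope_per_quarter(m) * m.quarters_to_target


def rag_status(m: Metric) -> str:
    """green: target already met; amber: current trend reaches it on time; red: it does not.

    The comparison is direction-aware, so a falling phishing click rate and a
    rising EDR coverage figure are both treated as 'improving'.
    """
    if _at_least_as_good(m.history[-1], m.target, m.lower_is_better):
        return "green"
    if _at_least_as_good(projected_at_due_date(m), m.target, m.lower_is_better):
        return "amber"
    return "red"


def peer_position(m: Metric, band: float = 0.10) -> str:
    """leader / pack / laggard versus the peer median; within +/-band counts as 'pack'."""
    if m.peer_median is None or m.peer_median == 0:
        return "n/a"
    gap = (m.history[-1] - m.peer_median) / abs(m.peer_median)
    if m.lower_is_better:
        gap = -gap              # normalise so a positive gap always means better than peers
    if gap > band:
        return "leader"
    if gap < -band:
        return "laggard"
    return "pack"


def board_rows(metrics: List[Metric]) -> List[Dict[str, object]]:
    """One row per metric with what a board slide needs: previous, current, target, projection."""
    rows = []
    for m in metrics:
        rows.append({
            "metric": m.name,
            "unit": m.unit,
            "previous": m.history[-2] if len(m.history) > 1 else None,
            "current": m.history[-1],
            "target": m.target,
            "projected": round(projected_at_due_date(m), 1),
            "status": rag_status(m),
            "peers": peer_position(m),
        })
    return rows


def render(rows: List[Dict[str, object]]) -> str:
    """Fixed-width text table, suitable for a pre-read or speaker notes."""
    cols = ["metric", "unit", "previous", "current", "target", "projected", "status", "peers"]
    widths = {c: max(len(c), *(len(str(r[c])) for r in rows)) for c in cols}

    def line(r: Dict[str, object]) -> str:
        return "  ".join(str(r[c]).ljust(widths[c]) for c in cols)

    header = line({c: c for c in cols})
    return "\n".join([header, "-" * len(header)] + [line(r) for r in rows])


# Constructed sample data (hypothetical, for illustration only).
SAMPLE_METRICS = [
    Metric("Critical patch SLA breaches", "count", True, [14, 11, 9], 5, 2, peer_median=8),
    Metric("Endpoints with EDR", "%", False, [71, 84, 93], 95, 1, peer_median=90),
    Metric("Phishing simulation click rate", "%", True, [12.0, 13.5, 14.2], 8, 2, peer_median=10),
    Metric("Privileged accounts with MFA", "%", False, [97, 100, 100], 100, 0, peer_median=95),
]

if __name__ == "__main__":
    print(render(board_rows(SAMPLE_METRICS)))
```

Two design points matter more than the arithmetic. First, the direction of each metric is explicit: a breach count and a coverage percentage improve in opposite directions, so every comparison is normalised per metric rather than assumed. Second, amber means "not yet at target but on trend to get there," which is exactly the distinction between progress made and effort still required that the page says boards want to see; the linear extrapolation is a deliberately simple model and should be replaced by whatever forecast the security program actually commits to.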
Some of the key questions CISOs face from board members are:
  1. What routine and ad hoc updates about security and privacy risks does the board need in order to understand their impact?
  2. What is being done, and what can be done, to stay current and ahead of the curve in protecting the organization from cyberthreat risks?
  3. What can the board do to enhance the organization's security posture, and in what aspects can it become involved?
CISOs must be well prepared before presenting to the board and be able to address sometimes tricky questions from board members. For the most part the questions will surround the presentation itself or a previous presentation; try to keep the board's questions in scope, confined to the material actually presented. Other questions can be discussed offline with individual board members after the meeting.

The road to acquiring a board seat is a difficult one. It is not for the weak-minded, as it carries enormous responsibilities; the board members are the tip of the sword of an organization and define its destiny. For this reason, membership on boards is a very selective process, as much is at stake affecting the livelihood of the organization.

CISOs are a necessity on the board, but they should be well-groomed executives to serve in that capacity. They must have vision, business acumen, strategic thinking and the proven wherewithal to execute, along with the impeccable people and influencing skills that go hand-in-hand with the character of the individual.