Why military minds should fill cybersecurity seats on corporate boards

A cybersecurity expert with the US Navy believes military personnel understand operational risk and should be appointed to corporate boards.


More and more companies are filling board seats with cybersecurity experts. TechRepublic's Karen Roby talks with a security expert with the US Navy who says military personnel are a natural fit for the boardroom. The following is an edited transcript of their interview.

Karen Roby: Why do you think it's so important for companies to have cybersecurity experts sit in the boardroom?

Travis Howard: First of all, these are my views and opinions, not the Navy's or the government's, but the bottom line is the reason why more need to take this seriously is data breaches and cyberattacks are going up, and they're going to keep going up. The Identity Theft Resource Center talks about the number of records that have been stolen since 2017.

About 181 million records were stolen in 2017, and in 2018, just one year later, it was 415 million, and that doesn't even count the medical and healthcare industry, five billion in 2017 to over nine billion, almost 10 billion, just last year. It's a big enough issue that Congress is trying to take action as well with some bipartisan legislation that was introduced that talks about Securities and Exchange Commission filings and disclosures for having a cybersecurity expert on the board.

It's certainly getting a lot of attention here, and I also want to mention just a quick leveling of terminology. There's cybersecurity, and there's information security, it's the overall umbrella term that helps manage risk. That's what we're talking about here, is managing risk. It's not exactly synonymous with cybersecurity, which is the more technical kind of, the blocking and tackling of how we get around security controls and implementing those technical controls.

Although information security and cybersecurity work together, and cybersecurity is a subset of information security, so really all about understanding information risk, who owns the risk, and how to get after it, and how to either accept it, mitigate it, or transfer it. Those are all risk techniques, and that's what it's about, and that's what I think works for the most part.


Karen Roby: Tell us why you think military cybersecurity experts would be a natural fit for the boardroom.

Travis Howard: Well this is not about appointing somebody to go through the techno-babble or the IT geekiness of it. It's really about understanding operational risk, and this is where veterans can come into play because veterans at a lot of levels, but really at the senior officer levels, understand operational risk and mission risk to mission.

They're trained to understand technical issues. I'll take my background, for example, is with the US Navy. Ships are complex machines; they are whole mechanical and electrical systems. There are systems of systems that are embedded within these ships, and so it doesn't matter what your job is on board, you understand technical issues, and you understand how those systems play with each other to carry the whole.

And so it's all about operational risk, and the senior ranks have extensive planning and strategy, the decision making experience that could benefit the board's oversight role. And again, getting back to the information and risk part, understanding and mitigating risks to the mission is a core competency in the military. It's a core competency of veterans, and boards could potentially consider tapping into that skill.

Karen Roby: How would you suggest, if a company wants to tap into that talent, how do they go about doing that?

Travis Howard: I think there's a lot of different ways to do that. Consultancies or consulting firms are shifting focus and becoming more broad. I'm seeing a number of firms, and as somebody who's looking at this, I have an MBA, but I've also been in the military bubble, so I don't have the depth of experience in the private sector, but I have a keen interest in looking at how these organizations are helping to protect information, America's information, and there's virtual chief information security officers.

These are consultants that will advise a number of boards at once, and they'll draw their talent from their traditional consulting, IT consulting, cybersecurity consulting, and broader information security consulting, but do it virtually, and tapping into that 21st century technology that allows them to do what we're doing now, video chat.

You can do a video chat multiple times a day, board presentations, so the sky's the limit on that. You can also tap into the chief information security officers of the boards themselves. These are executive directors that run security that have had potentially decades of experience doing this sort of work, and they could be really good advisers to the boards if only the boards would invite them to those meetings every once in a while for focused discussions.

And again, not a technical discussion. It's a discussion about information risks, where the risks are currently, and how we're going to mitigate, and then finally you could appoint an expert to an advisory board. I know of a couple of different companies that are hiring cybersecurity experts. I'm connected with a couple on LinkedIn that are doing this.

They will set up an advisory board that will hire experts to examine certain risk sets, and information security's one of them, and I know a friend of mine who is a retired veteran who is now doing these sort of advisory board consultancy roles, and whether it works or not we'll have to ask him, and maybe time will tell, but that's the vein that's being tapped.

Karen Roby: We've talked a lot here at TechRepublic and done many stories on the talent pool in general, how there aren't enough people with this specialty that understand cybersecurity and really understand the risks involved, so the idea of looking at this sector and bringing in veterans that have that type of background, that's really, I think, a great idea.

Travis Howard: There's also a multitude of veteran service organizations and veteran-focused executive recruiters who would be more than happy to help fill a board, or help a board fill these advisory roles. Hire military, military talent partners. There's a number of startups, and they're all really active on LinkedIn, and exactly what you said: they're taking veterans who may or may not have that cybersecurity experience but have that risk to mission knowledge and are translating that to the information security sector, and other roles too, but as an infosec professional myself I'm focused on that.

And I'm seeing them lift up that talent, and companies are taking advantage of it.

Karen Roby: Are companies, in general, taking cybersecurity more seriously?

Travis Howard: There is the light at the end of the tunnel here. I think there are a lot of firms that see themselves less like a firm that creates product to more of a technology firm that just happens to make or sell a certain thing, so as things become more technical, as things exist in the digital space, those risks are being known, and you're seeing that with an elevation of the information security leader in any company being elevated to a C-level executive position, or in the executive director position.

And those folks taking on greater leadership opportunities, and I think it's about time because our information is at risk, our intellectual property is a list from a multitude of threat actors, so it's a very complex time, and it's only going to get worse. The defenders have a really tough job, so the more help that they can get from the senior level of any organization, the CEO, the C-suite, and even the board, will go a long way towards getting that visibility and solving these problems.
