
In the latest episode of the Security Visionaries Podcast, host Emily Wearmouth is joined by Richard Starnes, CISO of Six Degrees, and Homaira Akbari, President and CEO of AKnowledge Partners, for a conversation that sheds light on the role of the non-executive director (NED). They discuss why the NED role is particularly attractive to cybersecurity leaders and dig into the importance of diversity on boards. They also examine the existing gap in cybersecurity knowledge on boards, stressing the need for cybersecurity professionals to articulate their knowledge in business terms, and the impact that cyber incidents have on a board's focus. This is a conversation you won't want to miss!

Everybody has to have several things they bring to the table. It is not just one aptitude, so cybersecurity alone is not sufficient. What I have seen, and what I advise the many CISOs who are in fact interested in becoming board members, is to expand their knowledge base and their career: don't just be a chief information security officer all of your life, but do other things too.

Homaira Akbari, President and CEO, AKnowledge Partners, LLC


Timestamps

00:01 - Introduction
1:32 - What is a NED?
6:41 - The time commitment associated with the NED role
9:39 - Why cybersecurity leaders are drawn to NED roles
12:44 - The importance of board diversity
13:51 - How does cybersecurity experience help?
17:17 - How has your personal experience shaped your role as a NED?
22:07 - How do you find these kinds of roles?
25:27 - The cybersecurity knowledge gap on boards
30:24 - The impact of cyber incidents on a board's focus



Guests in this episode

Richard Starnes
CISO, Six Degrees

As Chief Information Security Officer (CISO) of Six Degrees Group, Richard Starnes leads the development and implementation of an information security strategy aligned with the business objectives and risk appetite of the cloud-led managed service provider (MSP) and managed security service provider (MSSP). With more than 30 years of experience in the information security industry, he has a proven track record of managing cybersecurity risk, ensuring compliance and protecting digital assets across a wide range of customers and industries.

Richard oversees security architecture, policies, standards, guidelines, tools, training and awareness at Six Degrees. He also sits on the board's Audit and Risk Committee, working with other company executives to provide guidance, reporting and oversight on business risk. In addition, he is a non-executive director and chair of the advisory board of the Cyber Resilience Centre for London (LondonCRC), a not-for-profit that helps small businesses and charities reduce their vulnerability to cybercrime. He is an active contributor to the cybersecurity community, speaking and writing on a range of topics, sharing insight and expertise, and participating in professional bodies and panels.

Richard holds an MSc in Information Security from Royal Holloway, University of London, the CISSP certification and a Fellowship of the BCS, and is a school governor at Lenham School in Kent.


Homaira Akbari
President and CEO, AKnowledge Partners, LLC

Dr. Homaira Akbari is President and CEO of AKnowledge Partners, LLC, a global strategy advisory firm serving private equity funds and corporations in the digital transformation and technology sectors of cybersecurity, the Internet of Things, artificial intelligence, energy transition and fintech. She currently serves on the boards of directors of Banco Santander (NYSE: SAN) and Landstar System (NASDAQ: LSTR).

Dr. Akbari has held senior management roles at Fortune 1000 companies including Microsoft, Thales and Trueposition, a subsidiary of Liberty Media. She served as President and CEO of SkyBitz, Inc., a leading IoT company providing asset tracking and security solutions; under her leadership the company achieved record results, and she successfully sold SkyBitz to Telular Corporation (NASDAQ: WRLS).

She holds an honors degree in particle physics from Tufts University and an MBA with distinction from the Carnegie Mellon Tepper School of Business. She has authored more than 50 scientific articles in international journals, holds two patents in IoT and is a frequent speaker at industry conferences. She has also published numerous op-eds and podcasts on governance and technology, and most recently co-authored the book 'The Cyber Savvy Boardroom'.

Throughout her life, Dr. Akbari has been active in and contributed to many not-for-profit organizations. She currently serves on the Business Advisory Council of the Carnegie Mellon Tepper School of Business and on the board of FIAF.org, a not-for-profit whose mission is to promote French culture, arts and language.


Emily Wearmouth
Director of International Communications and Content, Netskope

Emily Wearmouth is a technology communicator who helps engineers, specialists and technology organizations communicate more effectively. At Netskope, Emily runs the company's international communications and content programs, working with teams across EMEA, LATAM and APJ. Her days are spent unearthing stories and telling them in ways that help a broad audience better understand their technology options and the benefits those options bring.



Episode transcript


Emily Wearmouth: Hello and welcome to the Security Visionaries Podcast, a place where we invite cyber security leaders to come and talk to us about interesting stuff. And today we're doing just that, discussing the role of a NED or non-executive director. I'm your host Emily Wearmouth, so let me introduce my guests. Richard Starnes is the CISO of Six Degrees and he's also a non-executive director for the Cyber Resilience Centre for London, as well as a school governor at Lenham School in Kent as part of the Cyber Governors Scheme. He's worked in both the US and the UK and he joins our elite club of guests who's also held law enforcement positions, which I always like to get involved in the podcast. He is a recipient of the ISC2 CEO award and he's been named a top 50 information security professional, so welcome to the podcast Richard.

Richard Starnes: Thank you very much.

Emily Wearmouth: My second guest is Homaira Akbari, she's the President and CEO of AKnowledge Partners, which is a global advisory firm, and she's held senior management roles in a number of large organizations including Microsoft and Thales. But we invited her to join us today because she has extensive board leadership experience, serving on six public company and 15 private company boards of directors. Currently she's a non-executive director on the board of Banco Santander and she also serves the same role for Landstar System. If that's not enough, she's also the author of more than 50 scientific articles in international journals. She has two patents and a PhD in particle physics, which is just downright cool, so I'm really glad that you could join us today. Thanks for being here Homaira.

Homaira Akbari: Well, thank you, Emily.

Emily Wearmouth: So I'm gonna dive right in with the obvious question and I'm gonna start by asking this one to you, Richard. What is a non-executive director?

Richard Starnes: I'm going to go to an English phrase that's a bit of a how long is a piece of string question, that varies quite widely depending upon what industry you have a NED post in and the size and a myriad of different things. So it kind of depends.

Emily Wearmouth: [laughter] Homaira, can you help us out? Can you hone down a little bit? What are some of the general characteristics of a non-executive director role?

Homaira Akbari: Yes, every company whether they are private or public should have a governance. What does governance mean? It means a group of people called board of directors, which take the responsibility and fiduciary, specifically fiduciary responsibility and duty of care of governing all the principles for that company from bylaws and from rhythm of the business, from the objectives of strategy, and really have check and balances also against regulations and compliance.

Homaira Akbari: So that is board of directors. And within board of directors, then you have a group of people who, for example, the chief executive officer of the company who would usually become a director of the company, but they're executive obviously. In UK, it happens that frequently CFO, chief financial officer is also a director, but in the US or many other countries, in fact, that trend or that practice has been discontinued. Usually only CEO is the executive and you might have former executives who are serving on the board of directors. But when you have somebody who is independent from the company, has not worked for the company in the past, or advised the company in the past, or has been very closely associated with it, at least in the recent past, sometimes it's five years, for example an auditor, partner of major auditing companies, then you would call them non-executive directors.

Emily Wearmouth: Richard, does the distance, the more independence from the executive team imply that they're not paid? Is this still a commercial relationship? Is it still some sort of employment?

Richard Starnes: I think employment might be an interesting sort of distinction, but some of them are paid and some of them are not paid. It depends upon the board itself. For smaller non-profits or for smaller professional boards, those are going to be non-paid usually, certainly at Homaira's level. And I have to be honest, after listening to your introduction, Homaira, I'm feeling a bit of imposter syndrome here.

Emily Wearmouth: She is impressive isn't she?

Richard Starnes: Very impressive. What on earth am I doing here? But those sorts of positions are obviously remunerated.

Homaira Akbari: If I may add, first of all, Richard, thank you very much. And I'm very happy to be with you on this call. And I think the different backgrounds makes it so interesting. But you mentioned, Emily, commercial. There is really no commercial relationship between an NED or there shouldn't be because they are, in fact, they have fiduciary responsibility for all shareholders, even for not-for-profit. I am also, as Richard said, in not-for-profit, not only you're not paid, but you actually pay. You have to pay because it's not-for-profit and they need funds. But regardless, whether it's not-for-profit or for-profit, you effectively have fiduciary responsibility towards other shareholders of the company or other participants, if you like, or members.

Homaira Akbari: And therefore, when you mentioned the word commercial, I would say there is a commercial relationship. But yes, boards of for-profit companies are generally paid. And the reason for it is, there is quite a bit of work involved in doing that. And again, back to you have duty of care and you have fiduciary responsibility. And if you do not perform those fiduciary responsibility, you're subject to legal actions by shareholders. Therefore, you're paid generally. Most boards pay you appropriately, but it's not gainful if you like.

Emily Wearmouth: I actually went to an event recently and I heard a couple of NEDs chatting and both of them agreed that no one gets into it for the money. You get into it for lots of reasons. And there is compensation, but nobody is in it for the money. But I was quite interested, they were talking about, and both of you are as well holding multiple roles at the same time. So what's the sort of average time commitment? Is there an average or does it vary?

Homaira Akbari: Yes. It does vary depending on the board. But on average, if we talk about a public board and let's say a board which is mid cap, a 10 billion market cap, and maybe I use European, the European company, which is mid cap, they usually meet five times a year, of which four times a year are actually board meetings. And one time a year is a strategy, if you like. So they don't do a board, but they do a strategy. They visit subsidiaries, they visit operations. And for that five times, if you like, you probably, depending on where you come from, you will travel two to three days, including the meetings. So you could say that you are engaged with a board around 15 to 17 days in person, and then another probably 10 to 15 days scattered across the year virtually for virtual calls and also preparation for the meetings. So for a single board, you might consider somewhere between 25 to 30 days a year, which is a lot but not a lot.

Emily Wearmouth: Right. It's a lot. Yeah. Yeah. It is certainly not a full-time job, but I think it's more than I was perhaps thinking for the number of boards that some people sit on, it does seem quite time intensive. Richard, what's your experience? And I'm quite interested in this cyber governors program, so we'll talk about that in a bit more detail in a moment, but when you are looking at being involved in these roles in a smaller organization, perhaps a not-for-profit, perhaps a school, what's the sort of time commitment there?

Richard Starnes: The time commitment, I would say tends to run 15 to 20 days per board. It's not as heavy as a commitment, but one of the things Homaira was talking about what I would say would be a normal situation. There's a cautionary with different types of directors that I would want to talk about. You have directors who sometimes lose the direction of what it is that they're supposed to be doing and start straying out of being a director and start straying towards being a... I would say an executive or being a little bit more active in the operational aspects of the company or the board than they should be. That's one kind of cautionary, I would say you need to remember what you're doing and why you're doing it.

Emily Wearmouth: To that point, this is a podcast listened to by people who are leaders in cybersecurity. And the reason we are having this conversation is I've picked up that a lot of people, as they move through their career, you start to see non-executive director roles added to CVs and LinkedIn profiles as people move up their career ladder. And I wanted to find out what's your perspective as to why this is? What's the appeal for taking on these roles as you become a senior person within cybersecurity? Richard, what pulled you in?

Richard Starnes: For me, it was... I'm starting to get onto the back end of my career and I am more and more aware of giving back. I've given back throughout my career, but I think it's incumbent upon me at this point in my career and my life to start giving back more to the profession and more to the community. And that's why I've sat on both of these boards to do that.

Emily Wearmouth: So that sounds delightfully altruistic, but surely there's also a sort of career benefit to having these names on your CV. Homaira, what's your take? What brought you into these sorts of roles?

Homaira Akbari: Well, I think what Richard described is absolutely true. There is generally, and historically this has been doing... Serving on boards where primarily as you enter towards the second half of your career or third half of your career, if you're like the third part of your career, but also because you do need experience and that is quite important, governance experience, or executive experience, or being CEO and running a company and P&L ownership, because you have to have kind of a well-rounded experience when you're on board. Having said that, about 15 years ago, or even somewhere 15 to 20 years ago, a trend started, which started first in Europe and specifically Norway, where they realized a lot of board of directors, if not all, were very much populated by male and they wanted to do gender diversification.

Homaira Akbari: And as a result, they put in laws in place where every board would have to have somewhere between 30% to 40% female on their board. As a result a lot of boards started diversifying prior when the rule went into act and they had the female board members that maybe was the first time they were a board member and frequently on a younger side of the age and not necessarily towards that second half or third part of their career. So today, fast forward, if you look at boards, boards are dramatically more diversified, not just anymore by gender, but also by race, but also by age. So you have... And that became even you talked about cyber earlier, but that became even more pronounced when digitalization became a reality and everybody realized, every company realized they have to do digital transformation. Guess what? Majority of people who knew how to do digital transformation were on the younger side of the age range. So the boards became more flexible to, for example, have board members who were even 35 years old or even younger versus if you go back three decades ago, the average age would have been much, much more than that, probably in like late '50s or '60s. Today, the average age kind of every year is going a little bit down.

Homaira Akbari: But I am a great believer that you need everything on a board. You need that diversification both in terms of age, in terms of technology, in terms of experience, background, gender, race... And I think boards who have done that, which majority of public boards have done that, have really benefited from it.

Emily Wearmouth: I've seen some McKinsey research that said... That specifically looked 100 boards and said those with the more diverse team had better bottom line performance. So it definitely seems that the right direction for a board to be moving in.

Richard Starnes: Absolutely, couldn't agree with you more. We convened an advisory board for the London Cyber Resiliency Centre and I chaired it and I was very, very specific in looking at the demographics of London and ensuring that the demographics of London matched the demographics of the board. And I think we've benefited greatly from that. 40% of our advisory board are women.

Emily Wearmouth: That's really good to hear.

Homaira Akbari: Fantastic. Congratulations.

Emily Wearmouth: Can I assert then, that if digital transformation was a driver of getting greater diversity and perhaps a younger makeup on a board, could we look at some of the challenges that organizations are currently facing and one of those, the top of my radar is a very fast evolving threats landscape. Could that mean that someone with cyber experience is today bringing much more appealing set of skills to a board than they perhaps might have done 10 years ago and we might therefore see an increase in cybersecurity professionals finding these board positions?

Homaira Akbari: The answer is yes and no. [laughter] In a sense that obviously if you do have cybersecurity knowledge and that if you like, you could be considered cybersecurity expert. That is a positive, but by itself only, it's not enough.

Emily Wearmouth: Right.

Homaira Akbari: While it would add on tremendously to your candidacy, it is not just enough. Because on board, you recall boards vary, their size vary anywhere from seven to 15-ish, and everybody matters on the boards. And as we discussed earlier, for example, if your board is 12, maybe three or four are executives or former executives. So now you only have seven or eight members that you can choose from, and all of that seven and eight, if you are, for example, an international company where you have presence in Brazil or you have presence in China, you do want representation from those geographies because it's very important. So you can't just pick somebody just because he is Brazilian and okay, he was a business person in Brazil, therefore I need somebody from Brazil. What you need to do is, everybody has to have several things they will bring to the table.

Emily Wearmouth: Right.

Homaira Akbari: Not just one aptitude, therefore cybersecurity alone is not sufficient. What I have seen, and I advise a lot of CISOs who many of them are in fact interested to serve on boards, is really to expand their knowledge base, their career, not just be chief information security officer all of their life, but to also do other things. And we have in fact seen CISOs who've been successful to do that. And we have a very powerful example in Banco Santander where our CISO who was there for seven years now transitioned to become P&L owner and the head of transformation for retail and commercial, which is really a very important position in the company.

Homaira Akbari: And those examples are very positive. They're rare and far too few, but they're starting to happen. It's the same applies by the way to CIO or any other, like if you're chief AI officer or chief data officer and you have ambition to become a board member, you have to realize that you do have to diversify yourself, diversify your career, and to be a well-rounded person. 'Cause that's what board needs. In every board now we do scale matrix, and in the scale matrix we say, okay, what are the things that we need for the board and which ones you're bringing to the table? And if you just check mark 2 out of 15, that's not good enough.

Emily Wearmouth: Richard, is there anything that you consciously worked on and expanded from your experience and your credentials in order to offer more value to the boards that you serve?

Richard Starnes: I've never actually served on a board as the CISO. I'm gonna step back and answer your original question. The question amongst CISOs has been sometimes I think poorly phrased and should a CISO sit on the board of directors? And my general answer is no. And the reason is, you can't sit on a board of directors because of a particular function that you do. You have to be much more diverse in what you do and your experiences is one thing. The other thing is, should CISOs report to the board of directors? I believe that should be the case. And when I say report, they should be able to have reports about what it is that they're doing. That not being the case, then the board will have some kind of structure where it will have risk or security committees that will have a board member that sits on them. And they certainly should be a member of that. But you don't sit as a CISO just because you're a CISO in my view.

Emily Wearmouth: Yeah. And I guess you get into territory there of marking your own homework to some extent, don't you? If you are both the CISO and the board that's checking the work of the CISO, there's a slight conflict potentially there anyway.

Richard Starnes: I generally recommend that boards have a cybersecurity and/or cybersecurity risk expertise other than the CISO because somebody does need to check that homework.

Emily Wearmouth: Yeah. It sounds like it makes sense. Homaira, are there... Whether this is your personal experience or people that you've seen move into some of the boards that you serve on, are there individuals that have come from a specific cybersecurity background? Possibly at a very different organization to the board that they're looking to sit on. And do you have any thoughts on what skills they've added to their cybersecurity credentials in order to justify their seat on that company's board? Should they be running out and finding financial skills, for instance?

Homaira Akbari: Yes. There has been cases, I have to say, that that person's biggest important piece of his career was to be part of cybersecurity ecosystem. But again, I said it before, they are much broader than that only. And frequently, by the way, even for anybody who wants to become a board member, if you want to establish skill sets to be a board member, you could start with smaller boards and specifically private board, non-public boards, venture-backed boards. And on those boards, for example, if the company is venture-backed and it is a cyber company, you would have the opportunity even as a CISO, to sit on the board.

Homaira Akbari: And that gives you, that start gives you the taste and the functions, the high functions and you go through learning. So I would definitely suggest that. But once again, for public companies, it's becoming very competitive and you have to have the 15 skill matrix and background, required background and experience. You probably have to check mark 10 to 12 in order to be on that public company. And that outside of sometimes race, gender, and diversity of the experience and background, it is, have you been CEO? Have you been responsible for P&L? And you either have it or you don't have it. If you don't have it, you can't check mark those. So there are some hard questions there that you have to answer and it takes time to get there, which is why originally or years ago, majority of board members were much older people because they had just done many different things through their career and they could have check marked those responsibilities or skill matrix.

Richard Starnes: We in the United Kingdom have governors. They're similar to school boards in the US in some respects, but not all. It may be called a governor's program or a governor's board, but it is a non-executive board type position. And this is a good place to learn how boards work and identify board members that have been there for a while and get some level of input and tutoring from them to learn how those whole processes work, how governance work if you don't already know and make those kinds of contributions. The Cyber Governors Program is we're having some challenges within particularly cybersecurity within the UK. And they're trying to bring people with cybersecurity experience and IT experience onto those boards to help the schools deal with those things. But that is a good way of you getting something from the standpoint of you getting board experience and the boards getting your experience from an IT standpoint and you getting something and giving something back at the same time.

Emily Wearmouth: That sounds like a brilliant way to start to tick some of those boxes that Homaira talked about and demonstrate that you've got experience in certain types of broader roles. But I also wanted to look at how does one go about finding these sorts of roles? My attention was drawn a few weeks ago to a website that's a bit like a jobs board but for non-executive director roles. And I was having a skim through there and there are some fascinating things listed. Is that the main way that boards find new non-executive directors or is it more a quiet tap on the shoulder from someone who knows someone? How in reality are these roles identifying candidates and are candidates finding roles?

Homaira Akbari: Sure. There are a number of possibilities. For example, there is something called BoardProspects. I think it's boardprospects.com that you could go on... There are... I know of a few networks which are all female networks. Sometimes you have to be already on a board of directors in order to get on those networks. I think in every country there are director institutes. For example, in the US it's National Association for Corporate Directors. And you can become a member even if you're not a corporate director and go to their events and start meeting people. So there are a number of these situations.

Homaira Akbari: In cybersecurity also, there are a number of networks that you can be part of. As I said earlier, one of the ways to learn is also to become board member of private companies, small private companies. That means that if you have relationship with venture capitalists or private equity, you could take advantage of that and leverage that. But there's no question that you have to do networking. If you think you can just sit there, go to a site and apply, it's a little bit more difficult than, I would say, than finding an employment.

Richard Starnes: The other thing that you need to consider, in some respects, this is not different than job search. In and of the fact that just because a board will have you, you need to make sure that you want to be on that board. Particularly, if you're approaching this for the first time, you can't just say, I've been asked, so yes. You need to make sure that there is a good fit just like you would in a job. And that's from a standpoint of what the company does, what the company's level of maturity is in the governance particular. And so those are the things you absolutely have to consider as well.

Emily Wearmouth: Now, I want to slightly turn the conversation on its head a little bit. We've talked about what cybersecurity leaders can bring to a board role. Now, I want to take a little look, 'cause I've seen both of you talking in the past about opinions about the cybersecurity knowledge that does or doesn't already exist amongst the broader board members, people that haven't come from a cybersecurity background. Just to ask a very binary question to start with, is cybersecurity knowledge on boards in general, good enough?

Homaira Akbari: Couple of things. You have to realize that many board members, not only they don't know cyber, but they don't need... Today, especially today, board members, they don't have a good technology background because they came through and they didn't even... Like when they went to business school, cybersecurity wasn't taught. It wasn't a course. Today, cybersecurity is taught, digital transformation is taught in business schools. So it remains pretty abstract topic for them. And I think one of the things we've seen frequently, they don't understand the concept of the fact that you're never, ever 100% secure, no matter how much money you spend. So you have to explain that to them. And because you have to explain, you are going to be breached. Therefore, your organization has to be prepared when you breach, how to identify that you're breached, how to contain it, how to respond to it, how to recover from it.

Homaira Akbari: And that's something that they don't understand, nor do they understand what investment you have to do that. Protection, they understand better. Okay. I build walls and I protect myself. Same in cyber. Last year I co-published a book called 'Cyber Savvy Boardroom', which really tries to provide mental models for board members and give them the basics of cybersecurity so that they can internalize the knowledge. That's the key word. You have to be able to internalize what it means, cyber and cybersecurity, and how do you defend yourself. You don't have to be a specialist, but you just have to understand the concepts. And the reasons that hackers and bad guys come after every company and the fact that today, because of ransomware, every company is a target.

Homaira Akbari: Ten years ago, that wasn't the case. Only if you were in certain industry, you would be targeted, whether you're financial industry, health care. But transportation was less important. They don't have a whole lot of interesting data. But today, when you can actually using ransomware, get money even from municipalities, even from not-for-profit organizations because you disrupt their operation, nobody is safe anymore. So that's the key. So I think it's continuing education. I think it's continuing putting emphasis on it. There's no end to this, for sure. But I'm sure Richard has quite a lot of... Could add quite a lot to this topic.

Richard Starnes: In answer to the question, no, they don't. But my response is, why should they? They are executives in and of their own right and very good in specialist areas of their own. My response to that is generally that CISOs need to learn to talk to the board in a language they understand, which is business risk, which boards understand quite well. And that's the translation that has to occur from the CISOs. You don't know what a firewall is, and I'm not gonna blow 15 minutes of your time explaining one to you because you don't care and you shouldn't. But here's what a firewall does. It mitigates these risks to the company, and this is why we have them. So that's the kind of language change that I think we need to make amongst the CISO community, which is speaking in business language.

Homaira Akbari: I fully agree with Richard. I think that language... I remember I was in this event with a number of board members and where I gave a little speech and then it was a debate. And then one of the board members, she said to me, well, and she really was very serious. She said, "I think some of these people don't speak English. We should send them to language lessons."

[laughter] Homaira Akbari: And I was like, okay. It's exactly to the point that Richard just made. She said they don't speak English actually.

[laughter] Emily Wearmouth: It's a very good point. I wonder whether when these incidents occur and suddenly cyber security might be sitting at the top of a board's agenda because they're in the middle of an incident, and we've even seen this, some of the schools in the UK, Richard, you'll be familiar with this, being subjected to ransomware attacks and having ransom demands being made on them. These are public schools as in government money. They don't have the money, but everybody is falling victim to these. When these incidents occur or industries become aware of incidents occurring to peer organizations, does it flip and suddenly cyber becomes disproportionately laser focused from the board or is that not the case? I'm trying to imagine how these conversations ebb and flow within board consideration. Does it move with incidents?

Homaira Akbari: The answer is yes. If they didn't have a good cyber program and they were caught by huge surprise, and there are a number of examples I don't wanna point out, especially because I'm in the sector. But maybe I will: Target, Equifax, SolarWinds. And the impact of these breaches, the impact has been huge. And when these organizations weren't fully prepared and have not had a full program, then it becomes quite chaotic. And it has certain major consequences, which it did for all three of these companies I cited, and it continues to have.

Richard Starnes: I wrote an article fairly recently on this very subject, and the reason that I'm smiling is because I needed a graphic for it, and I asked DALL-E to write me a graphic for what it looks like when a board is dealing with a cyber incident. And it drew me a board of directors sitting at a table. There were papers flying everywhere. There were people yelling and shouting, and there were red screens flashing all over it, and my immediate response was, if this is what your board looks like during an incident, the first thing you should do is fire your CISO. You train for these, and then you will know how to react to them. The board should be engaged. They should be going through at least one scenario a year to fully understand how these things work.

Richard Starnes: The ransomware is a good one, and it's very easy for certain people... I'm ex-law enforcement, so with my law enforcement hat on it's, no, I don't wanna pay the ransom, I wanna put these people in jail. But unfortunately, it's just not that simple. When you are a company and you've had your ability to make money or sustain your company taken away from you, and you're racking up debt and losing customers every minute, sometimes you have to do the unthinkable, which is pay. It's highly situational, but you need to have already been there mentally and made some of these calculations to save you time. And that comes through things like scenarios.

Emily Wearmouth: Yeah. That sounds very sensible. They used to say from the mouths of babes, the truth springs. And I think it's now from the mouth of an AI request, you tend to work out what the stereotypes are that it's feeding off. Fascinating. So I can see that we're running short of time. And Homaira has got a meeting to go to. I'm assuming a board meeting. So I'm gonna wrap it up there. But thank you both very much for your time. You have been listening to the Security Visionaries Podcast. I've been your host, Emily Wearmouth. Please do subscribe to the podcast if you haven't already. My co-host, marvellous Max Havey, and I record fresh episodes every two weeks. So we cover all sorts of interesting topics and there's something there for everybody. Thank you very much, Homaira. Thank you, Richard, for joining us. It's been great to have you here.
