EPISODE 152
Boards of Directors and Cybersecurity

About this episode

February 27, 2024

The SEC says that Boards of Directors need cybersecurity expertise. But how exactly does that work? Let’s find out with our guest Vanessa Pegueros, former CISO of DocuSign. Your hosts are Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at CR-MAP.com and KLGates.com.

Jake Bernstein: So Kip, what are we going to talk about today on episode 152 of the Cyber Risk Management Podcast?

Kip Boyle: I'm really excited, Jake, because today we're going to talk about something that we have never made as a focus point in a previous episode. We're going to talk about cyber risk management at the board of directors level. And this is a hot topic and it's getting hotter and we're going to talk about this today with our guest. And her name is Vanessa Pegueros and she's a board director with at least two companies that I can share with you, the Boeing Employees Credit Union or BECU as we all refer to it. And also she's a board member of the publicly traded company LivePerson. And I've known Vanessa for years and years and years. I'm so glad, Vanessa, you've decided to spend a little bit of your time with us and our audience. Welcome to our podcast and thank you for being our guest.

Vanessa Pegueros: Well, you're welcome, Kip. Thanks. I really am glad to be here and to actually talk about this topic. Just as a little background on me, I spent 19 years in cybersecurity in various operation roles. Spent my whole career in technology, but 19 of those years specifically in cyber. I was a CISO at DocuSign, Expedia, and a company called OneLogin. And back in late January 2022, I decided I wanted to step away from operational roles in cyber and take my battle to a new level, which was really in the boardroom and advocating for all the change we needed at the board level relative to cyber. So my passion still is related to cyber, but I'm just kind of changing my attack technique on dealing with all these issues. And it's been an incredibly rewarding experience and I feel very, very proud to say I feel like I'm already making impacts with the companies I'm involved with.

Jake Bernstein: Now, Vanessa, I'd like to know if you had a magical crystal ball because you said that you chose to do this in January of 2022, which actually predated even the initial draft release of the SEC's board related public company cybersecurity disclosure requirements, which of course are now in effect and have been since last December. And Kip, of course, you'll have to put in the show notes, we have a link to an episode on that that was fairly recent. But that's really, I mean, and I don't know if you intended that or maybe you had some special intelligence somewhere, but pretty good timing and I'm curious, yeah, how'd you do that? And what stocks should I buy?

Vanessa Pegueros: Well, I told my brother to buy DocuSign when it was $35, but I have no insider information and now it's at 60 something.

Jake Bernstein: Well, there you go.

Vanessa Pegueros: He didn't listen to me. Yeah, Jake, I actually decided I wanted to do board work when I was in my 20s, but I actually knew that I didn't have the experience, the title, none of the things that I needed. So I kind of put it on the back burner and said, "One day, I'll come back to that."

So in January of 2022, I had been working, at least I had joined my first board in 2018. So I was on the Carbon Black board, so security company. And so I had started at least five years before that back in 2013 on my earnest effort to work my way into a board level position, which is, I'm sure we're going to talk about that more, but it's a long process and you have to be very patient and focused on your goals. And you spend more time... It's not like the job. It's not like, oh, I'll go do a few interviews and hopefully I'll get a job. It doesn't work that way at all and I'm sure we'll talk about that some more.

But I really, after leaving DocuSign took off about seven months. I'm like, oh, I'm going to retire and just do board work, but I wasn't quite ready. In your career, sometimes you're just not ready for something, you don't know it. So then I took on another operational role, which was with OneLogin, and two years later, which is when I left in January 2022, I'm like, I'm ready to do full force on board work. And I think it's needed more than ever now related to having that technical expertise and that cyber expertise at the board level.

Jake Bernstein: So Vanessa, why, based on the changing world we live in, do boards of directors need cybersecurity expertise? And before you answer that, maybe let's just back up a second, Kip, for our audience as a whole and just ask, I think people will toss around terms board of directors all the time, but what is a board of directors from your perspective being on them, what companies have them, what companies don't have them? I think that it can be very confusing. It's confusing for me as a lawyer with corporate experience. I can only imagine how confusing it is for those without that education and background. So maybe let's start by just kind of talking about what's a board and what does a director do?

Vanessa Pegueros: So a board of directors is a group of people anywhere in the range of maybe seven to 11 people who essentially are charged with fiduciary duties on behalf of the shareholders, if they're a public company. And if they're a private company, they still have duties, but no shareholders at that... necessarily public shareholders. But essentially, if I had to boil it down, the board of directors hires, fires, evaluates the CEO, ensures that the company is adhering to all laws and regulations that they need to, ensures that the strategy is in line with what the company needs to achieve going forward to be competitive and to achieve their financial objectives.

And essentially there's a whole host of different segments of a board. We break out into committees and you deal with different things relating, for example, the audit committee typically looks at the financial statements the company issues and makes sure they're accurate, they have the integrity that they work with their external auditor. The nom-gov committee, which is another common committee, deals with bringing in... they work with executive succession planning, so related to the CEO as well as how do we keep bringing the right people, future new members onto the board of directors, having the right skillsets to run the company effectively at that level. And then the compensation committee, which essentially works to ensure that the CEO and senior level executives are compensated working with external consultants, ensure they're in line with the pay philosophy of the company and deal with things such as ESG.

I just recently am leading up a cyber and tech committee for one of my boards that we kicked off. So we're dealing with all technology and cyber risks, specifically taking that away. Typically, that had been handled in the audit committee and now it's become too much to deal with in the audit committee so now a lot more companies are starting to look at these separate committees. But essentially I'd say the biggest thing is your job is to make sure that the company's running in a healthy manner, it's adhering to laws and that you have the right CEO leading the company to achieve its goals and objectives.

Jake Bernstein: I think-

Kip Boyle: Vanessa, I just want to compliment you, that was a great thumbnail sketch. And as far as I could see, because we do have some video going so we can see each other as we make this, I don't think you read that.

Jake Bernstein: No, she didn't read that. And I have a couple more questions on this point because I think it's important for people to understand. Board members are not employees of the company. That's pretty clear. But it's also a lot of work. And I know board members do get compensated, but they're not employees. Sometimes it's stock, sometimes it's a retainer fee, but it really does have to be a decision to be a board member because they're certainly not compensated like CEOs. So you have to have an interest in being a board member. And I think the mechanics here are important because as we talk about actually getting to this question about why do boards of directors need cybersecurity expertise, it's worthwhile to think about who are the people on the boards now? Why do people join boards? If we can't answer those, then we're going to have a hard time getting people with cybersecurity expertise like yourself to join boards. Maybe just any thoughts about that at all?

Vanessa Pegueros: Well, I think, Jake, the boards of directors are kind of in transition in terms of their structure and what traditionally they've been doing. I think, depending on the company, some boards, they have some members that have been there many years, maybe decades, that are there, which is a whole nother topic of term limits and some other things we could get into, but probably not the focus of this conversation. They get on through their network mostly. Most, call them legacy board members are getting on through their network. They know somebody, they know the CEO, they know one another board director, they get brought in. They may or may not... Unfortunately, and I think this is changing, but it was a bit of a buddy system in the past. And you wouldn't actually have the right skillsets, but you had somebody you could trust that you knew that you could work with.

Jake Bernstein: Let's be honest. You said buddy system, but really it was the old boys' club.

Vanessa Pegueros: Pretty much. Yeah. Yeah.

Jake Bernstein: I mean it, and it probably still is in a lot of cases, and I think you can talk about diversity on boards and we need it in many, many facets, not just experience, although now that is becoming required, but viewpoints as well. And that means all kinds of diversity, gender, race, all that stuff. And I think a board that is uniform, a bunch of friends from the old days, is just not going to have the same perspective as a board that's assembled a more modern way. And I don't know, I think there's a lot of... I mean Succession is a TV show largely about boards.

Vanessa Pegueros: I love that. That was a great-

Jake Bernstein: And then I think it has brought attention to a topic that a lot of people don't, again, they don't understand what a board is, how it interacts with the management of a company. There's differences between the officers and the board members. So moving into the cybersecurity component of this, and I think you've kind of hinted at it, but as a historical matter, there's no guarantee that a board has anyone with cyber experience.

Vanessa Pegueros: Yeah, I think typically in the past that's been true because again, as you mentioned, it's their network, the network of who existed. And let's bring on my buddy going to... I like him and we can work together. And it's funny, but if I look at companies now, think about the most disruptive aspect of all companies is technology and how older companies are being disruptive. You have all these new entrants, you look at how AI is disrupting things. And not only how disruptive they are, but also the pace of change is just accelerating significantly. And you have this group of people whose mandate is to look ahead for the company, assure you have the right leaders, and they didn't grow up with technology. A lot of them don't have it in their background. They are, they're almost paralyzed by the pace of change that's occurring.

And so this is a skillset that I think if you think back to Sarbanes-Oxley when boards weren't required to have a qualified financial expert pre-Sarbanes-Oxley. Now it's like everybody just accepts it and Oxley says, well, it makes complete sense that we'd have a qualified financial expert.

But right now it's not completely there with the technology expertise. I think in a few years we're going to be looking back at this time and saying, wow, it made so much sense. Why didn't we make this shift earlier to require technical expertise on boards? And so I do think at some point I think, the SEC's kind of creeping into it, but it's not yet there in terms of an absolute requirement that it will be. And I think because of the pervasive risks that technology brings and how that then moves into the cyber risks, cyber gets a lot of attention. But in general, I think it's technology, understanding, being comfortable with technology being comfortable... All technologists are just used to the pace of change that we have to deal with our entire career and boards, because they don't have those operational experiences, are really trying to figure out how do we adjust to all of this.

Kip Boyle: Fascinating. Vanessa, I have conversations regularly and in fact this morning I had a conversation with a new customer about the fact that every company that does business on the internet is a technology company that happens to specialize in something else. And that's a huge part of what I'm thinking about right now as I listened to you talk about getting cyber and then more broadly just technology expertise into the board. Because if we can't control our technology, we can't do anything. We can't sell, we can't fulfill orders that we've taken. We can't collect money that's owed to us. We can't pay anybody that we owe money to.

I had a conversation with a CFO not too long ago. They are a fruit growing company and they grow fruit, then they pack it after it's sorted and cleaned and they send it off. And I said to him, "Can you box any fruit without your computers?" And it took him a moment. He really had to take a moment and think about that and to realize he couldn't. And he's like, "Man, we're just farmers. Why are we doing all this tech stuff?" And I said, "Well, you've kind of answered your own question." But really that's everybody today. It doesn't matter if you're a not-for-profit, you can be big or small. I mean we can't opt out of the internet and therefore we have to have a competency. I think that's what you're saying. I mean, have I done a good job of parroting back in my own words what you're saying?

Vanessa Pegueros: Yeah. I think that's exactly it. I mean all levels of an organization, obviously the lower levels know this, but I think it has to seep upward more to realize how strategic and important technology is to all companies. Because at a minimum, they're enabling the back office, they're doing things that are going to make them more efficient, better able to compete, better able to serve their customers. The technology enables those things. I think sometimes people avoid topics that they're not comfortable with. So if an executive has not had to deal with that in most of their career, they're comfortable with the financial statements, but they're not comfortable with technology, that's a challenge because it is pervasive and it is a key component of their business. And they can't just relegate it to the CIO. We cannot silo technology and cyber risk anymore. And many executives and boards continue to try and silo it.

Kip Boyle: Well inaudible to work, right Vanessa? Back in the day it was tenable. You could do that, but you can't anymore.

Vanessa Pegueros: No, it's everywhere now.

Jake Bernstein: And I think moving into kind of a cyber risk component of it, I mean it's clear, once every company is a technology company, then suddenly every company has to worry about cyber risk as well because technology is inherently subject to cybersecurity risks and problems. And not to go backwards to our discussion about the board, but in terms of board function, and you kind of mentioned this, but is one of the board's areas of responsibility, I guess for lack of a better phrase, strategic direction for the company? And what is the CEO supposed to do? Does the CEO tell the board what to do or does the board tell the CEO what to do? And I mean, I know the answer, but I think it's helpful for people to understand because that specific question often hangs over, well, why is the board responsible?

Vanessa Pegueros: So the actual strategy itself needs to come from the CEO and their executive team. And then they bring that strategy to the board and they essentially socialize, explain it, help the board understand why they're doing what they're doing, why they believe this is the right direction and approach. But in the end, if there is a heavy technical component to that, which there usually is, and more and more is technology such a key part of that, the board needs to have enough understanding to ask the right questions to challenge the assumptions and understand the assumptions. And if you don't have a competency in technology and understanding how cyber risk might manifest in this new approach or this strategy, you are not doing your job as a board member because that is your role, to challenge, to question to understand. But in the end, it's the CEO and the executive team's role to come up with the strategy. The board has to approve the financial plan associated with this strategy, but you have to be able to ask the right questions.

Jake Bernstein: In other words, you have to know something about... actually you have to know a lot about a lot to be a board member, in some ways, right?

Vanessa Pegueros: More and more. It's actually becoming more and more demanding to be a board member because you are required to know a lot about a lot of different things. And then you also have to be able to draw that line between dipping into the operational nature of the business and your role as a board member. And that's a gray area in many situations, especially with cyber. When are you diving too much into the details and-

Jake Bernstein: Imagine especially for someone like you, you've been a CISO for a decade plus, been in cyber on the operational side for, as you said, almost 20 years. How challenging is it for you to not try to push some buttons and flip some switches, even if it's at the managerial level?

Vanessa Pegueros: I think my background in itself becomes... in its own way, the CISOs know, "Hey, I can't pull the wool over her eyes. She's going to ask me the question." So they're not going to kind of try and make it seem all rosy because they know that's not the reality of any company when it comes to cyber. And they know I'll know that. So I think in a way, my presence, it's like the audience changes the outcome in a way how they present and what they think they can share.

I do hold back. When a CISO will present something and I know it's not, I'm like, "No, that's not true." I do not challenge them in front of the group. I mean, it just doesn't help. I pull them aside though later on and I'm like, "Hey, this doesn't make sense to me. Help me understand why it's like this or how you made that statement." So I don't want to embarrass them, but they also know that I make it known that I understand at a more detailed level and that they need to maybe adjust the next time they present.

Jake Bernstein: I mean, what you're saying is twofold. One is accountability is critical for all levels, and when you're in the C-suite, the accountability really leads to the CEO and then to the board and that's it. I mean that's where the accountability is. And the flip side of what you said, which should be concerning to everybody, every shareholder, is that what if you don't have a Vanessa on your board? What if there is nobody who understands cyber at all and any CISO can say whatever? And essentially the response is limited to nodding and smiling because you don't know. That is-

Kip Boyle: Golf clap.

Jake Bernstein: Golf clap. I mean I think about this, or I'm thinking about it right now, and it's just kind of suddenly horrifying me with realization that there have got to be way more boards with no cyber expertise than not and they don't know. They don't have a clue. I mean it's a different-

Kip Boyle: They don't even have technology expertise necessarily, right?

Jake Bernstein: No, no.

Vanessa Pegueros: Let's just start there. Let's just start with the bigger picture, the technology expertise. I think, gosh, there's so much to what you just said. My brain's going five different directions right now. The challenge, I think current board members who don't have this expertise, they keep kind of going back to, "We don't need that. We'll bring a consultant in if we need them," not understanding the pervasive nature and all the conversations that cyber should be thought about in everything. It's not just like, oh, we'll bring the consultant when we have the presentation by the CISO. That's not enough. Marketing may be doing something and proposing something that could have a big cyber implication and the consultant's not there to bring it up. Who's going to figure out that that's kind of a risky thing? Or when HR is talking about, hey, we're going to go hire a bunch of people in Eastern Europe because it's a lower cost situation, the consultant's not there when that topic comes up.

So if you don't have somebody who's always there listening to all of these topics, we all know that cyber comes into everything, not just one particular presentation.

Kip Boyle: Everything.

Jake Bernstein: And I've seen that in my ostensibly cybersecurity focused law practice ends up inevitably branching into product, HR, contracting everything. And why? Because cyber goes everywhere. You can't just bring in an outside consultant with no relationship or no extended understanding of the business as a whole and expect to get a lot of value out of it.

And I think now is a good time just to mention, talk about it. The new SEC rules, this is very important, they don't require companies to have cyber expertise on the board quite yet. We're not yet to that Sarbanes-Oxley level where it's a requirement that you have someone on the board. Instead, it's kind of the next best thing, and it's certainly better than nothing, but now companies, and we're just starting to see this because you only have to do it when a public company files their annual 10-K, which I am getting a crash course education in from my public market partners, usually on the East Coast. And it's only January 26, 2024 as we record this episode, which means that frankly very few annual 10-Ks have been filed as of yet.

And I can tell you that there's a lot of clients waiting around, "What are people going to say? What's it going to look like? Do you have a template?" Well, no. "Does anyone else have a template?" Well, no, this is new. And the reason is that the rule that the SEC has passed requires a company to disclose a whole bunch of information about the cybersecurity expertise, or lack thereof, on their boards. And like I said, it's not as good as a requirement, but it's a heck of a lot better than nothing. I'm curious, Vanessa, particularly given that you made this decision before this rule was even public, what did you feel like when you learned about this new rule?

Vanessa Pegueros: I actually was happy.

Jake Bernstein: Yeah, I would imagine.

Vanessa Pegueros: I think that, as you can see, even the 8-Ks that have been filed recently, would we have ever known about those incidents if it weren't for the role? And so I think it's good, it's healthy, it shows by having more and more of these 8-Ks, we're going to start to see how pervasive and critical this problem is. And the SEC will start to gather the data points to say, I think we have enough now to know that we're going to require expertise at the board level. And-

Jake Bernstein: Just to remind the listeners, an 8-K is what must be filed when a company experiences a material cyber incident. And those can be filed all the time. The 10-K is an annual report.

Vanessa Pegueros: But the SEC rules require public companies to now, the new rules require them to file this. I think before they should have filed it, but I think now it's just clear I need to file it now when this incident occurs. Where before I think, I mean no offense to lawyers, but I think there was definitely a lot of room to say, "Oh, we don't have to share this publicly. These following things did not happen." And so I think that that is a little different. I think that you're going to see more disclosure of incidents through the 8-K.

Well about to the 10-K, one of the things I think is really important is a lot of these disclosures have typically been handled by the general counsel. And so I think with these cyber rules, that the general counsel is going to have to go talk to the CISO unless they want to risk saying something that is not true publicly and then end up having an incident occur, and then everybody finds out that, oh, what they said in their 10-K really wasn't true. So that is going to be a new dynamic that I don't think maybe some companies did that, but I'd say most didn't. And you're going to have the CISO now having a view and a perspective around what is filed publicly in these 10-Ks. And I personally advocate for the GC to talk to the CISOs on the boards I'm on. So you need to make sure that that's reality because the last thing I want to do is, again, publicly state something and have it not be true internally.

Jake Bernstein: Yeah, I go beyond that and I tell my clients who, and I often interface with the GC, but also with the CIO and I say, "You have to talk to each other. There's no way that either of you can do your job effectively these days without being partners, without having a close connection between legal and security."

Kip Boyle: That's why this podcast exists, by the way.

Jake Bernstein: It is.

Kip Boyle: Right?

Jake Bernstein: It is.

Kip Boyle: The CISO and Jake, the attorney, constantly comparing notes with each other about Jake's asking Kip, "How do you operationalize this?" And Kip's asking Jake, "What the hell does this even mean?"

Jake Bernstein: Yeah. And I mean I think the effect of the 10-K requirement, one, I wouldn't be surprised, Vanessa, if you start getting solicited for boards. Which is a perfect opportunity to segue into the last part of this episode, which is, sorry to steal your question, Kip.

Kip Boyle: Go for it.

Jake Bernstein: How and why are you serving at the board level? And then I know you're going to talk a little bit about that, but also let's consider what does this new 10-K requirement mean? I do think that it's going to change the way that boards are formed because people are going to look for folks with cyber experience. Or do you think that's going to happen?

Vanessa Pegueros: Yeah, I have some interesting data points on that, things I've heard from board members. So let me start with why. I want to go back to actually a question you brought up earlier, Jake. I think if a CISO is thinking about joining a board, I think they'd really need to understand why do they want to be on a board? And I unfortunately all too often hear, "Well, I'm going to retire and I just want to do board work." I have a board that last year I spent 300 hours on, I counted it up. It can be incredibly time-consuming. And on top of it, you're not meeting 8:00 to 5:00. You meet when the other board members can meet. So that's eight o'clock at night, on the weekends, whenever, because many board members have full-time roles. They're CEOs, they're doing other things. So you have to accommodate the schedule. You also have your fiduciary duties, and if you do not do your job well, it reflects very poorly on you, at some point legal liability personally, which we could talk about later-

Jake Bernstein: Oh, there is. That's a big deal.

Vanessa Pegueros: ... and come to the board level, especially things around cyber. So I tell people, don't do it because you're retiring; do it because you enjoy it, that you enjoy governance, that you understand what a director's going to do. If you're doing this for a paycheck, it's the wrong reason to do it because then you lose your independence. Think about that. I don't want to lose my board role, so I'm going to kind of go along with everybody because this check is nice and I don't want to jeopardize not being on the board and losing that money. And that's a problem. That's an independence issue in my mind. Not all board members think that way, but you need to be on a board and be very bold about your position, and you need to not worry about losing your board role. If the board decides you're not the right board member because you're too outspoken or you don't agree with them, probably not the right board for you to be on. So I think-

Jake Bernstein: Well, and not just probably not the right board to be on, but you may find yourself in a situation where you cannot meet the fiduciary duties that you owe to the company. And you should leave. You should leave if you can't be effective. And I think you're exactly right. I mean, it's not a job. I mean, it can't be something that you rely on that otherwise you don't have any independence.

Vanessa Pegueros: And I think the other thing when I think about CISOs being on boards is, and this goes to the argument why I've heard board members say CISOs shouldn't be on boards, "Well, they're just too narrow. They're just only focused on cyber. They don't really understand the broader view." And I think that there are some CSOs who are very narrow and stay focused in their kind of space. inaudible-

Kip Boyle: And they talk in ones and zeros all the time.

Vanessa Pegueros: Huh?

Kip Boyle: They talk in ones and zeros all the time.

Vanessa Pegueros: Yeah. They're probably not going to be a good board member. So you need to look at yourself. And I looked at myself, I always had a broader interest in just, I love technology, but I had a broader interest in business. I got my business degree after having gotten my technical degree. I realized I enjoyed thinking about strategy and marketing and sales and how that all worked together. And you have to have a bit of a passion for that. And I feel like being on the board allows me... When I was in my... outside of OneLogin and where I reported directly to the CEO, most of my roles were not directly the CEO, but now I've found that, hey, I get to be in all the CEO conversations and have that impact at a strategic level that is very satisfying to me.

There's a lot of self-reflection there that you have to think about, do I really enjoy all aspects of business or do I just really like the technical stuff? I think for me, serving on a board is satisfying and appealing to my broader view of business and the implications there.

Kip Boyle: And it's a real governance, risk and compliance focused set of responsibilities and tasks is one of the things that I'm taking away from listening to you talk, Vanessa, is that right?

Vanessa Pegueros: Yes, it is very much governance, risk and compliance. But it's also business savvy too, understanding competitive environments, understanding emerging trends, especially in technology and how they'll impact the business, being able to think ahead and look to the future and see how that's going to impact your business today, or in five years. So just you have to be a systems thinker and you have to think broadly. And I think those make good board members.

Jake Bernstein: So maybe just let us know or tell us how did you obtain these board positions? What's it like? Given that we do want, in particular our audience, folks who are cyber risk managers to start thinking about being on the board or on being on boards, how do you do it?

Vanessa Pegueros: Well, after you decide, hey, I really do want to do it and I think I have the interest and passion and skill sets to do it, then I think what you have to do... I mean, it's really tough to get on a board without a C-level title. I mean, if you have a VP title, yeah. But I have people I talk to who are director level, and it's really difficult to get on a board if you're operationally a director. You have to get to that C-level somehow. It's the best thing.

I think the other thing is you have to, in your current operational role, get exposure to as many other different business areas as possible. Get involved in projects that will round out your operational experience, so that when you're being interviewed for a board, you can talk about all the things you've done with the business and how you understand go-to-market and how you understand other areas. You could have gotten that experience through working with or advising a startup; there are different ways to get this experience.

But in my first board interview, they didn't ask me one question about cyber. Not one. They asked me questions about things around go-to-market, they asked me about strategy, they asked me questions about customer perspectives. It was a security company. So this process takes anywhere between, I'd say, nine months to 18 months to get on a board. The process is long. From the minute a company starts to look for a particular skill set or type of individual that they want, it takes a minimum of nine months and it could stretch out further. For one of my boards, it took a year from the very beginning of the process before I got on the board.

Kip Boyle: And there are no job postings for this. That's your point, right? How did that board that you mentioned, the one that took a year, even know that you were available and interested?

Vanessa Pegueros: It's good to get involved in board networks; there are a lot of them. And because of the DE&I efforts, there are a lot of different networks for women now. The one opportunity I got for that board came through an organization called Him For Her, which focuses on placing women. But their approach is that they work with very prominent male leaders to collaborate and work together to get more women on boards. That's why they call it Him For Her. And there are others. There's the OnBoarding Women program in Seattle. There's a ton of them. And for men, there are things like the Black Boardroom Initiative, which is inclusive of men, and the Latino Corporate Directors Association, inclusive of men. Now people might say, "What about the white men?" I think that's where your personal network is probably, in a lot of cases, pretty powerful and connected. I think these organizations are helping groups of people who don't have those personal networks at all.

Jake Bernstein: Exactly. And I wouldn't be surprised if we start seeing cybersecurity specific organizations.

Vanessa Pegueros: Exactly.

Jake Bernstein: Because I mean it doesn't... Again, as we've been saying, there's no legal requirement, but if you as a company have to tell the world, or the US at least, that you don't have anyone on your board who knows anything about cyber, you're probably going to start looking. So that's going to be really interesting to see what happens over the next 18 to 20 months.

Kip Boyle: That'd be kind of a swallow the gopher thing, right? All these boards in a flash are going to want people. By flash, I mean like two years.

Vanessa Pegueros: Well, that goes back to a question you asked. I wanted to share some data points on that. Again, the big thing I hear from existing board members is, "We don't need somebody that's specialized on our board. They're too narrow, they don't see the big picture." So that is keeping boards from bringing on cyber expertise.

Jake Bernstein: That will be a mistake, in my opinion.

Vanessa Pegueros: Yeah, but I think this is where things have to get worse before they get better. This is a great example of that. But I also think there's an obligation on the part of the cyber community to demonstrate that they aren't just the one trick pony, right?

Jake Bernstein: I agree with that too. Yes, that's also totally fair.

Vanessa Pegueros: And so I think that when CISOs present to the board, it's a great opportunity for them to demonstrate that they are not just about the vulnerabilities, but that they understand the business. They could talk about, "Oh, we realize that this particular thing is having an impact on our customer onboarding process." Just an example. "We've done these things to make that a little more frictionless, so we can onboard our customers more quickly," tying their work and activity back to things that enable the business to generate more revenue. The more they can demonstrate that at the board level, the more these board members are going to see them and say, "Wow, they're really like a business leader, not just a technology person."

Kip Boyle: That's a big leap, right, Vanessa? Because I know when I became CISO, I had to change the way I operated compared to the way I was when I was a security engineer or a security architect. I had to completely change the way I operated. And I would imagine that you've got a similar metamorphosis you've got to go through to be [inaudible] on a board?

Vanessa Pegueros: Yes. And you have to like it Kip, right? I think I just know a lot of cyber leaders that don't really like that stuff.

Kip Boyle: Right. Right. Absolutely, right? They want the ones and zeros. They want to be involved in the details. And God bless them. Nothing wrong with that. It just doesn't really align well with board service. And one thing I wanted to contribute here before we wrap up the episode, because unfortunately we're running out of time, is that I've served on the board of a small $1 million nonprofit. I did that for three years and it was eye-opening. And a lot of the things that I'm hearing you say right now about your service on much larger boards actually match up really well with what my experience was at that very small level. So I would think that if you're interested in board service, if you're a member of the audience listening today, you might first try to serve on the board of a small nonprofit in your area just to see what you think of it. And don't join as the cybersecurity expert; just join as somebody who believes in that mission.

Vanessa Pegueros: Kip, I really agree. I think nonprofit board experience, especially if it's a well-structured nonprofit, can be very valuable in terms of experience and exposing you to things. The thing I would say is that a lot of times for-profit companies don't give much credit to people for nonprofit board experience, but that's not why you're doing it. You're doing it to get yourself exposed, like you said, to governance, the process. And well-run nonprofits have committees and structures, and they teach you the basics of governance. But again, it's not the ticket to say, "Oh, I'm on the board of this nonprofit, and therefore you should bring me on yours."

Kip Boyle: Right. No, it's not. But it's a way for you to find out for yourself, do I [inaudible] this, before you start to try and make bigger waves. I wish this conversation could keep going in this podcast episode, but we are out of time, Jake. We are.

Vanessa Pegueros: One thing, if people do want to reach out to me, I do have a website. At the bottom, there's a form you can fill out to reach out to me. It's VanessaPegueros.com.

Kip Boyle: I will put that in the show notes so people can access it. And then what about LinkedIn? Are you there? Are you on social media right now?

Vanessa Pegueros: I only do LinkedIn really.

Kip Boyle: Okay.

Vanessa Pegueros: Pretty much. I have an account on all the others, but I don't do anything with those.

Kip Boyle: You and I have that in common. Okay. Well, cool. Any last words, Jake?

Jake Bernstein: Nope.

Kip Boyle: Vanessa, [inaudible]?

Jake Bernstein: I think we're good.

Vanessa Pegueros: Yeah. Thank you. This was interesting.

Jake Bernstein: Very good.

Kip Boyle: Well, if you want to come back and do another episode with us, Vanessa, if you want to talk more specifics, we would love that. But for now, that wraps up this episode of the Cyber Risk Management Podcast. Today we talked about cyber risk management at the board of directors level, and we did that with our guest, Vanessa Pegueros. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at CR-MAP.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.