The information security industry is rife with initiatives and organizations, one more formal than the other, that would benefit from able and competent boards. From the Security B-Sides organization, OWASP, ISSA and the Cloud Security Alliance to ISC2, over the years it has become clear that building and maintaining a competent and agile board proves to be a relative challenge. While each organization is different, the issues they face are similar. This post does not address the specific concerns of a single organization but rather tries to frame the need for dedicated and competent board members against the backdrop of an industry and community that continues to struggle with its own identity. It should provide guidance to both people with board ambitions and those looking to support them. Anybody identifying themselves with an organization and its membership should ask themselves at least the following questions.

Why me?
-------

The first answer to this question could be 'Why not?' but the answer lies in the fact that it is a flawed question to begin with. The real answer should be 'Who cares? This is not about YOU.'

A large following and a well-known name will obviously make it significantly easier to obtain a board seat, but it is just as important to note that very few organizations provide board seats as a 'badge of honor'. The position comes with both a decent dose of responsibility and the requirement to put in hours. If your first reason to aim for this position is that it will look good on your resume then you're not only in for a surprise, you're also about to hugely disappoint yourself and the people that rely on your engagement to make things happen.

'Servant Leadership' is a term that is overused these days. The essentials of the concept are very relevant for the aspiring board member though. It only starts when a community or membership provides you the opportunity to serve. Within that mandate is your obligation to serve your constituency with only the common interest on your agenda. Where you may expect the additional 'badge' to propel your career to soaring heights, you will rather find yourself spending numerous cycles on complex problems with no inkling of personal reward in return. Instead your reward lies in the value and benefits you create for your constituency.

While this may look like an awesome prospect, 'servant leadership' takes a special kind of person. Is that person you, or is the person you're planning to vote for that kind of person? Your answer here is the same answer to the question 'Why me?'

What does a board member do?
----------------------------

The common perception remains that a board member is an individual that is detached from reality and making decisions that are largely beyond the comprehension of the InfoSec commoner. Obviously this happens from plush board rooms while being copiously wined and dined in some cases. Not for the majority though.

A board member is responsible for setting the strategic course of an organization, is essential to governing the organization, and IN NO WAY gets involved in managing the organization. Most organizations have an executive management team that runs day-to-day business according to the board-defined strategy.

Our industry is composed of 95% people with a 'DO' mind. It behooves us to realize that within this big population, the number of 'servant leaders' with a vision and strategic ability is relatively low.

As a board member you will spend considerable time outside the boardroom interacting and getting to understand your constituency as well as defining and fine-tuning the strategic initiatives for the organization. Yes, this is time you will not be spending with friends and family or building your personal brand at conferences. This is time you will once again dedicate without a tangible reward. Worse, everything for which you are designing the blueprints today may only have results years down the road. You may no longer be a board member when that happens.

Are you ready for this? Is the person you are about to support ready for this?

What does it take to be a board member?
---------------------------------------

It is no surprise that many board members are perceived as 'old people' with nothing better to do. One couldn't be more wrong. As explained above, your responsibility is to define the strategy of the organization and work with executive management to ensure that the strategy is executed against. Once again we need to emphasize that this is 99% backstage work that very few people will notice. At the same time you are working on a fringe where a deep understanding of people in general, business acumen and strategic insight are essential to your relative success. A solid understanding of industry history and organizational psychology may prove useful.

Where a personal brand could be useful to land you a seat, it might be helpful to think beyond that point. Do you have what it takes to make the difference? Are you the best option for your constituency?

As a voter, are you sure that this person is the person that will run into the end zone for your agenda or is there a bigger chance that he/she will be tackled on the way there?

What will I contribute?
-----------------------

So, you're confident that you will make it to the board, whatever the process within the specific organization entails. The last question to ask yourself before making the jump is what you will contribute. Do you have a solid platform that you'll be able to measure success against during and after your tenure? There was a time when 'change is needed' was enough to give it a shot. Continuous professionalization of boards across organizations such as OWASP, ISSA, and ISC2 has significantly raised that bar. Persons like Stefano Zanero (ISSA), Jim Manico (OWASP), Wim Remes and Dave Lewis (ISC2), amongst numerous others, have set a new standard that makes 'rebel candidates' unacceptable exceptions. As our industry matured, the organizations through which we are represented have become multi-million dollar organizations that not only work to support a message but also sustain families of employees and professionals the world over. Your need for an ego boost may have a larger impact than you have bargained for.

'Just change' isn't what we as an industry and community are looking for. We are looking for exceptional leadership that can pull us out of the swamp of “cyberwar” and “APT” onto the shore of relevancy and vision.

Will the real Slim Shady please stand up?

Footnote
--------

We understand that this post comes on the heels of ISC2's yearly election announcement. It isn't aimed at a specific organization or individual board candidates.

We have watched elections and board transitions within various organizations over the past few years, and the recent trend of 'famous' candidates with little to no platform is a concern we believe we share with a considerable part of this industry and community. We offer this post as a point of reflection for both potential candidates and their constituents. Obviously, within the rules and bylaws of each separate organization, we can't prevent anybody from becoming a candidate. We do believe that candidates should carefully consider their candidacy and their responsibility towards their constituency before stepping to the plate.