CISOs should be on corporate boards, says F-Secure chief research officer Mikko Hyppönen

Companies shouldn't wait until they have a data breach before inviting the CISO to board meetings, advises Hyppönen

Companies should appoint their chief information security officers (CISOs) to the board of directors - alongside CIOs - says F-Secure chief research officer Mikko Hyppönen.

Speaking to Computing at the recent IPSec conference in London, and referencing the recent hack of the records of 145 million Americans from credit reference agency Equifax, Hyppönen suggested that as every company today uses software to differentiate itself from rivals, the CISO now has a key role in the management and oversight of almost every major organisation.

"Cyber security seems to be very reactionary - they [corporate boards] don't think about it because they are not experts in computers, they are not experts in cyber security. They are not comfortable about these things.

"But when something big happens, it becomes a board level issue - for one or two minutes. They invite the CISO or the CIO to their meetings to talk about it, but then it gets forgotten very quickly.

"That's not the right way to do it. It should be a permanent topic at every large company's board-level meetings. Every large company needs a CISO. That CISO should be a member of the executive team," said Hyppönen.

He added that they should be on the board, too.

"The CISO should be on the board, but the reason why is that today every company is a software company. It doesn't matter what you do.

"Equifax is a software company. A car maker is a software company. They do software. Every company does software, and this is the key differentiator between successful companies and less successful companies.

"Digitalisation is how you differentiate yourself today. A hotel is a software company, a restaurant is a software company. Every company is a software company," Hyppönen told Computing.

According to recruitment agencies, though, not only can CISOs demand remuneration in excess of £500,000 per annum, but many are also taking up seats on corporate boards.

The so-called Internet of Things (IoT) will only make matters even more acute, he added. Moreover, when the data IoT devices generate becomes more valuable than the cost of the additional electronics, no one will be able to opt out of the IoT.