Why Every CISO Should Be Gunning For A Seat At The Board Table
CrowdStrike CEO George Kurtz delivered a bold call to action at the RSAC 2025 conference: it's time for CISOs to earn their seat at the board table. With economic uncertainty, regulatory pressure, and cybersecurity now among the top risks facing public companies, Kurtz emphasized that cybersecurity expertise won't just be welcome on corporate boards – it will be indispensable.
Board composition has undergone significant changes over the past 50 years. Fifty years ago, board seats were often filled by insiders with backgrounds in finance, law, or manufacturing. Few boards had formal audit committees, and risk oversight was minimal. However, corporate scandals like Enron and WorldCom triggered legislative reforms, most notably the Sarbanes-Oxley Act of 2002. This ushered in modern audit committees and elevated the CFO role, making financial expertise a requirement in the boardroom.
Today, Kurtz sees a similar shift unfolding with breach disclosure regulations and escalating cyber threats driving cybersecurity into the spotlight. He emphasized that cyber risk has become a governance issue – not just a compliance checkbox. CISOs, he believes, are next in line to join the boardroom ranks if they're ready to evolve.
The opportunity is tangible. Kurtz cited statistics showing that while 72% of boards seek cybersecurity experience, only 29% currently have it. This gap represents more than just a market inefficiency – it's an opening for qualified CISOs to step into strategic leadership roles. However, technical acumen alone won't be enough. Boards want more than someone who can explain vulnerabilities or security controls.
"They need executives who understand capital allocation, legal exposure, and business strategy," Kurtz explained. "CISOs must transition from being technical specialists to business leaders." It's not about knowing the most about firewalls or endpoint detection – it's about demonstrating the ability to influence business outcomes and contribute to board-level decision-making.
To help security leaders make this leap, Kurtz offered a simple three-part framework:
1. Up-Level Business Skills
CISOs should understand where and how their company creates value. That includes being fluent in financial reporting, knowing the responsibilities of key board committees, and being able to interpret proxy statements that define director qualifications. CrowdStrike's own board skills matrix is an example of how boards increasingly list cybersecurity and technology expertise as formal requirements.
2. Speak the Board’s Language
"Boards want to know how an issue delays time-to-market, erodes margins, or increases legal liability – not how it affects the patch cycle," Kurtz summarized. Security leaders must learn to reframe threats in terms of these drivers.
3. Build Your Brand and Network with Purpose
Rather than relying on technical reputation alone, CISOs should actively cultivate visibility as strategic thinkers. That means staying in the boardroom after delivering updates, listening to committee discussions, and networking with directors at governance events like those hosted by the NACD.
Over time, that engagement builds trust – and opportunity. To illustrate what success looks like, Kurtz pointed to Adam Zoller, CISO of CrowdStrike, who now sits on the board of AdventHealth. His appointment wasn't the result of a headhunter cold call – it was the outcome of years spent building financial fluency, engaging board members, and being viewed as more than just a security operator.
Another example was Phil Venables, former CISO of Goldman Sachs and a veteran of several boardrooms. According to Kurtz, boards were drawn to Venables not just for his cybersecurity experience but also for his leadership in cloud, AI, risk management, and compliance. "It's never just about security – it's about the broader strategic value an executive can bring," Venables shared with Kurtz.
Kurtz closed his talk by encouraging CISOs to reflect honestly on their own readiness. That includes identifying gaps in business or governance knowledge and building the skills required to earn – not just expect – a seat at the table. He stressed that CISOs need to take some initiative with boards. "They're waiting for somebody to step up to the plate and grab their next board seat."
"The question is, will it be you at the board table?" Kurtz emphasized that the time is now. With board-level cyber risk now a permanent fixture, the demand for security leadership is stronger than ever. For CISOs willing to evolve and engage, the path is clear – and the moment is now.