
May 5, 2025
Inspired by the vision of one of the industry’s most popular executives, use this compendium of advice to make the leap to board directorship.
The pressure on public company board directors to expand their knowledge and understanding of cyber risks points to the logical conclusion that, like CFOs, a CISO should have a seat at the table at most enterprises.
At RSAC 2025, CrowdStrike (a Zscaler partner) CEO George Kurtz used his 20-minute mainstage keynote to make this argument and outline how a CISO can make the leap.
Kurtz pointed out that the gulf between the cybersecurity expertise needed and how little is currently present across corporate boards is an opportunity for CISOs looking to broaden their impact and careers. The gulf is widening because cybersecurity is, in the words of Kurtz, “no longer a compliance suggestion, but rather a governance mandate.”
The same forces that drove more boards to include CFOs over the last few decades, such as the regulatory requirements of the Sarbanes-Oxley Act of 2002, are now at play for CISOs, he said. These leaders have increasingly direct influence over the fiduciary care of an enterprise impacted by cybercrime, innovation like AI, and information technology writ large.
“If we look at the average market cap loss of any security breach for a public company, it's $5.4 billion. So it's not just regulation that's actually driving these sort of changes, right? It's actual dollars. And this is why cybersecurity is showing up on earnings calls and shareholder letters. It's a technical issue and a business event. Obviously it's a real problem,” he stressed.
A highlight of Kurtz’s message was his practical tips for how CISOs and future CISOs can land a spot on the board of directors. Coming from a CEO rather than a security expert, the advice exuded credibility. (Kurtz recently overcame a high-profile crisis due to a CrowdStrike service outage.)
What it comes down to for aspiring board directors is three things: learning business and financial acumen so you have skills like deciphering financial and proxy statements; speaking the same language as boards so that you are understood; and building your brand so that you are top of mind when opportunities arise.
Kurtz shared a great piece of advice based on his experience with HPE: “I'm going to let you in on a little bit of a secret here. If you want to get a board seat, one of the best ways to do that is to actually find an opening on one of the committees that gets your skillset.”
“You have to get out of the technical circle and you have to understand what drives a business, what drives a board, and really, really what's important. So as a board member, this is critical and you have to shift your mindset from a tech leader,” he said. The mindset of the board orbits three core things: time, money, and legal risk.
Kurtz’s keynote covered the history of corporate boards, the evolving composition of them, and how ambitious CISOs can join them. You can watch it on-demand.
If the CrowdStrike founder and leader’s message resonates with you, then the Zscaler CXO ecosystem is a great resource to learn about presenting to and serving on boards, and how boards can improve their knowledge of and mitigate cyber risk.
Below are tips gathered from across our community for aspiring directors or those aiming to be more influential when presenting to boards:
Uplevel business skills
Material on how CISOs engage with boards is plentiful, but there is far less on CISOs joining boards, since it is a relatively new trend. First research general, role-agnostic resources, such as those for CFOs and CEOs. Then consider:
- Corporate governance - Training programs and certifications, such as those offered by institutions like the National Association of Corporate Directors (NACD), will help you understand fiduciary duties, shareholder engagement, and governance structures.
- Financial literacy - Courses in accounting or finance will show you how organizational strategies tie into financial performance.
- Risk management - Expand knowledge of enterprise-wide risk management beyond cybersecurity to include financial, operational, regulatory, and reputational risks.
- Business strategy - Gain experience in business strategy by actively engaging in strategic planning at your current organization and be the authority on how cybersecurity aligns with broader business goals and growth objectives.
- Legal and regulatory - Know the intersection of cyber with legal frameworks and compliance requirements that impact public companies, such as SEC regulations, privacy laws, and other governance mandates.
Speak the board’s language
Below are the ingredients you need to ensure all paths eventually lead to those endpoints:
- Soft skills - Enhance your communication, influence, and collaboration skills. Boardrooms require concise, impactful communication with diverse stakeholders, often about complex but high-level topics. Soft skills are key. Aspiring directors should keep a heightened sense of how they present themselves and the value they bring to sound credible.
- Cross-functional leadership - Volunteer for or participate in initiatives outside the cybersecurity domain, such as marketing, operations, or customer experience. This demonstrates a broader understanding of business functions.
- Advisory boards - Serve as a board observer, member of advisory boards, or a consultant to boards within your industry or professional network to obtain practical exposure to how boards operate.
- Business outcomes - Learn how to toggle your conversations between technical details and how cybersecurity initiatives impact the business. Connect security updates to financial performance, regulatory compliance, risk mitigation, and operational resilience.
- Executive-friendly summaries - Present information in a concise and structured manner. Use executive summaries, bullet points, and visuals like dashboards or heat maps to deliver clear and actionable insights with precision.
- Board-level questions - Anticipate strategic or financial questions that board members typically ask, such as the cost-benefit analysis of cybersecurity investments or comparisons with industry peers in managing cyber risk.
- Storytelling - Use real-world examples, analogies, or case studies to make complex security concepts relatable.
- Transparency about challenges - Get comfortable being transparent about risks, incidents, or gaps in the organization's cybersecurity program while providing a plan of action for how they are being addressed.
- Metrics and KPIs - Learn to use board-relevant metrics, such as time-to-detect and respond to threats, potential financial losses from cyber incidents, or compliance with industry standards. Avoid overwhelming the board with overly technical or granular data.
- Active engagement - Communicate with confidence, listen attentively, and encourage questions. Show that you value board members’ insights while positioning yourself as a trusted advisor on cybersecurity matters.
- Cybersecurity as competitive advantage - Be able to articulate how robust security practices can be a selling point for customers, investors, and regulators, differentiating the company in the market.
Build your brand
In addition to many of the actions listed above such as serving on advisory boards and earning board-specific credentials, CISOs should consistently showcase a blend of technical expertise, strategic insight, and leadership beyond cybersecurity – while developing visibility in board-relevant communities.
- Professional networks - Build relationships with business leaders, investors, and board members to develop exposure to board-level conversations. Networking can also help identify mentoring opportunities to learn from experienced directors.
- Cross-functional leadership - Highlight experiences in working collaboratively with other departments, such as finance, operations, marketing, and legal. Demonstrate how you contribute beyond cybersecurity to support overall business strategy.
- Thought leadership - Spread thought leadership by publishing articles, blogs, or white papers in reputable industry outlets on cybersecurity, risk management, and governance topics, and speak at conferences, webinars, and panels to position yourself as an authority on cybersecurity’s role in corporate strategy. The goal with thought leadership, according to Kurtz: “It’s about building your brand around how people think of you. Do they think of you as just a tech person or a security person that walks into the boardroom for 15 minutes and goes through a bunch of gobbledygook? Or are you the person who gives your presentation to the board and then says, ‘Hey, I'd like to stay for the rest of it. I'd like to stay on the committees. I'd like to be a fly on the wall.’”
- Board fit - Find and target companies and boards where your personality and expertise are a good fit with a common mission and values.
Getting on board
Once on a board committee, you, as the CISO, will be in a great position to use your expanded skills. Fellow directors will look to you to lead the charge or influence top board issues, including risk assessments, financial impact of cyber risk models, and the overall direction-setting of cyber strategies.
Like CFOs, it’s the perfect time for cyber leaders to take their leadership seats in boardrooms to help their organizations navigate the digitalized and volatile future securely.
Learn about Zscaler + CrowdStrike and how they, with Okta, help lead the Cloud Security Alliance Zero Trust Advancement Center (ZTAC).