Rona Bunn is the CIO of the National Association of Corporate Directors (NACD), where she assists in digital orchestration and leads information technology, data and digital experience. A two-time winner of the Women of Color Technology All-Star Award in STEM, Bunn previously served as the US Department of Commerce’s CIO, Director of International Trade. She currently serves on the board of the IT Executive Management Forum (ITSMF) and has held board positions at the National Society of Black Engineers (NSBE), Washington, DC.
After the program, we spent more time talking about NACD’s mission and its advice for CIOs and CISOs aspiring to join the board. What follows is that conversation, edited for length and clarity.
Many opportunities were at your disposal. Why did you choose to go to NACD?
I was intrigued by the opportunity to drive a major transformation that would ultimately make a big difference in the way the organization conducts business and responds to customer needs. I saw that there is a good nucleus of people with a desire to change in NACD, and that I can really help them reach the next level. It was important to me in the next role. So while other opportunities were much bigger, this was one to use all the things I’ve learned throughout my career in business and technology to help an organization meet its goals.
Also, this is the mission. I always want to feel like I’m doing good, no matter what I’m doing. If you break down NACD’s mission, you realize that what we do is very important to society. We ensure that the board directors can be effective in their roles, and that they have the tools to be able to control the rapidly changing business environment. As a critical part of the governance ecosystem, we impact the economy, social welfare and all those people who rely on these organizations to deliver the results they need. Investors rely on the board to ensure they get the return they expect. And citizens and employees rely on the board to ensure that management staff treat them right and have their best interests in mind. It’s a ‘do good’ story.
How does the NACD help its members prepare for and manage cyber risk?
Cyber security oversight is a shared responsibility across the board. Because there may be other strategic needs for board composition, it may not be possible for boards to have cyber experts on the board, as they only have a certain number of seats. Therefore, we have plans to educate all managers about cyber security.
We have an official Cyber Risk Oversight Certificate Program For our members, created in partnership with the CERT Division of the Software Engineering Institute at Carnegie Mellon University and Ridge Global. We’ve had more than 700 directors become certified in this program through ACB, and we’re constantly updating it for changes in the environment. We also published, in collaboration with the Internet Security Alliance (ISA), the The 2023 Director’s Guide to Cyber Risk Oversight. This is the fourth edition, and it has been distributed to our 23,000 members and made available to the public. The guide, which is approved by the Department of Homeland Security and the Ministry of Justice, guides managers in specific oversight of cyber security, and is one of our most downloaded publications.
For CIOs and CISOs aspiring to be on boards, what are they looking for?
CIOs and CISOs have a great opportunity now to start practicing and learning about board engagement as a senior participant in board meetings. The board wants to engage in a value-added discussion. Technology leaders must move beyond a focus on preserving technology assets and enabling operational efficiencies—that’s an old conversation. They must create multidimensional engagement with the board, and center things around opportunities to lead in business growth through technology, innovation, products and services and spin-offs to the existing business.
CIOs and other CISOs also have the opportunity to educate the board, both about emerging technologies that will help the organization grow or manage threats, and about technology-related risks for operations, strategy, cyber issues, and depending on the industry, regulation. Commitments. We know that only around 42% of boards have cyber-savvy leadership representation, so there is an opportunity to educate and raise awareness of the risks around this.
Senior technology managers also need to focus on the strategic value of technology. This is something we don’t necessarily do well as CIOs – look at the relationship between the value of technology and cyber investments, and the ability to execute our strategy. There isn’t enough conversation and thought to make sure we get everything lined up to actually execute the strategy. You need to unpack the other capabilities needed besides technology to ensure success, and the CIO needs to illuminate that for the board and other executives.
Access to the performance of current technology investments is another area that will provide value to the board. Asks questions like:
- How well do they function?
- Are we reaching the end of life?
- What are the financial implications of keeping these investments?
CIOs should collaborate with CFOs to understand and quantify their operational performance, asking questions such as:
- Does the execution threaten the success?
- Does it maintain competitiveness?
- Does he maintain relevance and understand risks?
These are areas that the board wants to deal with.
In light of many misconceptions, what is the reality of board commitment?
I keep hearing, ‘This is going to be my retirement gig. I’m going to get on the board and make $250,000 a year, and I’m going to perform four times a year and life will be great.’ But the reality is that if you’re going to be on a board, you’re making a commitment to those stakeholders—whether they’re investors, citizens, or employees. You also have a fiduciary duty to be responsible in the decisions and instructions you give to regulatory agencies and the executives who run these companies.
This requires due diligence. Otherwise, there could be legal and financial consequences. You must invest time in understanding the industry in which the company operates, and the environment, and get to know the leadership team. If you don’t know about the industry and what these levers are that make the organization successful, you won’t be able to contribute effectively in the boardroom, much less give important information to assess risks or give advice. You also need to keep abreast of all aspects of the daily change in the business environment, especially if you are in a highly regulated industry. And it takes time to do that research.
Moreover, if you’re on a board, chances are you’re on at least one committee, maybe two, and that means you go to more than four meetings a year alone. You can advise or supervise the work of the management team through serious situations, and you need to do research to understand the problems. We help with this at NACD, but board directors need to learn to understand how recent events should be discussed and handled in the boardroom.
People might think that a board role would be 16 to 20 hours a year, but realistically it might require 10 times that. This is one of the reasons why it’s hard to get on a board while you’re working. There is a significant time commitment to being an effective board member while you have to continue to run your organization.
What does the path look like for a technology manager who wants to get on the board of directors?
I boil it down to three things: experience, exposure and education. Your management experience is great but it is not management experience. One way to get experience is to join a non-profit or a small private board. But you want to get a seat on the governing board. The litmus test for the board is a board that hires and fires the CEO and assigns the management team responsibility for strategy and risk management. You have to find the right board which gives you this government opportunity.
You must get exposure. To get on the board, you must be on the board of directors. Search companies are looking for people, but they will only find you through networks. NACD is the largest networking community of public, private and non-profit directors seeking to expand their network of peers.
The last section is education. You need to know what councils do, how they manage and what the various committees are. You also need to know how to manage money. If you’re a CIO, you might not dig into finances, but you certainly need to understand them if you’re going to be a board member and provide the right guidance and oversight to the organization.
What kind of education does NACD provide to prepare to be on the board?
The current programs we have are for executives at, or just below, the C-suite. We provide education for those at the director and VP level, and for aspiring leaders who want to be on the board one day. But our programs are designed for those who are ready to transition, because it will be difficult to get a director seat if you don’t have C-level experience.
However, there are really two buckets. Whoever is currently on the executive board can Become a member of NACD and pursue the NACD Executive Certification. As part of the certification program, you’ll work through cases that apply the concepts you’re going to learn using our extensive study guide. You will also receive guidance from our consultants, and there are designated study groups that you can join as well. Our goal is to make the NACD Management Certification The standard board management qualification.
For aspiring individuals who have never been on a board, we offer the NACD acceleration A program that provides a path to NACD Directorship certification. Through the program, participants receive two years of NACD membership and can attend educational and networking events in board communities. There is also the basic course, Professional in virtual management, an online training course of meeting room basics with an in-depth study of meeting room practices, which is about 15 hours of on-demand learning. The program provides a great start to understanding what boards do.
Landing that first board seat is like the challenge college graduates face: You need experience to get the job, but you need a job to get experience.
It’s hard, which is why a lot of people take the first step into a nonprofit board. There are great organizations that could use the skills we have to offer. You will get practical experience and be able to greatly influence an organization. It’s a win-win.
For more insights from Ban’s leadership book, go to Tech Whisperers Podcast.
