Last updated: August 14

How this national CEO dealt with a data breach & positioning you as a paid board of director advisor 

Helping companies reduce penalties and fines while avoiding data breaches is a solution many of our clients bring to their own companies. Data breaches are a massive problem companies are facing in the post-pandemic business environment. Helping organizations close the gap is less complicated than you may believe when you consider your own success managing (or mitigating) a crisis. 

And because of your experience, you may be an ideal candidate for a board advisory role serving a public or private board of directors. This article explores the primary differences between a fiduciary board and an advisory board opportunity, top current issues facing organizations and my short and recent interview with the CEO of a national organization that recently experienced a massive data breach. 

According to another 2021 World Economic Forum report, “corporate leaders are increasingly elevating the importance of cybersecurity to their companies.” 

Here are the top five concerns based on a survey conducted in 2021:

  1. More complex cybersecurity challenges, including ransomware attacks and “fake news.”
  2. Fragmented and complex regulations across borders.
  3. Dependence on other parties and the ecosystem is only as strong as its weakest link.
  4. Lack of cybersecurity expertise, particularly in ransomware, an exacerbated threat during the pandemic.
  5. Difficulty tracking cyber criminals (the likelihood of detecting a cyber criminal is as low as 0.05% in the US). 
Cyber security

If your expertise is in the growing discipline of cyber security, computer security, information technology, and data protection—helping your board remain safe from information disclosure, theft of or damage to hardware, software, or electronic data, and from the disruption or misdirection of services they provide, your expertise may be highly marketable. 

Whether your experience is in the technology side or the policy side, that experience is extremely valuable. 

Many CEOs and other CXOs have operational expertise that we have positioned for boards of directors needing to reduce risk and fortify their business strategy and business continuity plans. Whether you’re seeking a fiduciary board seat or an advisory board seat, your expertise can help an organization and its customers protect their digital assets, remain compliant, protect the company brand, and keep customers (and regulators) happy. 

An advisory board role can also serve as a roadmap to a fiduciary board opportunity and is an important component of your career plan. Explore the key differences between an advisory board opportunity and a fiduciary board opportunity here

Fiduciary boards require a foundational knowledge in corporate governance practices while advisory boards are typically created to advise the organization on a specific project or a specific topic. If board service is in your career plan, think about leveraging your industry expertise as an advisory board member.

Visibility Venn Diagram (final Aug 14 2021)

According to the same study by the World Economic Forum, information security was the most important aspect of technology initiatives and 44.7% of respondents indicated information security is the most important objective. 

Lack of visibility is often the biggest barrier to entry for CEOs who aspire to serve on a board of directors. Business technology executives sometimes discount their experience as too junior, too specialized, or irrelevant for board service. 

However, this is not the case.

Industry Experience

Take Victoria, for example. Victoria is a Chief Product Officer with experience in artificial intelligence (AI), machine learning (ML), block chain, and cloud systems with a track record for scaling businesses from zero to $148M+ in annual recurring revenues in less than 37 months. Victoria’s current and relevant experience in real-world technology issues ensures her skills and insights are in demand. 

Corporate Governance Knowledge

Victoria doesn’t have a board certification, which has not stood in her way of serving on advisory boards for Fortune 100 companies for organizations with $42B+ in revenues. Victoria’s strategy is very simple. Although she doesn’t have a director certification, she is well versed in corporate governance issues. Director certification ensures the board candidate is trained in governance models, including the role of board committees, legal issues, executive compensation, audit issues, regulatory compliance, and risk mitigation. It doesn’t replace real world experience. 

Executive Branding

Without key messaging and a targeted audience to share the messaging with, Victoria would not have catapulted her career to the top of her industry. She understands that she must work on her career (marketing) as well as working in her career (expertise). 

Raise your visibility with board-level and CEO decision-makers

Victoria is always available to lend a hand, to advise the CEO, the board, customers, vendors, and employees and although there is no formal job description for doing so, she knows that “out of sight is out of mind”. She remains visible to key decision-makers and because of her willingness to share her knowledge, she is trusted among the top echelon of every organization she’s served. 

Victoria is an expert at raising her visibility and this is how she did it. Consider this approach an extended networking strategy. 

  • Speaking at appropriate level conferences and seminars is an excellent way to raise your visibility in the marketplace. Consider targeting events hosted by CEO groups and governance organizations, such as the Institute of Corporate Directors (Canada) or the National Association of Corporate Directors (United States). If you’re not in these countries, your country will have a similar type of organization.  
  • Position yourself as an industry insider “Data Breach Lessons Learned from an Industry CISO Insider”. You will need to consult your employment contract and media policies before doing so; however, speaking at industry conferences not only raises your own personal brand and visibility, but enhances the employer’s brand. It’s a win-win outcome.  
  • If you are a diverse person of color, you may benefit from the expertise of DiversForce.com, an organization that assists people of color to train for and access board opportunities across the United States. 
  • Author a white paper showcasing your product development expertise (or your own expertise) using a SARI formula. Outline the: situation, action, result, and impact on the organization or the team. Use the same topic to create a white paper. There is no need to a brand-new story. Repurpose your signature story to create branded messages that resonate with your targeted audience. 
  • Create a case study showcasing your experience managing major crises. If the data breach or other type of breach is confidential, you can fictionalize the details and speak to outcomes only rather than specific details. You won’t want to over-expose your organization, obviously. Very few industry insiders consider this option, but it can be a powerful enabler for your career. 

Governance, Risk, & Compliance (GRC) Function

Establishing the foundational tools and processes for ensuring regulatory and internal security policy compliance are keys to keeping an organization’s assets safe. 

You’re likely familiar with the following example and this is how you can lend your expertise to a board. 

  • Establish governance, risk & compliance teams to socialize awareness of the value of GRC. 
  • Obtain GDPR compliance to manage compliance risk and protect customer information.
  • Implement an electronic GRC application to centralize compliance and security governance efforts and policies to increase efficiency and effectiveness of regulatory compliance regulations, such as SOX and GDPR. 
  • Complete online training for Global Information Security: Safeguarding Company Information to employees and vendors. 
  • Publish information security requirements for Identity & Access Management (IAM) in standard operating procedures (SOP). Test and retest the SOPs for efficacy. 
  • Ensure the security of system development efforts by integrating security requirements into the SDLC (Software Development Life Cycle) process.
  • Implement a streamlined third-party risk management program (tools and processes).
  • Create a Data Protection Program establishing standards and governance and coordinate data security efforts for data breach and IP theft avoidance.
  • Establish a comprehensive Identity & Access Management governance program to reduce the likelihood of penalties and fines and most importantly to avoid data breach.
  • Adhere to third party risk management, regulatory compliance, and SDLC processes and perform regular internal security control assessment efforts which will reduce likelihood of penalties and fines, while meeting regulatory requirements and avoiding data breaches.
Data Protection

CEO of a national Canadian organization weighs in on her experience with a major data breach in early 2021

As the CEO of a national organization, Aveling’s board experienced a major data breach in 2021 involving the deliberate exposure of key internal documents and intellectual property that exposed confidential (and controversial) information.

We spoke recently about her experience in preparation for this article, and here is our conversation:

Maureen: “Aveling, what would you have done differently to protect your organization from exposure?”

Aveling: “Our board of directors was ill prepared for the breach. Specifically, they didn’t understand their accountability regarding how governance data, information, and communications are shared externally. The intentionality of the breach was difficult for everyone in the organization to accept.”

Maureen: “What practices have you implemented?”

Aveling: “We now ensure directors are fully trained during their onboarding process, as well as undergoing a quarterly review of information management policies. We also ensure that each member of the board has a unique user ID for the technology we provide for them with strict VPN access because of the sensitive nature of the work we undertake and products we produce. Our organization previously was largely paper based with weak security controls outside of our production process. 

Now when we access key documents in our board database, each impression is watermarked so we know who has access the information with date and time stamp. Our documentation and its access by employees and the board is far more controlled than in the past. 

In addition, we were complacent. We had hired a third-party board management company who was engaged to protect our critical information. When the crisis occurred, the third-party company was unable to assist us. They were not able to determine the date, time, or the user ID of the employee who leaked the information. This was intensely disappointing, and we now have a crisis management team who conduct strict due diligence on all third-party vendors to ensure our organization is not exposed.

We terminated the vendor and took complete control of our plan.”

Here is her new risk mitigation plan: 

  • Improve regulatory compliance to reduce likelihood of penalties and fines
  • Require line managers to train and educate regarding potential exposure and required compliance
  • All employees will be trained by the end of Q3 2021
  • Ensure mature product security to enable increased capabilities of products with minimal exposure
  • Enhance investor and customer confidence by removing security as a prohibitor for new business
  • Ensure products are tested and retested with clear metrics and carefully track
  • Protect sensitive data to mitigate data breaches and intellectual property (IP) theft
  • Develop a detailed inventory of intellectual property ensuring only required employees have access to methodologies. Even our receptionist is trained on intellectual property matters and third-party vendors have restricted access to our IP
  • Data Loss Detection as new policies are established which are now rapidly decreasing once full reporting began both employee error and malicious activity
  • Develop a crisis incident management plan to reduce impact during a crisis
  • Ensure there is a strict contractual review of third-party vendors
  • Establish a recalibrated and strengthened vendor selection and quarterly vendor performance due diligence
  • Review of director’s liability insurance policies to ensure appropriate levels of protection
Mitigate risk

“Although the cost to implement such a robust plan is significant, the opportunity costs of not doing so far outweigh the investment. We owe our customers our brand promise of quality products and services.”

From a career standpoint, the CEO is now positioned to advise other organizations based on her experience over the last 18 months. 

At Westgate we help business leaders raise their visibility by creating branded portfolios and case studies that open doors. With powerful signature stories, you demonstrate your value proposition (your unique promise of value) to boards of directors for companies on your targeted list.

Download our advisory vs. fiduciary board asset

We respect your email privacy

3 steps to a LinkedIn profile headline that will jazz recruiters

If you liked this post, please share it with your friends and colleagues.


We look forward to welcoming you into the Westgate Family of success stories.

About executive resume writing author 

Westgate - Maureen Farmer

Maureen Farmer is the Founder & CEO of Westgate Executive Branding & Career Consulting Inc., an international personal branding and career consulting firm delivering premier executive branding and career consulting services for high-profile leaders. Author of The CEO Script Vault: Job Search Scripts for Busy Executives, Maureen believes that when we’re doing work aligned with our values, everyone wins. Using the law of attraction to identify quality employers utilizing the hidden job market is a cornerstone of her career management strategy.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}