CrowdStrike CEO George Kurtz walked onto the RSAC 2025 stage with a smile, a swipe at his still-red hair, and a promise: “This is not another AI talk.” Instead, he delivered something far more urgent for the security community—an invitation to reshape the boardroom.
With economic uncertainty, regulatory pressure, and cybersecurity now among the top risks facing public companies, Kurtz issued a bold call to action: It’s time for CISOs to earn their seat at the board table. His message was clear: in the next decade, cybersecurity expertise won’t just be welcome on corporate boards—it will be indispensable.
“In the next decade, every public company will have a CISO on their board or they’ll wish they would have,” Kurtz said.
The Evolution of Boardroom Expertise
I’ve known Kurtz for more than 20 years. I first interviewed him while I was writing for About.com and he was leading Foundstone and had co-authored the influential book Hacking Exposed. Since then, I’ve followed his trajectory as an entrepreneur, security leader, and now, CEO of a major public company.
To explain why CISOs are poised for a governance breakthrough, Kurtz traced how board composition has evolved over time. Fifty years ago, board seats were often filled by insiders—friends of the CEO, typically with backgrounds in finance, law, or manufacturing. Few boards had formal audit committees, and risk oversight was minimal.
That changed dramatically in the early 2000s. Corporate scandals like Enron and WorldCom triggered legislative reforms, most notably the Sarbanes-Oxley Act of 2002. The law ushered in modern audit committees and elevated the CFO role, making financial expertise a requirement in the boardroom.
Kurtz sees a similar shift unfolding today, with breach disclosure regulations and escalating cyber threats driving cybersecurity into the spotlight. He emphasized that cyber risk has become a governance issue—not just a compliance checkbox. CISOs, he believes, are next in line to join the boardroom ranks if they’re ready to evolve.
Boards Want Cyber Expertise—But Can’t Find It
The opportunity is tangible. Kurtz cited statistics showing that while 72% of boards seek cybersecurity experience, only 29% currently have it. That gap represents more than just a market inefficiency—it’s an opening for qualified CISOs to step into strategic leadership roles.
But technical acumen alone won’t be enough. Kurtz explained that boards want more than someone who can explain vulnerabilities or security controls. They need executives who understand capital allocation, legal exposure, and business strategy.
Kurtz made the case that CISOs must transition from being technical specialists to business leaders. It’s not about knowing the most about firewalls or endpoint detection—it’s about demonstrating the ability to influence business outcomes and contribute to board-level decision-making.
A Three-Step Playbook for the Boardroom
To help security leaders make that leap, Kurtz offered a simple three-part framework:
1. Up-Level Business Skills
CISOs should understand where and how their company creates value. That includes being fluent in financial reporting, knowing the responsibilities of key board committees, and being able to interpret the proxy statements that define director qualifications. Kurtz pointed to CrowdStrike’s own board skills matrix as an example, noting how boards increasingly list cybersecurity and technology expertise as formal requirements.
2. Speak the Board’s Language
Kurtz summarized the board’s priorities with a simple framework: time, money, and legal risk. Security leaders must learn to reframe threats in terms of these drivers. Boards want to know how an issue delays time-to-market, erodes margins, or increases legal liability—not how it affects the patch cycle.
3. Build Your Brand and Network with Purpose
Rather than relying on technical reputation alone, Kurtz urged CISOs to actively cultivate visibility as strategic thinkers. That means staying in the boardroom after delivering updates, listening to committee discussions, and networking with directors at governance events like those hosted by the NACD. Over time, that engagement builds trust—and opportunity.
When Preparation Meets Opportunity
To illustrate what success looks like, Kurtz pointed to Adam Zoller, CISO of CrowdStrike, who now sits on the board of AdventHealth. Kurtz emphasized that his appointment wasn’t the result of a headhunter cold call—it was the outcome of years spent building financial fluency, engaging board members, and being viewed as more than just a security operator.
Another example was Phil Venables, former CISO of Goldman Sachs and a veteran of several boardrooms. According to Kurtz, boards were drawn to Venables not just for his cybersecurity experience, but also for his leadership in cloud, AI, risk management, and compliance.
Kurtz shared wisdom that Venables imparted to him: “It’s never just about security. It’s about the broader strategic value an executive can bring.”
A New Mandate for Security Leaders
Kurtz closed his talk by encouraging CISOs to reflect honestly on their own readiness. That includes identifying gaps in business or governance knowledge and building the skills required to earn—not just expect—a seat at the table.
He stressed that CISOs need to take some initiative with boards. “They’re waiting for somebody to step up to the plate and grab their next board seat.”
With board-level cyber risk now a permanent fixture, the demand for security leadership is stronger than ever. For CISOs willing to evolve and engage, the path is clear—and the moment is now.
Kurtz emphasized that the time is now. “The question is, will it be you at the board table?”