Andy Brown, a Zscaler board director since October 2015, sits on the audit and compensation committees and previously served as group chief technology officer at UBS Securities; head of strategy, architecture, and optimization at Bank of America Merrill Lynch; and chief technology officer of infrastructure at Credit Suisse Securities. He holds several other board positions with technology companies.

What are some developing issues your business thinks board directors should be prepared for?

• Attack Surface Management: Boards need assessments based on the National Institute of Standards and Technology (NIST) to understand security vulnerabilities in their environment and visibility into specific investments aimed to reduce the risk of attackers breaching defenses. Do directors have confirmation that security funding levels are appropriate and gaps are properly mitigated?
• Board–CISO Communication: Chief information security officers should update the board at every meeting, with scorecards used to track NIST maturity improvements. Importantly, the board needs to know it will be notified of any incidents before they are called by reporters.
• AI Initiative Risks: Establish an artificial intelligence (AI) governance board with clear terms of reference to manage C-suite pressure for rushed implementations. Proper entitlement controls are required between users, large language models, and sensitive data sources to maintain privacy and data security.

Many cybersecurity oversight issues are easier to manage if the cyber leadership has committed to a Zero-Trust strategy. This lays a strong risk-management foundation for businesses.

What are a couple of tips for directors to ensure they are well-prepared for tomorrow’s challenges?

• Leverage Ready Resources: I wrote a book with Helmuth Ludwig, former Siemens chief information officer, called Cybersecurity: Seven Steps for Board Directors, that gives very practical cyber risk management advice. My colleague Rob Sloan also writes a monthly briefing called “The Director’s Cut,” which is distributed via the NACD Northern California monthly newsletter, that educates directors on cyber and AI risk issues.
• Establish AI Governance: Ensure your company has an AI governance board with clear terms of reference, followed by a comprehensive AI policy that can evolve over time as the organization’s AI maturity increases.
• Pursue Continuous Education: Become more qualified through NACD learning materials and director education programs to establish a baseline of knowledge that enables more effective risk oversight.

What are three ways your business can provide value for board directors?

Zscaler has a wealth of cyber, AI, and technology risk expertise. It’s very unlikely if you have any sort of issue, we aren’t in a good position to help. More specifically though, we are happy to provide:

• Educational Resources: As previously mentioned, we regularly publish materials that are tailored for directors and deliver practical guidance on cyber and AI risk oversight.
• Closed-Door Learning Sessions: As part of our partnership, we deliver intimate lunch-and-learn programs for directors in a judgment-free environment where participants can ask any question without concern.
• Tailored Board Briefings: Upon request, Zscaler can provide customized board-level presentations on cybersecurity and AI risk, delivered directly by appropriate subject matter experts.

What’s your favorite business-related podcast?

My favorite business podcast is All-In. I appreciate getting the venture capitalist presenters’ perspective on market trends, tech, and broader issues. Definitely worth a listen.

What’s your favorite way to foster meaningful connections with others?

For meaningful industry connections, I find the annual NACD Directors Summit™ invaluable, along with NACD’s local chapter events, which are more intimate. I also enjoy cross-functional director dinners focused on specific topics like privacy where I can both contribute and learn.

What’s something that’s been keeping you busy lately?

It’s more a case of someone than something! I’m loving spending time with my grandson, who is two and a half.

What’s your favorite AI tool?

I’ve recently joined the advisory board of a company called meetsynthia.ai Inc.—it’s an AI tool that helps create prompts to exploit AI effectively based on a user’s role and workflow to give more job-specific answers. I’m also a big user of Grok.