Cybersecurity for the board of directors

Issue 7 2021 Editor's Choice, Cyber Security

According to Gartner, by 2025 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. This is testament to the impact of cybersecurity risk on the continued digitalisation of the global economy.

Cyber-attacks have increased significantly in recent years bringing vital conversations about cybersecurity into the boardroom. As board oversight of cybersecurity has increased, board members – even those without technical expertise – have had to become rapidly acquainted with IT risk and security concepts. In the past few years, frameworks and best practices have emerged to help these business leaders get a grip on their company’s cybersecurity posture.

Edison Mazibuko.

The cybersecurity landscape is vast and understanding where you have gaps is vital. Below are some domains covering cybersecurity:

• Data security.

• Security operations and incident response.

• Identity and access management.

• Network and infrastructure security.

• Messaging security.

• Endpoint security.

• Cloud security.

• Risk and compliance.

These domains contain tools provided by various vendors. Your organisation does not have to acquire all the tools to be sufficiently covered against cybersecurity incidents. What is needed is for you to ensure you have adequate protection in place for what is important to your organisation.

While there are many lists of what boards of directors need to ask about cybersecurity, the more important thing might be what they’re not asking. Businesses have unique risk profiles. However, where board members rely too heavily on predetermined frameworks and cybersecurity assessment checklists, they risk passing over the most urgent issues.

What are some of the common cybersecurity issues that C-suite executives often miss? To answer that I will have to draw on industry jargon – bike-shedding.

The dangers of bike-shedding

When there is incongruity between the extent of the board’s cybersecurity knowledge and the level of decision-making authority they hold, that’s a recipe for bike-shedding. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.

This happens in board rooms when executive teams spend an unnecessary amount of time on trivia, neglecting the bigger picture, usually because the most important issues are so complex that teams focus instead on simpler, more solvable problems.

According to Gartner, when faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.

For decades an imaginary line has separated cybersecurity from ‘the business’ with most board members being not well versed in the topic nor even with a basic understanding of the impact it can have on their businesses. This has been compounded by many security leaders approaching the subject as a purely technical challenge dictated by technology and compliance constraints.

However, after years of near-limitless budgets and unsatisfactory results, the time has come for both security and business leaders to recognise that they have been asking the wrong questions and taking the wrong approach.

According to Gartner, security experts must connect cybersecurity to business outcomes. They go on to note that CIOs and CISOs must engage executive decision makers to change how cybersecurity is treated in organisations and drive security investments that directly impact business outcomes. Gartner confirms that while cybersecurity has been on board agendas for at least a decade, the pandemic has put a spotlight on the disconnect between executive understanding of cybersecurity and business’ actual capabilities.

Senior executives and stakeholders are always a target because of their influence on the organisation and access to valuable information. A cyber-attack can affect your entire organisation, making it the entire board’s responsibility, not just the role of the CIO/CISO.

In terms of raising the right issues, board members should have a stance on the company’s policy/response in the event of a ransomware attack. For example, will you pay ransom if that’s the only way to resume business operations? Will you have the capacity to engage in negotiations that will ensure the safe return of your data? Although the act of paying the ransom is not illegal in South Africa, have you considered going the route could be seen as sponsoring cyber terrorism? This will no doubt expose the organisation to a new host of risks.

What the board needs to know

One report notes that the role of a board of directors is to provide strategic oversight for a business and to hold management accountable for performance. Management is responsible for execution, including identifying, prioritising and managing cyber risks. It goes on to state that, while the specific information a board requires may vary – depending upon the organisation’s industry, regulatory requirements, operating activities, geographic footprint and risk profile etc., all boards look to management to translate technical, tactical details about cybersecurity into business terms, risks, opportunities and strategic implications.

This report further notes that board members are asking CISOs the following questions about cybersecurity:

1. What is our cyber-risk appetite?

2. What are the most important metrics we use to monitor and evaluate risk to the company?

3. What is the business case for cybersecurity?

4. How can cybersecurity enable other business functions across the enterprise?

5. What are the levels of insider and outsider risk?

6. How do we measure the effectiveness of our organisation’s cybersecurity programme and how it compares to those of other companies? For example, how do we track cybersecurity awareness across the organisation through indicators such as policy compliance, implementation and completion of training programmes?

7. How do we assess the cyber-risk position of our suppliers, vendors, joint venture partners and customers?

The NACD’s Directors Handbook on Cybersecurity recommends keeping the following guiding principles in mind when preparing board-level reports:

• Ensure the data is relevant to the organisation’s business context and can be understood by the audience.

• Be concise: avoid providing too much information and eliminate technical jargon.

• Less is more: minimise text and include graphics and visuals to convey your key points.

• Communicate insights about what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.

• Above all, board-level reports should enable strategic discussion and dialogue between directors and senior management.

These are excellent guidelines for board-level reporting. NACD goes on to confirm that cybersecurity is now a major strategic and enterprise risk matter that affects how companies operate, innovate and create value. Several characteristics combine to make the nature of the threat especially formidable due to its complexity and speed of evolution, the potential for significant financial, competitive and reputational damage and the fact that total protection is an unrealistic objective.

This last point is a sobering, but factual statement that should be enough to get every board member’s seat into the upright position and focused on the business value of implementing strong cybersecurity measures.

For more information contact DRS, +27 11 523 1600,,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The worst of times
Technews Publishing Editor's Choice
Cyber resilience in terms of people, processes and technology is where it’s at when it comes to prevailing in a world beset with cybercriminals.

Cyber trends for 2022
Editor's Choice
In the last six months, an organisation in South Africa was attacked on average 1737 times per week. This is more than double the global average (819) of attacks per organisation per week.

Cybersecurity for the board of directors
Editor's Choice
Bike-shedding is a common distraction in boardrooms, especially when discussing issues board members are responsible for, but don’t understand – like cybersecurity.

Cybersecurity is now a digital transformation imperative
Editor's Choice
New research from the IDC reveals cloud security is the number one priority for investment, 50 percent of South African business leaders are concerned with the consequences of security breaches.

Providing real-time visibility
Technews Publishing Editor's Choice
Comprehensive visibility is critical, but not always attainable without the support of a managed service provider dedicated to monitoring and securing your cyber environment around the clock.

Getting the basics right
Technews Publishing Editor's Choice
Cybersecurity is like any other discipline, you can’t start at the top, you need to get the basics right. Hi-Tech Security Solutions asks how to best do this.

Partnering to make South Africa more cyber secure
Editor's Choice
Cybersecurity professionals from the public and private sectors as well as academia have joined forces to establish the Cybersecurity Digital Alliance.

Turnstar ramps up countermeasures
Turnstar Systems Editor's Choice Access Control & Identity Management News Products
Turnstar has developed and patented an early warning and deterrent system which will alert security, and anyone nearby, of any attempt to place ramps over the raised spikes.

The state of the distribution market
ESDA (Electronic Security Distributors Association Bosch Building Technologies Dark Horse Distribution Elvey Security Technologies Regal Distributors SA G4S Secure Solutions SA Editor's Choice Security Services & Risk Management
The distribution industry has evolved over the years and its current challenges simply mean another change is in the wind, for those who can take the next step.