Cybersecurity for the board of directors

Issue 7 2021 Editor's Choice, Information Security

According to Gartner, by 2025 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. This is testament to the impact of cybersecurity risk on the continued digitalisation of the global economy.

Cyber-attacks have increased significantly in recent years bringing vital conversations about cybersecurity into the boardroom. As board oversight of cybersecurity has increased, board members – even those without technical expertise – have had to become rapidly acquainted with IT risk and security concepts. In the past few years, frameworks and best practices have emerged to help these business leaders get a grip on their company’s cybersecurity posture.


Edison Mazibuko.

The cybersecurity landscape is vast and understanding where you have gaps is vital. Below are some domains covering cybersecurity:

• Data security.

• Security operations and incident response.

• Identity and access management.

• Network and infrastructure security.

• Messaging security.

• Endpoint security.

• Cloud security.

• Risk and compliance.

These domains contain tools provided by various vendors. Your organisation does not have to acquire all the tools to be sufficiently covered against cybersecurity incidents. What is needed is for you to ensure you have adequate protection in place for what is important to your organisation.

While there are many lists of what boards of directors need to ask about cybersecurity, the more important thing might be what they’re not asking. Businesses have unique risk profiles. However, where board members rely too heavily on predetermined frameworks and cybersecurity assessment checklists, they risk passing over the most urgent issues.

What are some of the common cybersecurity issues that C-suite executives often miss? To answer that I will have to draw on industry jargon – bike-shedding.

The dangers of bike-shedding

When there is incongruity between the extent of the board’s cybersecurity knowledge and the level of decision-making authority they hold, that’s a recipe for bike-shedding. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.

This happens in board rooms when executive teams spend an unnecessary amount of time on trivia, neglecting the bigger picture, usually because the most important issues are so complex that teams focus instead on simpler, more solvable problems.

According to Gartner, when faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.

For decades an imaginary line has separated cybersecurity from ‘the business’ with most board members being not well versed in the topic nor even with a basic understanding of the impact it can have on their businesses. This has been compounded by many security leaders approaching the subject as a purely technical challenge dictated by technology and compliance constraints.

However, after years of near-limitless budgets and unsatisfactory results, the time has come for both security and business leaders to recognise that they have been asking the wrong questions and taking the wrong approach.

According to Gartner, security experts must connect cybersecurity to business outcomes. They go on to note that CIOs and CISOs must engage executive decision makers to change how cybersecurity is treated in organisations and drive security investments that directly impact business outcomes. Gartner confirms that while cybersecurity has been on board agendas for at least a decade, the pandemic has put a spotlight on the disconnect between executive understanding of cybersecurity and business’ actual capabilities.

Senior executives and stakeholders are always a target because of their influence on the organisation and access to valuable information. A cyber-attack can affect your entire organisation, making it the entire board’s responsibility, not just the role of the CIO/CISO.

In terms of raising the right issues, board members should have a stance on the company’s policy/response in the event of a ransomware attack. For example, will you pay ransom if that’s the only way to resume business operations? Will you have the capacity to engage in negotiations that will ensure the safe return of your data? Although the act of paying the ransom is not illegal in South Africa, have you considered going the route could be seen as sponsoring cyber terrorism? This will no doubt expose the organisation to a new host of risks.

What the board needs to know

One report notes that the role of a board of directors is to provide strategic oversight for a business and to hold management accountable for performance. Management is responsible for execution, including identifying, prioritising and managing cyber risks. It goes on to state that, while the specific information a board requires may vary – depending upon the organisation’s industry, regulatory requirements, operating activities, geographic footprint and risk profile etc., all boards look to management to translate technical, tactical details about cybersecurity into business terms, risks, opportunities and strategic implications.

This report further notes that board members are asking CISOs the following questions about cybersecurity:

1. What is our cyber-risk appetite?

2. What are the most important metrics we use to monitor and evaluate risk to the company?

3. What is the business case for cybersecurity?

4. How can cybersecurity enable other business functions across the enterprise?

5. What are the levels of insider and outsider risk?

6. How do we measure the effectiveness of our organisation’s cybersecurity programme and how it compares to those of other companies? For example, how do we track cybersecurity awareness across the organisation through indicators such as policy compliance, implementation and completion of training programmes?

7. How do we assess the cyber-risk position of our suppliers, vendors, joint venture partners and customers?

The NACD’s Directors Handbook on Cybersecurity recommends keeping the following guiding principles in mind when preparing board-level reports:

• Ensure the data is relevant to the organisation’s business context and can be understood by the audience.

• Be concise: avoid providing too much information and eliminate technical jargon.

• Less is more: minimise text and include graphics and visuals to convey your key points.

• Communicate insights about what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.

• Above all, board-level reports should enable strategic discussion and dialogue between directors and senior management.

These are excellent guidelines for board-level reporting. NACD goes on to confirm that cybersecurity is now a major strategic and enterprise risk matter that affects how companies operate, innovate and create value. Several characteristics combine to make the nature of the threat especially formidable due to its complexity and speed of evolution, the potential for significant financial, competitive and reputational damage and the fact that total protection is an unrealistic objective.

This last point is a sobering, but factual statement that should be enough to get every board member’s seat into the upright position and focused on the business value of implementing strong cybersecurity measures.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Surveillance on the perimeter
Axis Communications SA Hikvision South Africa Technews Publishing Editor's Choice Perimeter Security, Alarms & Intruder Detection
Cameras have long been a feature in perimeter security, with varying reports of success and failure, often dependent on the cameras’ planning, installation and configuration, as well as their integration with other perimeter solutions and centralised management platforms.

Read more...
Onyyx wireless alarm
Technews Publishing Editor's Choice Smart Home Automation
IDS has introduced Onyyx, a wireless alarm system engineered to provide complete system control via the Onyyx app or keyring, as well as seamless installation.

Read more...
Visual verification raises the security game
Videofied SA Technews Publishing Editor's Choice Perimeter Security, Alarms & Intruder Detection
Incorporating alarm signals with live surveillance footage, visual verification enables a human observer in a control room (onsite or offsite) to gain a clear understanding of the situation, thereby facilitating informed decision-making.

Read more...
The AX Hybrid PRO Series offers reliable wired and wireless protection
Hikvision South Africa Editor's Choice Perimeter Security, Alarms & Intruder Detection Products & Solutions
Hikvision has announced the launch of a new AX Hybrid PRO alarm system with innovative Hikvision ‘Speed-X’ transmission technology. This system offers reliable wired protection while delivering expanded flexibility with seamless wireless integration.

Read more...
A critical component of perimeter security
Nemtek Electric Fencing Products Gallagher Technews Publishing Stafix Editor's Choice Perimeter Security, Alarms & Intruder Detection Integrated Solutions
Electric fences are standard in South Africa, but today, they also need to be able to integrate with other technologies and become part of a broader perimeter security solution.

Read more...
SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Addressing today’s mining challenges: cyber risks beyond IT
Editor's Choice Information Security Mining (Industry)
Despite the mining industry’s operational technology systems being vulnerable to cyberattacks, many decision-makers still see these threats as purely an IT issue, even though a breach could potentially disrupt mining operations.

Read more...
Workforce Consortium to reskill 95 million people
Editor's Choice News & Events AI & Data Analytics
ICT Workforce Consortium of global leaders has come together, committing to train and upskill 95 million people over the next 10 years, as 92% of jobs analysed are expected to undergo either high or moderate transformation due to advancements in AI.

Read more...