Cybersecurity for the board of directors

Issue 7 2021 Editor's Choice, Cyber Security

According to Gartner, by 2025 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. This is testament to the impact of cybersecurity risk on the continued digitalisation of the global economy.

Cyber-attacks have increased significantly in recent years bringing vital conversations about cybersecurity into the boardroom. As board oversight of cybersecurity has increased, board members – even those without technical expertise – have had to become rapidly acquainted with IT risk and security concepts. In the past few years, frameworks and best practices have emerged to help these business leaders get a grip on their company’s cybersecurity posture.

Edison Mazibuko.

The cybersecurity landscape is vast and understanding where you have gaps is vital. Below are some domains covering cybersecurity:

• Data security.

• Security operations and incident response.

• Identity and access management.

• Network and infrastructure security.

• Messaging security.

• Endpoint security.

• Cloud security.

• Risk and compliance.

These domains contain tools provided by various vendors. Your organisation does not have to acquire all the tools to be sufficiently covered against cybersecurity incidents. What is needed is for you to ensure you have adequate protection in place for what is important to your organisation.

While there are many lists of what boards of directors need to ask about cybersecurity, the more important thing might be what they’re not asking. Businesses have unique risk profiles. However, where board members rely too heavily on predetermined frameworks and cybersecurity assessment checklists, they risk passing over the most urgent issues.

What are some of the common cybersecurity issues that C-suite executives often miss? To answer that I will have to draw on industry jargon – bike-shedding.

The dangers of bike-shedding

When there is incongruity between the extent of the board’s cybersecurity knowledge and the level of decision-making authority they hold, that’s a recipe for bike-shedding. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.

This happens in board rooms when executive teams spend an unnecessary amount of time on trivia, neglecting the bigger picture, usually because the most important issues are so complex that teams focus instead on simpler, more solvable problems.

According to Gartner, when faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.

For decades an imaginary line has separated cybersecurity from ‘the business’ with most board members being not well versed in the topic nor even with a basic understanding of the impact it can have on their businesses. This has been compounded by many security leaders approaching the subject as a purely technical challenge dictated by technology and compliance constraints.

However, after years of near-limitless budgets and unsatisfactory results, the time has come for both security and business leaders to recognise that they have been asking the wrong questions and taking the wrong approach.

According to Gartner, security experts must connect cybersecurity to business outcomes. They go on to note that CIOs and CISOs must engage executive decision makers to change how cybersecurity is treated in organisations and drive security investments that directly impact business outcomes. Gartner confirms that while cybersecurity has been on board agendas for at least a decade, the pandemic has put a spotlight on the disconnect between executive understanding of cybersecurity and business’ actual capabilities.

Senior executives and stakeholders are always a target because of their influence on the organisation and access to valuable information. A cyber-attack can affect your entire organisation, making it the entire board’s responsibility, not just the role of the CIO/CISO.

In terms of raising the right issues, board members should have a stance on the company’s policy/response in the event of a ransomware attack. For example, will you pay ransom if that’s the only way to resume business operations? Will you have the capacity to engage in negotiations that will ensure the safe return of your data? Although the act of paying the ransom is not illegal in South Africa, have you considered going the route could be seen as sponsoring cyber terrorism? This will no doubt expose the organisation to a new host of risks.

What the board needs to know

One report notes that the role of a board of directors is to provide strategic oversight for a business and to hold management accountable for performance. Management is responsible for execution, including identifying, prioritising and managing cyber risks. It goes on to state that, while the specific information a board requires may vary – depending upon the organisation’s industry, regulatory requirements, operating activities, geographic footprint and risk profile etc., all boards look to management to translate technical, tactical details about cybersecurity into business terms, risks, opportunities and strategic implications.

This report further notes that board members are asking CISOs the following questions about cybersecurity:

1. What is our cyber-risk appetite?

2. What are the most important metrics we use to monitor and evaluate risk to the company?

3. What is the business case for cybersecurity?

4. How can cybersecurity enable other business functions across the enterprise?

5. What are the levels of insider and outsider risk?

6. How do we measure the effectiveness of our organisation’s cybersecurity programme and how it compares to those of other companies? For example, how do we track cybersecurity awareness across the organisation through indicators such as policy compliance, implementation and completion of training programmes?

7. How do we assess the cyber-risk position of our suppliers, vendors, joint venture partners and customers?

The NACD’s Directors Handbook on Cybersecurity recommends keeping the following guiding principles in mind when preparing board-level reports:

• Ensure the data is relevant to the organisation’s business context and can be understood by the audience.

• Be concise: avoid providing too much information and eliminate technical jargon.

• Less is more: minimise text and include graphics and visuals to convey your key points.

• Communicate insights about what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.

• Above all, board-level reports should enable strategic discussion and dialogue between directors and senior management.

These are excellent guidelines for board-level reporting. NACD goes on to confirm that cybersecurity is now a major strategic and enterprise risk matter that affects how companies operate, innovate and create value. Several characteristics combine to make the nature of the threat especially formidable due to its complexity and speed of evolution, the potential for significant financial, competitive and reputational damage and the fact that total protection is an unrealistic objective.

This last point is a sobering, but factual statement that should be enough to get every board member’s seat into the upright position and focused on the business value of implementing strong cybersecurity measures.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Accenture Technology Vision 2023
Editor's Choice News
New report states that generative AI is expected to usher in a ‘bold new future’ for business, merging physical and digital worlds, transforming the way people work and live.

Economists divided on global economic recovery
Editor's Choice News
Growth outlook has strengthened in all regions, but chief economists are divided on the likelihood of a global recession in 2023; experts are concerned about trade-off between managing inflation and maintaining financial stability, with 76% anticipating central banks to struggle to bring down inflation.

Success in business process best practices
Technews Publishing Kleyn Change Management Editor's Choice Integrated Solutions Security Services & Risk Management
This month we commandeer time with the woman who is spearheading our national conversation on Women in Security, Lesley-Anne Kleyn, to get to know the lady herself a little better.

Addressing the SCADA in the room
Industrial (Industry) Cyber Security
Few other sectors command the breadth of purpose-built and custom devices necessary to function, as the industrial and manufacturing industries. These unique devices create an uncommon risk that must be assessed and understood to fully protect against incoming attacks.

Vulnerabilities in industrial cellular routers’ cloud management platforms
Industrial (Industry) Cyber Security Security Services & Risk Management
Research from OTORIO, a provider of operational technology cyber and digital risk management solutions, unveils cyber risks in M2M protocols and asset registration that expose hundreds of thousands of devices and OT networks to attack

SAFPS to launch a platform to combat fraud
Editor's Choice News Security Services & Risk Management
In response to the growing need for a proactive approach to fraud prevention, the SAFPS is developing a product called Yima, which will be a one-stop-shop for South Africans to report scams, secure their identity, and scan any website for vulnerabilities.

NEC XON appoints Armand Kruger as Head of Cybersecurity
News Cyber Security
NEC XON has announced the appointment of Armand Kruger as the Head of Cybersecurity. Kruger will oversee all cybersecurity offerings including cybersecurity strategy, programmes, and executive advisory.

Caesar Tonkin new head of cybersecurity business, Armata
News Cyber Security
Vivica Holdings has announced the appointment of cybersecurity expert Caesar Tonkin to head up its cybersecurity business Armata, which provides technology solutions and niche expertise needed to help businesses better protect themselves.

Surveillance-free surfing
News Cyber Security Products
Zoho has launched Ulaa, a privacy-centric browser built specifically to help users secure their personal data and activity by providing a browser solution that universally blocks tracking and website surveillance.

Troye and Arctic Wolf join forces
News Cyber Security Security Services & Risk Management
Troye has announced a strategic partnership with Arctic Wolf to enable Troye to provide customers with enhanced cybersecurity solutions and services that help protect their businesses from advanced cyber threats.