Cybersecurity for the board of directors

Smart Cybersecurity Handbook 2022 Editor's Choice

According to Gartner, by 2025 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member. This is testament to the impact of cybersecurity risk on the continued digitalisation of the global economy.

Edison Mazibuko.

Cyber-attacks have increased significantly in recent years bringing vital conversations about cybersecurity into the boardroom. As board oversight of cybersecurity has increased, board members – even those without technical expertise – have had to become rapidly acquainted with IT risk and security concepts. In the past few years, frameworks and best practices have emerged to help these business leaders get a grip on their company’s cybersecurity posture.

The cybersecurity landscape is vast and understanding where you have gaps is vital. Below are some domains covering cybersecurity:

• Data security.

• Security operations and incident response.

• Identity and access management.

• Network and infrastructure security.

• Messaging security.

• Endpoint security.

• Cloud security.

• Risk and compliance.

These domains contain tools provided by various vendors. Your organisation does not have to acquire all the tools to be sufficiently covered against cybersecurity incidents. What is needed is for you to ensure you have adequate protection in place for what is important to your organisation.

While there are many lists of what boards of directors need to ask about cybersecurity, the more important thing might be what they’re not asking. Businesses have unique risk profiles. However, where board members rely too heavily on predetermined frameworks and cybersecurity assessment checklists, they risk passing over the most urgent issues.

What are some of the common cybersecurity issues that C-suite executives often miss? To answer that I will have to draw on industry jargon – bike-shedding.

The dangers of bike-shedding

When there is incongruity between the extent of the board’s cybersecurity knowledge and the level of decision-making authority they hold, that’s a recipe for bike-shedding. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because they wasted time discussing details about the plant’s bike shed.

This happens in board rooms when executive teams spend an unnecessary amount of time on trivia, neglecting the bigger picture, usually because the most important issues are so complex that teams focus instead on simpler, more solvable problems.

According to Gartner, when faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.

For decades an imaginary line has separated cybersecurity from ‘the business’ with most board members being not well versed in the topic nor even with a basic understanding of the impact it can have on their businesses. This has been compounded by many security leaders approaching the subject as a purely technical challenge dictated by technology and compliance constraints.

However, after years of near-limitless budgets and unsatisfactory results, the time has come for both security and business leaders to recognise that they have been asking the wrong questions and taking the wrong approach.

According to Gartner, security experts must connect cybersecurity to business outcomes. They go on to note that CIOs and CISOs must engage executive decision makers to change how cybersecurity is treated in organisations and drive security investments that directly impact business outcomes. Gartner confirms that while cybersecurity has been on board agendas for at least a decade, the pandemic has put a spotlight on the disconnect between executive understanding of cybersecurity and business’ actual capabilities.

Senior executives and stakeholders are always a target because of their influence on the organisation and access to valuable information. A cyber-attack can affect your entire organisation, making it the entire board’s responsibility, not just the role of the CIO/CISO.

In terms of raising the right issues, board members should have a stance on the company’s policy/response in the event of a ransomware attack. For example, will you pay ransom if that’s the only way to resume business operations? Will you have the capacity to engage in negotiations that will ensure the safe return of your data? Although the act of paying the ransom is not illegal in South Africa, have you considered going the route could be seen as sponsoring cyber terrorism? This will no doubt expose the organisation to a new host of risks.

What the board needs to know

One report notes that the role of a board of directors is to provide strategic oversight for a business and to hold management accountable for performance. Management is responsible for execution, including identifying, prioritising and managing cyber risks. It goes on to state that, while the specific information a board requires may vary – depending upon the organisation’s industry, regulatory requirements, operating activities, geographic footprint and risk profile etc., all boards look to management to translate technical, tactical details about cybersecurity into business terms, risks, opportunities and strategic implications.

This report further notes that board members are asking CISOs the following questions about cybersecurity:

1. What is our cyber-risk appetite?

2. What are the most important metrics we use to monitor and evaluate risk to the company?

3. What is the business case for cybersecurity?

4. How can cybersecurity enable other business functions across the enterprise?

5. What are the levels of insider and outsider risk?

6. How do we measure the effectiveness of our organisation’s cybersecurity programme and how it compares to those of other companies? For example, how do we track cybersecurity awareness across the organisation through indicators such as policy compliance, implementation and completion of training programmes?

7. How do we assess the cyber-risk position of our suppliers, vendors, joint venture partners and customers?

The NACD’s Directors Handbook on Cybersecurity recommends keeping the following guiding principles in mind when preparing board-level reports:

• Ensure the data is relevant to the organisation’s business context and can be understood by the audience.

• Be concise: avoid providing too much information and eliminate technical jargon.

• Less is more: minimise text and include graphics and visuals to convey your key points.

• Communicate insights about what the data means, not just information. Metrics should include analysis of changes, trends and patterns over time, show relative performance and indicate impact.

• Above all, board-level reports should enable strategic discussion and dialogue between directors and senior management..

These are excellent guidelines for board-level reporting. NACD goes on to confirm that cybersecurity is now a major strategic and enterprise risk matter that affects how companies operate, innovate and create value. Several characteristics combine to make the nature of the threat especially formidable due to its complexity and speed of evolution, the potential for significant financial, competitive and reputational damage and the fact that total protection is an unrealistic objective.

This last point is a sobering, but factual statement that should be enough to get every board member’s seat into the upright position and focused on the business value of implementing strong cybersecurity measures.

For more information contact DRS, +27 11 523 1600,,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

More to expect from Securex 2022
Specialised Exhibitions Editor's Choice
Securex South Africa 2022 will take place from 31 May to 02 June 2022 at Gallagher Convention Centre in Johannesburg, and will be co-located with A-OSH Expo, Facilities Management Expo and the new Firexpo 2022.

Securex 2022 exhibitors serve up the best in security
Specialised Exhibitions Editor's Choice
Exhibitors at the upcoming Securex South Africa 2022 trade show will be demonstrating the best in security-related products and services to the market.

Integrated personal security that travels with you
Editor's Choice
Individuals can take their security with them when travelling with the new Nomad all-in-one integrated security solution that keeps you and your belongings safe.

Securex Preview 2022
Technews Publishing Editor's Choice
Hi-Tech Security Solutions asked the exhibitors at this year’s Securex event to briefly mention some of the highlights we can expect from them at this year’s show.

Self-learning AI for existing CCTV systems
Iris AI Editor's Choice CCTV, Surveillance & Remote Monitoring News
Snap Guard is a cloud application that integrates into a property owner’s live CCTV feed, working with existing hardware and software, adding an additional layer of security.

Mark Kane and Wayne Schneeberger join Stallion Security
Stallion Security Editor's Choice CCTV, Surveillance & Remote Monitoring Integrated Solutions
Stallion Security has announced that Mark Kane and Wayne Schneeberger have joined its ranks at the same time as the company confirms its acquisition of Myertal Tactical Security’s offsite monitoring business.

Ongoing cybersecurity with a click
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Maintain your cybersecurity posture with web services from Pretect designed to keep your IT infrastructure optimally protected 24 x 7.

The Complete Manual on CCTV Management
Technews Publishing Editor's Choice CCTV, Surveillance & Remote Monitoring Security Services & Risk Management
Sonja de Klerk, retired Brigadier from the SAPS Forensic Science Laboratory has written a book on managing your CCTV systems to optimise the value of it as evidence.

Russia/Ukraine war and its effect on financial institutions
Technews Publishing Editor's Choice Security Services & Risk Management Financial (Industry)
ASIS SA’s treasurer, Erica Gibbons, highlights some of the effects financial institutions should look out for as a result of the war between Russia and the Ukraine.

Touchless school access control
neaMetrics Suprema Editor's Choice Access Control & Identity Management Integrated Solutions Education (Industry) Products
Wolverhampton Grammar School deployed a Suprema access control solution, integrated with Paxton to resolve its legacy access control challenges.