Boards increasingly understand that cybercrime is a risk management issue that affects the entire company and requires Board oversight. However, although Boards know that they need to stay informed about cybersecurity, keeping up with it, in this complex, rapidly evolving world of IT, is often a challenge. The Board plays a crucial role in ensuring that the company is adequately managing its cybersecurity risk. The Board must appropriately prioritise cybersecurity, ask the right questions and ensure that cybersecurity policies and procedures are in place and appropriately funded.
Cybersecurity requires an orchestrated, integrated, organisation-wide approach, from the Board to operations. Cyber criminals are sophisticated in their attacks and are targeting companies using several different methods and strategies. Boards can play a role in addressing this risk and, along with senior executives, need to continuously review and challenge what they are being told by their teams regarding information security and cyber defences.
Samresh Ramjith, Deloitte Africa Cyber Risk Leader, sat down with Alex Darko (former CIO at AngloGold Ashanti | former Board Member for ABSA, Reunert, BCX, CIG, Safintra and the Mazor Group) and Justin Williams (Group Information Security at MTN | Global Top 100 Leader in Information Security (Corinium) | Audit Committee Member | Advisory Board Member) to explore this topic.
How can Board members get on top of this issue?
The Board’s oversight role is a fundamental aspect of governance, which includes defined strategies, policies, and procedures to mitigate cyber risk. Like all risks that organisations face, cyber risk requires established and mature governance, oversight, and inclusion in the overall enterprise risk management programme. When the Board works with management, each fulfilling its specific role, they complement each other to drive an effective cyber-conscious culture, resulting in a high level of resilience to cyber threats. This is a topic that all company Boards need to deal with, given the increase in cyberattacks and opportunities for breaches. Empowering Board members with the knowledge, terminology, and questions to ensure that organisations have appropriate oversight and a strong viewpoint relevant to the threats they face is becoming critical.
Alex highlights five questions that the Board should ask:
It becomes clear that, to make this effort work, the Board needs to ensure that there is a mutual understanding between a practitioner and the Board:
The role of organisation culture and cybersecurity
Organisational culture is a system of shared beliefs and values among employees which guides their behaviour, or to put it simply, it is the way things are done in an organisation. According to Alex, “the culture and tone is set by the Board. If the Board does not want to hear dreadful things or people will risk getting ‘punished,’ the team will find ways to hide it or not bring it up.”
The responsibility for cyber culture lies with the Board, and it should be a standard item at each Board meeting. The Board should understand what breach attempts practitioners have been exposed to, the actions taken and the results. It is more than paying lip service: it is about genuinely monitoring key risks and determining whether new risks are emerging.
Justin said it is about regular, open discussions with the Board. It should be a culture where the CISO and leaders of the organisation are able to openly discuss risks without feeling threatened. Cyber risk impacts an organisation’s entire ecosystem, so these discussions should cover the whole organisation and not only a particular area. This should not be a discussion only when the Board is informed about something that went wrong.
What about outsourcing?
Cybersecurity outsourcing can be a strategy for companies looking outside the organisation for help in strengthening their security measures and protecting against cyber threats. By hiring third-party vendors or experts, businesses can delegate tasks such as managed security, vulnerability assessments, and incident response, amongst others. However, before outsourcing, it is essential to define clear goals and requirements to ensure an effective partnership. This includes determining the scope of services, budget limits, and reporting metrics. It is also crucial to evaluate the experience and reputation of potential vendors.
Justin warned about the potential risks of outsourcing, particularly regarding managing third-party vendors. He stressed that, regardless of the size of the organisation, responsibility and accountability cannot be outsourced. The Board must have a thorough understanding of the outsourced work and be able to monitor the vendor's compliance with governance standards and contractual obligations. Justin also highlighted the misconception that outsourcing can completely absolve an organisation of accountability, which can be a major risk.
While outsourcing can bring cost savings and specialised expertise, it can also erode an organisation's own capabilities in a data-driven world. What started as a beneficial arrangement can quickly turn into an unhealthy dependency, jeopardising competitive advantages and strategic plans. This is especially critical in cybersecurity, where personal data loss, economic loss, and compromise of product integrity or safety can occur. The Board must take accountability and responsibility for cybersecurity, regardless of whether it chooses to outsource certain functions or not.
Moving forward
Cybersecurity will continue to be critical for organisations. To address this issue effectively, organisations must become more knowledgeable and skilled in cybersecurity. This will require partnerships and shared responsibilities, both within and outside the organisation. It is vital that everyone in the organisation is continually educated and informed about cybersecurity, so that all are up to date and familiar with the subject matter. With the ever-evolving landscape of technology, it is imperative that organisations stay vigilant and proactive in their approach to cybersecurity and foster a culture of awareness and responsibility.