Cyber risk remains among the top risks facing business organizations today. The World Economic Forum’s Global Risk Report 2021 lists cybersecurity failure as a top “clear and present danger” and critical global threat. As with any major enterprise issue, it is important for the board of directors and leadership to set the tone at the top and define how their organizations must address cybersecurity. The board needs to understand cyber risk, and its role in governing this threat, to perform its oversight function effectively. It continues to be important for members of the board of directors to increase their knowledge of how to address cybersecurity within their organizations.
The Board not only looks at the company’s financial systems and controls but is also duty-bound to oversee its overall cybersecurity management, including appropriate risk mitigation strategies, systems, processes, and controls. From a governance perspective, one of the most important priorities for the board is to verify that management has a clear perspective when it comes to how business will be affected and also has the appropriate skills, resources, and approaches in place to minimise the likelihood of a cyberattack and mitigate any damages that may occur.
The following are a few concepts that boards need to have or understand about cybersecurity:
1. Cybersecurity goes beyond protecting data.
To oversee cybersecurity in today’s business environment requires a more holistic approach. This involves considering the digital and connected systems that control the organization’s information supply chains, production processes (such as the remote management of equipment) and the management of a digitally connected remote workforce. Directors need a general understanding of the security ecosystem, and the relationships within it, to adequately address risk.
2. Cybersecurity is an organizational problem, not just an IT problem.
Cybersecurity requires awareness and action from all members of the organization to recognize anomalies, alert leaders, and ultimately to mitigate risks. Leaders set the tone for prioritizing this kind of culture, but they also reinforce and personify the values and beliefs for action. The Board has a role in this; by asking questions about cybersecurity, directors imply that it is an important topic for them, and that sends the message that it needs to be a priority for corporate executives.
3. Boards should focus on risk, reputation, and business continuity.
Cyber-professionals focus on the tactical level: how to address the technical, operational, and organizational aspects of cybersecurity. Directors do not require the same technical knowledge as these professionals. They must look at the issue from a macro perspective and focus on the impacts on risk, reputation, and business continuity. By focusing on common goals, keeping the organization safe and maintaining operational continuity, the gap between the Board’s role and the cybersecurity professionals’ role can be narrowed.
4. Boards need to be engaged when it comes to cybersecurity oversight.
It’s not the board’s role to write and draft the organisation’s cybersecurity plan. However, its role is to ensure that there is an actionable plan. There are many frameworks available to help an organization with its cybersecurity strategy (NIST, ISO, ICS, etc.).
Below is a list of questions that will help boards understand how cybersecurity is being managed in the organisation:
1. What are our “crown jewels” or most critical assets — and how are we protecting them?
The board must make sure the organization’s most important assets are secure at the highest reasonable level. Is that your customer data, your systems and operational processes, or your company IP? Asking what is being protected and what needs to be protected is an important first step. If there is no agreement on what to protect, the rest of the cybersecurity strategy is subject to debate, dispute, or uncertainty.
2. What are the layers of protection we have put in place?
Boards don’t need to make the decision on how to implement the defensive strategies required by the organisation. But they need to be made aware of what these are, as well as how effective they will be in protecting the company.
3. How do we know if we’ve been breached? How do we detect a data breach?
Part of the board’s fiduciary duty is to ensure that the organisation has both protection and detection capabilities. Since the majority of breaches are not detected immediately after they occur, the board must make sure it knows how a breach is detected and agree on the risk level resulting from this approach.
4. What are our response plans in the event of an incident?
Although the board will not likely be directly involved in the creation of a response plan, it is part of its responsibility to ensure there is one. This plan should include answers to the following questions:
- What is the role of executives and leaders in the response plan?
- What is the communications plan?
- Who is responsible for alerting authorities?
- Which authorities are alerted?
- Who talks to the press?
- Who will manage client and media concerns?
Having a plan is critical to responding appropriately.
5. What is the board’s role in the event of cyber incidents?
It is important for the board to know what its role will be in the event of a cybersecurity breach. The board should consider conducting “fire drills” and tabletop exercises so it knows what to do when a cyber incident takes place. The board should also consider the following:
- Should the decision to pay out a ransom in a ransomware attack fall on the board?
- Should the board be accessible to customers?
- Should they meet with top organisation leaders for hands-on, agile decision making?
- What decisions should be delegated to management?
6. What are our business recovery plans in the event of a cyber incident?
It is important for the board to know who “owns” business recovery, whether there is a plan for how to make it happen, and whether it has been tested with a cyber incident in mind.
7. Is our cybersecurity investment enough?
You can’t invest enough to be 100% secure. But since a budget must be set, it is crucial that companies ensure they have an excellent security team with the appropriate expertise to tackle technical problems and understand vulnerabilities inside the core critical functions of the business. By doing that, the company will be better prepared to allocate investment where it is most needed. Companies should evaluate their level of protection and their risk tolerance before they engage in new investments. Two ways to do this are through simulations of cyber-attacks and through penetration/vulnerability tests. These actions expose vulnerabilities, enable actions to minimize potential damage based on priority, risk exposure and budget, and ultimately ensure appropriate investment of time, money, and resources.
Boards can’t shy away from their cybersecurity governance responsibilities. As the most valuable assets of organizations are digitized, stakeholders expect the organisation to employ all possible measures to protect itself against the perilous