Cybersecurity: A strategic imperative

Cybersecurity continues to be one of the top ten risks worldwide, yet boards of directors too often have limited cybersecurity knowledge and therefore cannot effectively carry out their fiduciary duties. The rate of litigation and penalties continues to grow, with penalties in certain instances amounting to millions of rands.
Cybersecurity is a strategic imperative that supports innovation, business growth, and regulatory compliance.

Boards should therefore take a proactive stance on cybersecurity by understanding the risks that are pertinent to their industry and their organisations. This ensures that they are prepared and that appropriate measures are in place to mitigate cyberattacks. Concerted effort should be placed on building a security-first culture. For that reason, it is important that boards understand the questions they need to ask of the organisations they lead.

Cybersecurity Challenges that Boards Face

When it comes to the complex cybersecurity domain, boards are confronted by several challenges spanning the following:

  1. Lack of Technical Expertise
    A lack of technical skills is a prominent challenge, as boards may not have the know-how to ask pertinent questions and so be able to make informed decisions.
  2. Evolving Nature of Cyber Threats and Regulatory and Compliance Pressure
    Cybersecurity threats are constantly becoming more complex and more frequent. This is exacerbated by a cybersecurity regulatory landscape that is continuously changing, making it arduous for boards to keep up with both the threats and the regulations.
  3. Risk Oversight and Accountability
    Stakeholders, including regulators, investors, and customers, expect accountability and transparency from boards concerning how robustly cybersecurity risk is managed. Disclosure is required on security frameworks, on incidents, and on the board’s involvement in leading good practice. In most cases, however, the reports furnished to boards are technical, which prevents these important governance structures from gaining a good understanding of the organisation’s cybersecurity risk posture and making sound decisions.
  4. Budgeting and Investment Decisions
    During these challenging times, financial resources are tight. Consequently, boards have to balance where to invest: in long-term resilience, immediate controls, training and awareness, and so on.
  5. Talent Shortage
    Cybersecurity talent is scarce, which heightens the associated risks. Boards are nevertheless expected to ensure that cybersecurity functions are adequately supported in terms of staffing, funding, and tools, and that cybersecurity teams are empowered.
  6. Third-Party Cyber Operations
    IT value chains extend beyond organisations themselves through vendors, partners, and third-party individuals. Although certain responsibilities are outsourced, accountability still resides with the organisation that has outsourced its IT products and services, as third-party cybersecurity incidents may disrupt the organisation’s critical services and/or compromise data privacy. A data breach involving a third party therefore does not absolve boards of their fiduciary duties and liability.

Cybersecurity questions that boards should be asking

  • Tone at the top
  1. What is our overall cybersecurity strategy, and how does it align with business objectives?
  2. Are we setting the right tone from the top in promoting a cybersecurity culture?
  3. What are our top cybersecurity risks, and how are we mitigating them?
  4. Do we have a clear understanding of our organisation’s most valuable digital assets and how they are protected?
  5. Are we allocating enough budget and resources for cybersecurity initiatives?
  • Preparedness
  1. How is our company preparing for emerging cyber threats?
  2. How will we respond to a cyber-attack?
  3. What steps are taken to prevent insider threats and data leaks?
  4. What happens if a third-party vendor is breached? How does that impact us?
  5. What training programmes are in place to improve cybersecurity awareness?
  6. Do we have cybersecurity insurance, and what does it cover?
  • Testing cyber resilience
  1. How frequently does the organisation conduct cybersecurity simulations and stress tests?
  2. How frequently do we back up critical data, and have we tested data restoration recently?
  • Monitoring and reporting
  1. Do we have cybersecurity performance metrics / key performance indicators (KPIs) in place to measure the effectiveness of security programmes?
  2. Are we receiving cybersecurity reports that are clear, relevant, and actionable?
  3. Have we conducted a recent cybersecurity risk assessment? What were the key findings?
  4. Are there gaps in our current cybersecurity governance model that need to be addressed?
  • Continuous improvement and benchmarking
  1. Are we staying informed about evolving cybersecurity regulations and industry best practices?
  2. Are we benchmarking our cybersecurity practices against industry peers and competitors? How does our cybersecurity spending compare to industry standards?

Board’s Responsibility

Boards of directors are instrumental in driving a security-conscious culture and in making cybersecurity a strategic priority in this age of continuously changing cyber threats and regulations. Boards need to comprehend their organisations’ cybersecurity position in language they can understand, so that they can gain comfort that risks are being managed in line with the risk appetite and that decisions are informed by continuous or periodic risk assessments. Also key to continuous cyber resilience is understanding how your organisation compares with other entities in the industry. The cybersecurity-related questions that boards ask can thus mitigate regulatory fines, legal fees, business disruption, and reputational risk.

Good governance enables organisations to identify, protect, detect, prevent, respond to, and recover from cybersecurity incidents. At a minimum, the measures to be considered by boards involve the following:

  • Governance, risk and compliance
  • Cyber resilience
  • Training and awareness
  • Optimal resourcing (including human, technology and financial resources)
  • Threat detection and incident response
  • Third party risk management
  • Continuous improvement


Contributors:

Lerato Mashiloane, Junior IT Consultant
Lebogang Khunou, Director, Risk Advisory Services