Business security is a key concern for stakeholders, and protecting your company, your customers and your suppliers from cyber security risks is just as important as any other form of risk management.
As part of our ‘Cybersecurity’ series, we unpack the question of just how important it is to have board directors who are competent and knowledgeable in the cyber sphere. To gain more insight, Odgers Berndtson’s Board Practice consultant, Felicity Kadi, spoke to Tshifhiwa Ramuthaga, the multi-award-winning CIO who has worked with boards on their responsibilities regarding IT governance, cyber security and risk management. For her doctoral studies with the Gordon Institute of Business Science, she is currently researching the dynamic capabilities of boards in IT governance, that is, how boards effectively implement IT governance in the era of digital disruption.
Why do you think it is important for a board to have cyber-competent directors?
It's no longer just a case of “what if”, but when it happens. When the board has no depth in terms of how to drive the implementation (of cyber security strategy), they are unable to assess overall risk. You can't delegate responsibility in an area that you're not competent in.
Do you think cybersecurity and data privacy are treated as an enterprise-wide risk management issue, not just an IT or background issue?
It is culture driven. There are organisations that should treat it as a risk-management issue, because their entire organisation can come to a standstill if the risk is realised, but they have not yet done so at a board level because they may lack the necessary skills.
For example, in finance: when you have several financially astute board members, you know you've got people to help you navigate this area. What I've recently observed is that boards that have a board member who understands technology may rely on that specific board member to act as a conduit between the board and the IT technology risk agenda.
Are boards having the right conversations about cybersecurity and data privacy – should they focus on protection and/or resilience?
Operationally, there are boards that have a technology committee, or IT embedded in the risk committee of the board, but do you have awareness at board level of your cyber security strategy and the cyber incident resilience plan? My advice to boards is to implement formal IT training for non-IT-savvy board members, in the same way non-financial executives learn about finance for non-financial professionals, as an example.
How can boards progressively build up their cybersecurity knowledge?
This should be deliberately structured as part of general board induction and training to include detailed coverage of the cyber incident strategy and cyber incident response planning protocols. When the cyber incident response plan is revised, it should also be tested with the board.
There must be a designated member of the board who understands this topic so that they can manage this aspect of the agenda, because we don't want the board to be bogged down with every operational detail about IT or cyber security. A cyber-competent board member will be able to focus on this and give comfort that the risk elements are covered.
What do you think are the legal implications of cyber risks as they relate to the company’s context? Are there also reputational damages?
You have to consider the legal implications of cyber risks as they relate to the company's context. Globally there are privacy laws that compel companies to disclose if their data has been breached. The other challenge is, what are the legal obligations you have undertaken with your suppliers and customers?
In the South African context, King IV says that the governing body ensures that they govern technology such that it supports the organisational setting of the strategy and the achievement of the strategic objectives. So that on its own says to the Board, “You're responsible for this risk relating to organisational sustainability through technology.”
Engagement with experts is important. Clients will call a consultant, and a consultant can tell you what's wrong, but someone must take ownership within the organisation, because you cannot delegate or address concerns that you don’t adequately understand.
Partner with us
To stay ahead of changing cyber security demands, it's crucial to have the right leadership guiding your organisation. At Odgers Berndtson, we specialise in identifying and recruiting top-tier executives and board members who can navigate these and other complex challenges to drive your strategy forward.
Contact us today to learn how we can help you find the leaders you need to secure your digital future.