Odgers Berndtson

The Importance of Cyber-Competent Board Directors: Part One


Companies and their stakeholders expect board members to competently man the helm of their operations. As the pace of technological advancement increases, one increasingly important area of competence is cyber security. This article forms part of a series of conversations with industry leaders on this subject as it relates to company board members.

Felicity Kadi, Board Practice consultant at Odgers Berndtson, discussed this pertinent topic with Busisiwe Mathe, independent advisor and professional board director. Ms Mathe serves on the boards of Famous Brands and Curro Holdings, is a member of the Discovery Medical Health Scheme's audit committee, and has experience in internal and external auditing with a focus on risk assessment. Her previous roles at PwC included specialising in technology governance, data and cybersecurity strategy, and technology implementation.

What is cybersecurity and data privacy?

There are a lot of definitions of what cybersecurity means. I talk about it from a business perspective, not a technical perspective, in that cybersecurity and data privacy are about how you ensure that, as you are advancing from a digital transformation perspective, you have the controls at a strategic, tactical and operational level that ensure secure digitisation. It is also about understanding the data you're going to collect, process and store and how you protect that data, including how you are aligning to the different data privacy legislations in the different jurisdictions you operate in.


Why do you think it is important for a board to have cyber-competent directors?
The role of the board is dictated by various factors. There is legislation from a regulatory perspective that defines board requirements and corporate governance, and in South Africa the King IV Code is observed. It talks about IT and data and outlines the board's role and responsibilities. Globally we have seen the SEC also being very specific about the role of the board regarding cybersecurity.

In the context of digital transformation, boards must consider the risks from a cybersecurity and data privacy perspective. I strongly believe that directors should understand cybersecurity risks so that they can support organisations in navigating the ever-changing threat landscape introduced by cyber risk.


Do you think cybersecurity and data privacy are treated as an enterprise-wide risk management issue, not just an IT or background issue?

Recently I have seen cyber (security) not just being an IT issue dealt with in isolation, but rather an enterprise-wide risk management issue tackled by different stakeholders in organisations.

We are now seeing many Chief Information Security Officers or Chief Information Officers, or whoever at organisational level looks after cybersecurity, being part of board discussions and having a seat at the table because of the improved understanding of the impact of a cyber or data breach on the organisation.

Are boards having the right conversations about cybersecurity and data privacy – should they focus on protection and/or resilience?

The conversations are mainly driven from a legislative or compliance perspective or, in some cases, by threats being experienced at industry or country level. In some instances these conversations are happening retrospectively rather than proactively. We need to have conversations around cybersecurity and data privacy more often.

There is still opportunity for boards to consider their composition, ensuring the appointment of directors who understand and have an appreciation of the impact of cybersecurity and data privacy on the business. Organisations are talking about operational resilience, which encompasses cyber resilience and not just cybersecurity from a protection perspective.

Protection is important, but I think we've moved away from the world of protection. We're shifting into resilience—how do you build a business that is operationally resilient? This includes cyber and data resilience because you need to ensure that your organisation has minimum viable controls to align with business continuity requirements regardless of any challenges. It is no longer about if but when an organisation suffers a breach.

How can boards progressively build up their cybersecurity knowledge?

It's important for the board to really understand their role around cyber(security) and data because of the pervasive risk that this introduces to the organisation. Regular conversation is needed, and the right questions need to be asked.

There are resources with up-to-date information and reading that will help you understand what you should be thinking about. There are also professional bodies that board members can subscribe to that can assist them with understanding the latest threats and emerging risks and how to think about these.

I also think it's important for organisations and board members to consider participating in cyber simulations. This training gives you an appreciation of the different types of attacks that could happen to the organisation and of your role as the board.

What do you think are the legal implications of cyber risks as they relate to the company's context? What about reputational damage?

From a legislative perspective there are a number of legal implications if organisations don't deal with their cyber risks and ensure that they're building operational and cyber resilience, not just protection.

For example, if you have a data breach, organisations seen to have been non-compliant with the Protection of Personal Information Act regulatory requirements will incur penalties. There's also the possibility of jail sentences for directors if they're found negligent around data privacy. In South Africa we have legislation around cybercrime, as well as financial implications for organisations that are seen to be enabling cybercrime.

It's not just the legal implications; it is also the damage that happens to the brand when there is a cyber risk that is not addressed effectively.

Any closing comments on the topic of board members and cyber competence?

Cybersecurity and data risks are here to stay because we live in a world that is interconnected. We live in a space where, from individuals to entrepreneurs to small and medium enterprises to listed entities, there is so much data flowing because of digitisation, introducing the concept of big data.

The important question is: how do you turn this risk into an opportunity for your business? Are you able to say we have the right cyber and data privacy controls, we can protect your data, and we have a healthy security and data privacy posture?

Don’t shy away from cybersecurity. You must train your people to understand cybersecurity, to appreciate cybersecurity and data privacy risks, have the right controls, and have the right culture around cybersecurity. As directors we have a role to play in guiding organisations into building an environment that understands and appreciates cybersecurity, data privacy risks, and has resilience to recover and continue operating.

Stay connected to this fortnightly series to continue exploring this topic further.

Partner with us

To stay ahead of changing cyber security demands, it's crucial to have the right leadership guiding your organisation. At Odgers Berndtson, we specialise in identifying and recruiting top-tier executives who can navigate these and other complex challenges to drive your strategy forward.

Contact us today to learn how we can help you find the leaders you need to secure your digital future.
