The Importance of Cyber-Competent Board Directors: Part Two

To gain more insight, this series on ‘Cybersecurity’ considers the role of cyber competency in company boards. Felicity Kadi, Odgers Berndtson South Africa Board Practice Consultant, spoke with Portia Maluleke whose business focuses on the governance of technology, the ethics thereof, privacy and cyber security.  She has been in the IT space for 30 years with organisations such as Telkom, Airports Company South Africa and T-Systems, with the latter part of her career to date spent in engagement at CEO and Board level on the governance of technology.

What is cybersecurity and data privacy?

Cyber security focuses on unauthorised access through the internet. I prefer focusing on information security rather, which is a more comprehensive approach to security which includes local and physical data.  Privacy augments security through prescribing who should access the information, particularly personal identifiable information.
This is critical because information may leak outside the cyber gateway. 

We are yet to appreciate and fully understand what privacy actually means and how to manage personal identifiable information.

Why do you think it is important for a board to have cyber-competent directors? 

The King IV™ Report, which is arguably the gold standard for corporate governance, through Principle 12 posits that IT governance is the responsibility of directors. King IV™ places accountability of IT Governance with the board. Technology risk management, inclusive of cybersecurity, is a key element of IT Governance.

Without Information Security competence, boards are limited in executing their fiduciary duties. While many boards delegate cybersecurity responsibility to management, they must still take accountability, which requires a fair understanding of technology risks. This knowledge allows them to assess organisational health and identify risks effectively. Hence, it's crucial for board members, regardless of background, to have a foundational grasp of technology risks.

Do you think cybersecurity and data privacy is treated as an enterprise-wide risk management issue, not just an IT or background issue? 

I think it is still relegated to IT. I use the word “relegated” deliberately because it means it is reduced from its rightful place. As IT professionals, we have also contributed to this problem by presenting cyber security and privacy as technical subjects, inadvertently alienating non-technical business leaders. 

Are boards having the right conversations about cybersecurity and data privacy – should they focus on protection and or resilience? 

My anecdotal view is that board discussions centre around finance or business sustainability, not cybersecurity or privacy. I believe that boards want to discuss these aspects but don't have the tools and the language to frame these topics. I think the desire is there, but the board needs to be properly equipped. 

As directors may be personally held liable if something goes wrong within the organisation, these conversations are critical and should be managed accordingly. 

How can boards progressively build up their cybersecurity knowledge? 

For me, it's a three-pronged approach. Firstly, the governance of technology and information should be included in the board development programme. The second element is to have IT professionals appointed as directors. Lastly, considering that we are in the digital age, there should be a technology sub-committee that will have a wider mandate than technology risks to also focus on innovation. This sub-committee may co-opt pioneers in the industry focusing on topical issues such as AI and so forth. 

What do you think are the legal implications of cyber risks as they relate to the company’s context? Also reputational damages? 

Firstly, it's financial loss that can come in the form of ransom when threat actors to try to extort money from the organisation. Financial loss also comes from loss of confidence leading to loss of clients. That links to reputational risk. Then there's also the issue around the information regulator, from a South African perspective, where there are also penalties that may be imposed. Secondly, legal action might be instituted in instances where there is evidence of negligence or misrepresentation of security protocols.

Any closing comments on the topic of board members and cyber competence?

This is such an exciting time for IT professionals who can add value differently. Traditionally, cyber security was not a priority but now it is imperative. I think as a society we need to think carefully around how we conduct ourselves because everything that we do generates some data, and this data is eventually stored somewhere. So, it's time we look at the world differently and reassess should the data be created in the first place i.e. is the data useful, how can it be safely stored, who should access it, how should it be accessed, for what period and so forth. 

Stay connected to this fortnightly series to continue exploring this topic further.

Partner with us

To stay ahead of changing cyber security demands, it's crucial to have the right leadership guiding your organisation. At Odgers Berndtson, we specialise in identifying and recruiting top-tier executives who can navigate these and other complex challenges to drive your strategy forward. 

Contact us today to learn how we can help you find the leaders you need to secure your digital future.